This detection identifies potential Azorult activity by matching file hashes in endpoint telemetry against known IOCs. Azorult is a credential- and information-stealing trojan, so a hash match means the payload has been written to disk on the host and the adversary may already be harvesting data, establishing persistence, or exfiltrating it. SOC teams should hunt for this proactively in their Microsoft Sentinel environment and treat a confirmed hit as an active compromise rather than a prevention event.
IOC Summary
Malware Family: Azorult
Total IOCs: 2
IOC Types: md5_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307 | payload | 2026-06-14 | 95% |
| md5_hash | 73da2c02c6f8bfd4662dc84820dcd983 | payload | 2026-06-14 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Azorult
// Keep one list per hash type: a 64-character SHA256 can never equal a
// 32-character MD5, and the feed carries no SHA1, so a single mixed list
// (or a SHA1 comparison) only hides which indicator actually matched.
let sha256_hashes = dynamic(["2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307"]);
let md5_hashes = dynamic(["73da2c02c6f8bfd4662dc84820dcd983"]);
DeviceFileEvents
| where SHA256 in~ (sha256_hashes) or MD5 in~ (md5_hashes)   // in~ is case-insensitive
| extend MatchedOn = iff(SHA256 in~ (sha256_hashes), "sha256", "md5")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, MatchedOn, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft Defender XDR (Microsoft 365 Defender) data connector; ensure the connector is enabled and the DeviceFileEvents table is selected |
Azorult has no legitimate use, so a hash match is not explained by any business application. The realistic false positive paths are the sample being present on purpose, or the indicator itself being wrong.
Scenario: Malware analysis or sandbox host where the sample was deliberately copied for research
Filter/Exclusion: Maintain an allowlist of analysis hosts by DeviceName and route their hits to a review queue rather than dropping them; a sample leaving the lab network is itself a finding.
Scenario: Security product writing the sample to a quarantine or sample archive (EDR/AV quarantine folder, threat-intel sample store)
Filter/Exclusion: Exclude events where InitiatingProcessFileName is the security agent and FolderPath is its quarantine directory, then confirm in DeviceProcessEvents that no process with the same SHA256 ever executed on the host.
Scenario: Red team or adversary emulation exercise that stages real malware samples
Filter/Exclusion: Scope the exclusion to the exercise's change window and the hosts it was authorised for, and re-enable alerting for everything else; do not exclude on parent process names such as Metasploit or Cobalt Strike, which an attacker can use as easily as a tester.
Scenario: Stale or mislabelled feed entry, or an MD5 collision
Filter/Exclusion: Verify the hash against ThreatFox and a second source before excluding it. Treat an MD5-only match as lower confidence than a SHA256 match, and retire indicators that the feed has withdrawn rather than allowlisting them locally.
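The following is an added Python example (not part of the original page or the ThreatFox feed) that runs the same hash-match logic over a few constructed DeviceFileEvents-style records and applies the triage rules above: hashes are compared case-insensitively, the indicator type that matched is recorded, hits on an assumed analysis-host allowlist are routed to review instead of being dropped, and the IOC list is validated for well-formed hashes so that a truncated or mis-copied value cannot silently match nothing. The host names, file paths and the `ANALYSIS_HOSTS` allowlist are hypothetical.

```python
import re
from dataclasses import dataclass

# IOCs as published on this page (ThreatFox, Azorult), normalised to lowercase.
IOCS = {
    "sha256": {"2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307"},
    "md5": {"73da2c02c6f8bfd4662dc84820dcd983"},
}

# Expected hex length per hash type; a value of the wrong length can never match
# telemetry, so it is a feed or copy-paste error rather than a usable indicator.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Hypothetical allowlist: hosts where malware samples are expected to exist.
ANALYSIS_HOSTS = {"malware-lab-01"}


def validate_iocs(iocs):
    """Return (type, value) pairs that are not well-formed hex of the right length."""
    bad = []
    for kind, values in iocs.items():
        for value in values:
            pattern = r"[0-9a-f]{%d}" % HEX_LEN.get(kind, 0)
            if kind not in HEX_LEN or not re.fullmatch(pattern, value.lower()):
                bad.append((kind, value))
    return bad


@dataclass
class FileEvent:
    """Subset of the DeviceFileEvents columns the hunt projects."""
    Timestamp: str
    DeviceName: str
    FileName: str
    FolderPath: str
    SHA256: str
    MD5: str
    InitiatingProcessFileName: str


# Constructed telemetry for the example. Event 2 has the SHA256 in uppercase to
# show that normalisation is required; event 3 carries benign (empty-file) hashes.
SAMPLE_EVENTS = [
    FileEvent("2026-06-15T09:12:00Z", "ws-finance-07", "invoice.exe",
              r"C:\Users\bob\Downloads\invoice.exe",
              "2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307",
              "73da2c02c6f8bfd4662dc84820dcd983", "chrome.exe"),
    FileEvent("2026-06-15T11:40:00Z", "malware-lab-01", "sample.bin",
              r"D:\samples\azorult\sample.bin",
              "2B35AA9C70EF66197ABFB9BC409952897F9F70818633AB43DA85B3825B256307",
              "d41d8cd98f00b204e9800998ecf8427e", "explorer.exe"),
    FileEvent("2026-06-15T08:05:00Z", "ws-hr-02", "notes.txt",
              r"C:\Users\alice\Documents\notes.txt",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "d41d8cd98f00b204e9800998ecf8427e", "notepad.exe"),
]


def hunt(events, iocs=IOCS, analysis_hosts=ANALYSIS_HOSTS):
    """Match events against the IOC set; returns hits newest first with triage tags."""
    hits = []
    for e in events:
        matched_on = []
        if e.SHA256.lower() in iocs["sha256"]:
            matched_on.append("sha256")
        if e.MD5.lower() in iocs["md5"]:
            matched_on.append("md5")
        if not matched_on:
            continue
        # Allowlisted analysis hosts are reviewed, never silently discarded.
        triage = "review" if e.DeviceName.lower() in analysis_hosts else "alert"
        hits.append({
            "Timestamp": e.Timestamp,
            "DeviceName": e.DeviceName,
            "FileName": e.FileName,
            "FolderPath": e.FolderPath,
            "SHA256": e.SHA256.lower(),
            "InitiatingProcessFileName": e.InitiatingProcessFileName,
            "matched_on": matched_on,
            "triage": triage,
        })
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


if __name__ == "__main__":
    assert not validate_iocs(IOCS), "malformed indicator in feed"
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["triage"], hit["DeviceName"], hit["FolderPath"], hit["matched_on"])
```

An MD5-only match (no SHA256 agreement) shows up in `matched_on` as `["md5"]`, which is the signal to apply the lower-confidence handling from the last scenario before escalating.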