This detection matches file hashes recorded in DeviceFileEvents against known Azorult indicators. Azorult is an information stealer, so a hit means a known payload has been written to disk on a host and the adversary may already be collecting credentials, browser data and files for exfiltration. SOC teams should run this hunt in their Microsoft Sentinel (formerly Azure Sentinel) workspace and treat any match as a confirmed-malware event to triage immediately, not as a weak signal to tune away.
IOC Summary
Malware Family: Azorult
Total IOCs: 2
IOC Types: md5_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307 | payload | 2026-06-14 | 95% |
| md5_hash | 73da2c02c6f8bfd4662dc84820dcd983 | payload | 2026-06-14 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Azorult
// The list holds one SHA256 and one MD5; no SHA1 indicators are published,
// so only those two columns are compared. in~ makes the comparison
// case-insensitive so an upper-case IOC pasted later still matches.
let malicious_hashes = dynamic(["2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307", "73da2c02c6f8bfd4662dc84820dcd983"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by Microsoft Defender for Endpoint through the Microsoft Defender XDR data connector; confirm the connector is enabled and that the table is receiving events with SHA256 and MD5 values filled in, otherwise the hunt silently returns nothing. |
False-positive handling: the query matches on file hashes only and never inspects the file name, so scenarios about legitimate software that happens to be called Azorult.exe do not apply to it. A match on either hash above means the exact known payload was written to disk. Do not exclude matches by folder (C:\Windows\Temp\, C:\Program Files\, C:\Program Files (x86)\) or by parent process (schtasks.exe, wuauclt.exe, msiexec.exe, setup.exe, explorer.exe, taskmgr.exe): an attacker can stage the payload in any of those locations and launch it from any of those parents, and such exclusions would simply blind the rule. The only expected benign matches come from systems that handle malware on purpose:

Scenario: Malware analyst workstation or detonation sandbox that deliberately downloads the sample
Filter/Exclusion: Exclude by DeviceName against a maintained list of analysis hosts, never by path or parent process, and keep those events visible in a separate low-severity view rather than dropping them, so a sandbox escape still shows up.

Scenario: Security tool or EDR agent copying an already-detected file into quarantine or a scan cache
Filter/Exclusion: Exclude only where the initiating process is a known security service (e.g., MsMpEng.exe, `
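As an added example (not code from the original hunt page or from ThreatFox), the same matching logic re-implemented in Python over constructed DeviceFileEvents-style rows, so the rule can be checked offline before it is pasted into Sentinel. It goes a little beyond the KQL: indicators are bucketed by algorithm so an MD5 is never compared against the SHA256 column, matching is case-insensitive, a malformed indicator raises instead of silently never matching, and hits from a hypothetical analysis-host allow-list (`ANALYSIS_HOSTS`, an assumption for this example) are tagged rather than dropped. The sample rows, timestamps and host names are constructed; the third row is a file merely named Azorult.exe with benign hashes, which correctly produces no hit.

```python
"""Added example: offline re-implementation of the Azorult hash hunt above.
Not code from the original page; the rows, timestamps and host names are
constructed for illustration."""
import hashlib

# The two Azorult indicators from the IOC table on this page.
IOCS = [
    "2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307",
    "73da2c02c6f8bfd4662dc84820dcd983",
]

# Assumption for the example: hosts that handle malware on purpose
# (sandboxes, analyst VMs). Matches from them are tagged, not discarded.
ANALYSIS_HOSTS = {"sandbox01"}

HEX = set("0123456789abcdef")
ALGO_BY_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def bucket_iocs(iocs):
    """Group indicators by algorithm (decided by digest length), lower-cased.
    Anything that is not hex of a known length raises, because an IOC with a
    typo in it would otherwise just never match and nobody would notice."""
    buckets = {"MD5": set(), "SHA1": set(), "SHA256": set()}
    for raw in iocs:
        h = raw.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or not set(h) <= HEX:
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {raw!r}")
        buckets[algo].add(h)
    return buckets


def hunt(rows, iocs, analysis_hosts=frozenset()):
    """Mirror the KQL: a row is a hit when a hash column equals an IOC of the
    same algorithm. Hits come back newest first, with MatchedOn listing the
    columns that hit and ExpectedBenign set for known analysis hosts."""
    buckets = bucket_iocs(iocs)
    hits = []
    for row in rows:
        matched = [
            algo for algo in ("SHA256", "SHA1", "MD5")
            if (row.get(algo) or "").lower() in buckets[algo]
        ]
        if matched:
            hits.append({
                **row,
                "MatchedOn": matched,
                "ExpectedBenign": row["DeviceName"].lower() in analysis_hosts,
            })
    hits.sort(key=lambda r: r["Timestamp"], reverse=True)
    return hits


# Constructed sample rows in the shape of DeviceFileEvents. Hashes of an
# empty file stand in for a benign binary; the last row has no SHA256
# recorded, which does happen in real telemetry.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
SAMPLE_ROWS = [
    {"Timestamp": "2026-06-15T09:12:03Z", "DeviceName": "WS-FIN-07",
     "FileName": "invoice_2026.exe", "FolderPath": r"C:\Users\alice\Downloads",
     "SHA256": IOCS[0].upper(), "MD5": IOCS[1],
     "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-15T10:40:51Z", "DeviceName": "SANDBOX01",
     "FileName": "sample.bin", "FolderPath": r"D:\samples",
     "SHA256": IOCS[0], "MD5": IOCS[1],
     "InitiatingProcessFileName": "python.exe"},
    {"Timestamp": "2026-06-15T11:02:17Z", "DeviceName": "WS-HR-02",
     "FileName": "Azorult.exe", "FolderPath": r"C:\Program Files\Vendor",
     "SHA256": EMPTY_SHA256, "MD5": EMPTY_MD5,
     "InitiatingProcessFileName": "msiexec.exe"},
    {"Timestamp": "2026-06-14T23:58:40Z", "DeviceName": "WS-FIN-07",
     "FileName": "svchost.exe", "FolderPath": r"C:\Users\alice\AppData\Roaming",
     "SHA256": "", "MD5": IOCS[1],
     "InitiatingProcessFileName": "invoice_2026.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, IOCS, ANALYSIS_HOSTS):
        flag = "analysis host" if hit["ExpectedBenign"] else "TRIAGE"
        print(f'{hit["Timestamp"]} {hit["DeviceName"]:<10} {hit["FileName"]:<18} '
              f'{"+".join(hit["MatchedOn"]):<10} {flag}')
```

The KQL remains the authoritative detection; this script is for validating an IOC list (no typos, right algorithm per column) and the exclusion policy before the query goes into a scheduled analytics rule. Note that the Azorult.exe row never appears in the output, which is the point of the false-positive discussion above: the name is irrelevant, only the digest matters.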