The ThreatFox Loki Password Stealer (PWS) IOCs below cover a known credential-stealing tool and its command-and-control URL. A match indicates that a host has executed the stealer or contacted its C2, and any credentials stored or typed on that host should be treated as compromised. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) so that the follow-on credential abuse, lateral movement and data exfiltration are caught early in the attack lifecycle.
IOC Summary
Malware Family: Loki Password Stealer (PWS)
Total IOCs: 4
IOC Types: url, sha256_hash, sha1_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | a1e49c1cf7db97c042a5e5403fed0c79 | payload | 2026-06-13 | 95% |
| sha256_hash | f2cbfb04c06d7a29349769b1c9b2c5c6b9b34f1d9f827d89b444016069f36656 | payload | 2026-06-13 | 95% |
| sha1_hash | 6eaf280a71db28b3557ebed4073412a6357f08c8 | payload | 2026-06-13 | 95% |
| url | hxxp://abscete.info/ret/two/fre.php | botnet_cc | 2026-06-13 | 100% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Loki Password Stealer (PWS)
// The IOC table lists the URL defanged (hxxp://); it is refanged here so it matches live telemetry.
let malicious_urls = dynamic(["http://abscete.info/ret/two/fre.php"]);
// The host is the stable part of a Loki C2 URL; the path may vary across samples.
let malicious_hosts = dynamic(["abscete.info"]);
UrlClickEvents
| where Url in~ (malicious_urls)
    or tolower(tostring(parse_url(Url).Host)) in (malicious_hosts)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Loki Password Stealer (PWS)
// All three algorithms share one list; comparing every column against the whole list is safe
// because MD5 (32 hex), SHA-1 (40 hex) and SHA-256 (64 hex) values cannot collide across columns.
let malicious_hashes = dynamic(["a1e49c1cf7db97c042a5e5403fed0c79", "f2cbfb04c06d7a29349769b1c9b2c5c6b9b34f1d9f827d89b444016069f36656", "6eaf280a71db28b3557ebed4073412a6357f08c8"]);
DeviceFileEvents
// MD5 is frequently empty in DeviceFileEvents; SHA256 is the column that is reliably populated.
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// DeviceProcessEvents and DeviceImageLoadEvents carry the same SHA256/SHA1/MD5 columns and
// catch the case where the payload executed or was loaded rather than written to disk.
```
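To check the IOC list before it goes into the two queries above, and to see what each query would match, here is an added Python example (not ThreatFox or Microsoft code). It copies the four IOC rows from the table above, refangs the defanged URL, validates each hash against the length its algorithm requires, renders the KQL `let` lists the queries use, and dry-runs both hunts over constructed events. The event dicts only borrow column names from the Sentinel tables (SHA256/SHA1/MD5 from DeviceFileEvents, Url from UrlClickEvents, RemoteUrl from DeviceNetworkEvents, which the page's URL query does not cover); everything else in them is made up for the demo.

```python
"""Normalise the ThreatFox IOCs listed above and dry-run both hunts offline.

Added example for this page; it is not ThreatFox or Microsoft code. The four IOC rows
are copied from the table above (the URL is defanged there, as ThreatFox publishes it).
The sample events are constructed for this demo and only borrow column names
(SHA256, SHA1, MD5, Url, RemoteUrl) from the Sentinel tables the queries use.
"""
import re
from urllib.parse import urlsplit

IOCS = [
    ("md5_hash", "a1e49c1cf7db97c042a5e5403fed0c79"),
    ("sha256_hash", "f2cbfb04c06d7a29349769b1c9b2c5c6b9b34f1d9f827d89b444016069f36656"),
    ("sha1_hash", "6eaf280a71db28b3557ebed4073412a6357f08c8"),
    ("url", "hxxp://abscete.info/ret/two/fre.php"),
]

# IOC type -> (algorithm name, expected hex length)
HASH_TYPES = {"md5_hash": ("md5", 32), "sha1_hash": ("sha1", 40), "sha256_hash": ("sha256", 64)}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the value matches live telemetry."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def is_valid_hash(ioc_type: str, value: str) -> bool:
    """True if value is the right length of hex for its algorithm."""
    algo_len = HASH_TYPES.get(ioc_type)
    return algo_len is not None and re.fullmatch(r"[0-9a-fA-F]{%d}" % algo_len[1], value.strip()) is not None


def normalise(iocs):
    """Group hashes by algorithm (lowercase) and refang URLs; also collect their hosts.
    A malformed hash raises rather than being silently shipped into a query."""
    hashes = {"md5": set(), "sha1": set(), "sha256": set()}
    urls, hosts = set(), set()
    for ioc_type, value in iocs:
        if ioc_type in HASH_TYPES:
            if not is_valid_hash(ioc_type, value):
                raise ValueError(f"bad {ioc_type}: {value!r}")
            hashes[HASH_TYPES[ioc_type][0]].add(value.strip().lower())
        elif ioc_type == "url":
            url = refang(value)
            urls.add(url.lower())
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower())
    return hashes, urls, hosts


def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement with a dynamic string array, as in the queries above."""
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in sorted(values)))


def match_events(events, hashes, urls, hosts):
    """Dry-run both hunts over event dicts. Hash columns are compared per algorithm so a
    SHA-1 never accidentally matches an MD5 list; an empty column (MD5 is often blank in
    DeviceFileEvents) never counts as a match. URLs match exactly or on host."""
    hits = []
    for ev in events:
        for col, algo in (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5", "md5")):
            if (ev.get(col) or "").lower() in hashes[algo]:
                hits.append((ev["id"], f"{col} match"))
                break
        url = ev.get("Url") or ev.get("RemoteUrl")
        if url:
            host = (urlsplit(url).hostname or "").lower()
            if url.lower() in urls:
                hits.append((ev["id"], "exact URL match"))
            elif host in hosts:
                hits.append((ev["id"], "host match"))
    return hits


SAMPLE_EVENTS = [  # constructed for this example
    {"id": "E1", "FileName": "fre.exe",
     "SHA256": "F2CBFB04C06D7A29349769B1C9B2C5C6B9B34F1D9F827D89B444016069F36656", "SHA1": "", "MD5": ""},
    {"id": "E2", "FileName": "setup.exe", "SHA256": "0" * 64, "SHA1": "", "MD5": ""},
    {"id": "E3", "Url": "http://abscete.info/ret/two/fre.php"},          # UrlClickEvents-style row
    {"id": "E4", "RemoteUrl": "http://abscete.info/ret/two/other.php"},  # DeviceNetworkEvents-style row
    {"id": "E5", "Url": "https://example.com/login"},
]


def run_demo():
    """Print the KQL lists the queries above need and return the dry-run hits."""
    hashes, urls, hosts = normalise(IOCS)
    print(kql_let("malicious_urls", urls))
    print(kql_let("malicious_hosts", hosts))
    print(kql_let("malicious_hashes", set().union(*hashes.values())))
    return match_events(SAMPLE_EVENTS, hashes, urls, hosts)


if __name__ == "__main__":
    for event_id, reason in run_demo():
        print(event_id, reason)
```

E4 is the case worth noticing: the path differs from the published IOC, so an exact-URL list misses it, while the host list still catches the contact with the C2 domain. Paste the printed `let` lines into the queries above when the IOC set changes.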
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Microsoft Defender for Endpoint table; ingested into Sentinel through the Microsoft Defender XDR connector. Ensure the connector is enabled and this table is selected. |
| UrlClickEvents | Microsoft Defender for Office 365 (Safe Links) click telemetry; also arrives through the Microsoft Defender XDR connector. Ensure the connector is enabled and this table is selected. |
False Positives and Tuning
The hash and botnet_cc URL matches above are exact indicators and rarely need tuning; an exact SHA-256 or C2 URL hit should be treated as a true positive until disproven. The scenarios below apply when this hunt is broadened to the credential-access behaviour (LSASS access, scripts that read credential files) around an IOC hit. In every case, scope the exclusion to the specific task, script hash, account and path, never to a process name alone.
Scenario: A system administrator runs a scheduled PowerShell job that imports a CSV file containing user credentials for reporting purposes.
Filter/Exclusion: Exclude only that scheduled task, identified by its task name, the script's hash or signature, and the known internal CSV path. Do not exclude every script that calls Import-Csv or Get-Content; those cmdlets are equally useful to an attacker reading a harvested credential file.
Scenario: A Windows Task Scheduler job runs a legitimate script that queries the Local Security Authority Subsystem Service (LSASS) for audit purposes.
Filter/Exclusion: Exclude the specific task (task name, script hash, and the service account it runs under). Do not exclude lsass.exe, logonui.exe, or everything running as SYSTEM or Administrator: handle opens on lsass.exe are exactly what credential dumpers generate, and a process-name or account-wide exclusion would hide them.
Scenario: Windows Admin Center or PowerShell DSC (Desired State Configuration) is used to configure user passwords or enforce password policies across the domain.
Filter/Exclusion: Exclude Set-LocalUser and Set-ADUser invocations only when they originate from the DSC engine or the Windows Admin Center gateway host under the configuration-management account. The same cmdlets from an interactive console or an unexpected host should still alert.
Scenario: A SQL Server Agent job exports database credentials to a log file for compliance or backup purposes.
Filter/Exclusion: Exclude writes by the SQL Server Agent service account to the known log directory (e.g., C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\); writes by that account outside the log directory stay in scope. Credentials landing in a plaintext log are a finding for the DBA team in their own right, not something to tune out.
Scenario: A Windows event log collection tool (e.g., Event Viewer or a Splunk forwarder) gathers logs from multiple servers, and some of the collected event records contain credential-related fields.
Filter/Exclusion: Exclude processes related to eventvwr.exe, wevtutil.exe, or any known log collection tools, and filter out events with specific event IDs (e.g.,
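The difference between the broad exclusions the scenarios above describe and a properly scoped one is easiest to see on data. The following is an added Python example (not part of the original page) that expresses an exclusion as a set of fields that must all match, then applies both a broad and a scoped version of the LSASS-audit and SQL Agent cases to constructed events. InitiatingProcessFileName, AccountName and FolderPath follow the Defender for Endpoint column names; ScriptSHA256 and the ActionType values are assumptions standing in for however an environment records the hash of a scheduled task's script, and the account names and hashes are made up.

```python
"""Scoped versus broad exclusions for the tuning scenarios above.

Added example for this page (not from the original). Events and column values are
constructed; InitiatingProcessFileName, AccountName and FolderPath follow the Defender
for Endpoint column names, while ScriptSHA256 and the ActionType strings are assumed
fields standing in for however the environment records a scheduled task's script.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exclusion:
    """An allow-list entry. Every field that is set must match for an event to be suppressed."""
    name: str
    process: Optional[str] = None        # image name of the acting process
    account: Optional[str] = None        # account the task or service runs under
    script_sha256: Optional[str] = None  # hash of the approved script
    folder: Optional[str] = None         # directory prefix the write must land in

    def suppresses(self, ev: dict) -> bool:
        for want, got in (
            (self.process, ev.get("InitiatingProcessFileName", "")),
            (self.account, ev.get("AccountName", "")),
            (self.script_sha256, ev.get("ScriptSHA256", "")),
        ):
            if want is not None and want.lower() != got.lower():
                return False
        if self.folder is not None:
            prefix = self.folder.lower().rstrip("\\") + "\\"  # "...\Log" must not match "...\Logs\x"
            if not ev.get("FolderPath", "").lower().startswith(prefix):
                return False
        return True


def alerts(events: List[dict], rules: List[Exclusion]) -> List[str]:
    """Return the ids of events that no exclusion suppresses, i.e. what the analyst still sees."""
    return [ev["id"] for ev in events if not any(r.suppresses(ev) for r in rules)]


SQL_LOG_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log"
APPROVED_AUDIT_SCRIPT = "11" * 32  # constructed hash of the approved LSASS audit script

SAMPLE_EVENTS = [  # constructed
    {"id": "T1", "ActionType": "lsass-access", "InitiatingProcessFileName": "powershell.exe",
     "AccountName": "svc-audit", "ScriptSHA256": APPROVED_AUDIT_SCRIPT},  # the approved task
    {"id": "T2", "ActionType": "lsass-access", "InitiatingProcessFileName": "powershell.exe",
     "AccountName": "svc-audit", "ScriptSHA256": "22" * 32},  # same account, unknown script
    {"id": "T3", "ActionType": "file-write", "InitiatingProcessFileName": "sqlagent.exe",
     "AccountName": "svc-sqlagent", "FolderPath": SQL_LOG_DIR + r"\SQLAGENT.OUT"},
    {"id": "T4", "ActionType": "file-write", "InitiatingProcessFileName": "sqlagent.exe",
     "AccountName": "svc-sqlagent", "FolderPath": r"C:\Users\Public\creds.txt"},
]

# Exclusions as the scenarios above phrase them: keyed on process name and account only.
BROAD_RULES = [
    Exclusion("any powershell under the audit account", process="powershell.exe", account="svc-audit"),
    Exclusion("anything SQL Agent writes", process="sqlagent.exe"),
]

# The same intent, scoped to the approved script hash and the known log directory.
SCOPED_RULES = [
    Exclusion("approved LSASS audit task", process="powershell.exe", account="svc-audit",
              script_sha256=APPROVED_AUDIT_SCRIPT),
    Exclusion("SQL Agent writing its own log", process="sqlagent.exe", account="svc-sqlagent",
              folder=SQL_LOG_DIR),
]

if __name__ == "__main__":
    print("broad rules leave:", alerts(SAMPLE_EVENTS, BROAD_RULES))    # []
    print("scoped rules leave:", alerts(SAMPLE_EVENTS, SCOPED_RULES))  # ['T2', 'T4']
```

With the broad rules nothing reaches the analyst: the unknown script touching LSASS under the audit account (T2) and the SQL Agent account dropping a file under C:\Users\Public (T4) are both hidden. The scoped rules suppress only the approved task and the Agent's own log directory, so those two events still alert. The same field-by-field shape translates directly into the `where` clause of a Sentinel analytics rule.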