The ThreatFox: Luca Stealer IOCs rule detects potential adversary activity associated with the Luca Stealer malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss occurs.
IOC Summary
Malware Family: Luca Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 27af7e91f33800f4f01cf0df071c100b1faa9951 | payload | 2026-06-17 | 95% |
| md5_hash | 8b3cc6aa0f6b4a3880146323fec3f09d | payload | 2026-06-17 | 95% |
| sha256_hash | f678afbaa4b0fe4537c05f4f811b9d852e40f3739f1e1a16f46b66e93c7c6f8c | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Luca Stealer
let malicious_hashes = dynamic([
    "27af7e91f33800f4f01cf0df071c100b1faa9951",
    "8b3cc6aa0f6b4a3880146323fec3f09d",
    "f678afbaa4b0fe4537c05f4f811b9d852e40f3739f1e1a16f46b66e93c7c6f8c"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
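The query above is a plain hash match over three columns. The following Python script is an added example (not part of the ThreatFox feed, the rule, or this page's original content) that reproduces that logic offline so an analyst can check exported DeviceFileEvents rows or a quarantined sample against the same three IOC values. It also applies the process-name style exclusions described in the false-positive scenarios below without silently discarding suppressed hits. The sample event rows, hostnames, and non-IOC hash values are constructed for illustration; the IOC values are the three from the table on this page.

```python
import hashlib

# IOC values copied from the ThreatFox table on this page (one of each: sha1, md5, sha256)
LUCA_STEALER_IOCS = [
    "27af7e91f33800f4f01cf0df071c100b1faa9951",
    "8b3cc6aa0f6b4a3880146323fec3f09d",
    "f678afbaa4b0fe4537c05f4f811b9d852e40f3739f1e1a16f46b66e93c7c6f8c",
]

# Hex digest length identifies the algorithm: 32 -> md5, 40 -> sha1, 64 -> sha256
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' based on hex length, or None if the value is not a hex digest."""
    v = value.strip().lower()
    if len(v) not in HASH_LENGTHS:
        return None
    try:
        int(v, 16)
    except ValueError:
        return None
    return HASH_LENGTHS[len(v)]


def build_ioc_index(iocs):
    """Group IOC values by algorithm, lowercased, so each telemetry column is compared only against its own type."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for ioc in iocs:
        kind = classify_hash(ioc)
        if kind:  # malformed feed entries are skipped instead of matching nothing forever
            index[kind].add(ioc.strip().lower())
    return index


def match_events(events, index):
    """Mirror the KQL: flag rows whose SHA256, SHA1 or MD5 is an IOC; comparison is case-insensitive.

    Each hit records which column(s) matched, and hits are ordered newest first like the query.
    """
    hits = []
    for ev in events:
        matched_on = [
            col for col in ("SHA256", "SHA1", "MD5")
            if ev.get(col) and ev[col].strip().lower() in index[col.lower()]
        ]
        if matched_on:
            hits.append({**ev, "MatchedOn": matched_on})
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return hits


def apply_exclusions(hits, excluded_processes):
    """Split hits by initiating process (the page's process_name filters) into kept and suppressed lists.

    DeviceFileEvents exposes the launching process as InitiatingProcessFileName. Suppressed hits are
    returned rather than dropped so a reviewer can still see what an exclusion removed.
    """
    excluded = {p.lower() for p in excluded_processes}
    kept, suppressed = [], []
    for h in hits:
        proc = (h.get("InitiatingProcessFileName") or "").lower()
        (suppressed if proc in excluded else kept).append(h)
    return kept, suppressed


def check_sample(data, index):
    """Hash a quarantined file's bytes with all three algorithms and report which IOC columns match."""
    digests = {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }
    return [col for col, d in digests.items() if d in index[col.lower()]]


LUCA_INDEX = build_ioc_index(LUCA_STEALER_IOCS)

# Constructed rows in the shape of DeviceFileEvents (hostnames and non-IOC hashes are made up)
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T09:00:00Z", "DeviceName": "ws-01", "FileName": "update.exe",
     "SHA256": "F678AFBAA4B0FE4537C05F4F811B9D852E40F3739F1E1A16F46B66E93C7C6F8C",  # IOC, uppercase
     "SHA1": "1" * 40, "MD5": "1" * 32, "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-17T10:00:00Z", "DeviceName": "ws-02", "FileName": "svc.dll",
     "SHA256": "2" * 64, "SHA1": "27af7e91f33800f4f01cf0df071c100b1faa9951",  # IOC
     "MD5": "2" * 32, "InitiatingProcessFileName": "splunkd.exe"},
    {"Timestamp": "2026-06-17T11:00:00Z", "DeviceName": "ws-03", "FileName": "notes.txt",
     "SHA256": "3" * 64, "SHA1": "3" * 40, "MD5": "3" * 32, "InitiatingProcessFileName": "notepad.exe"},
]

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS, LUCA_INDEX)
    kept, suppressed = apply_exclusions(found, {"splunkd.exe"})
    for h in kept:
        print("HIT", h["Timestamp"], h["DeviceName"], h["FileName"], h["MatchedOn"])
    for h in suppressed:
        print("SUPPRESSED", h["Timestamp"], h["DeviceName"], h["InitiatingProcessFileName"])
```

Two details of the script carry over to the Sentinel query. The comparison here lowercases both sides because the ThreatFox values are lowercase hex; KQL's `in` operator is case-sensitive, so if hash columns in your telemetry can be uppercase, `in~` is the case-insensitive form. And the exclusion step returns suppressed rows instead of discarding them, since a match on an exact file hash is stronger evidence than the launching process name that the page's filters key on.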
Scenario: Legitimate System Update via Windows Update
Description: A system update process may trigger the detection due to the presence of a file or registry key that matches known IOCs of Luca Stealer.
Filter/Exclusion: Check the file_name field for *.msu or *.msi files and filter out updates from Microsoft or Windows Update sources.

Scenario: Scheduled Job for Log Management (e.g., Splunk or ELK)
Description: A scheduled job that runs a script to collect or rotate logs may use a tool or script that matches the IOC patterns of Luca Stealer.
Filter/Exclusion: Exclude processes associated with Splunk, Logstash, or ELK stack tools, and filter by process_name like splunkd.exe or logstash.

Scenario: Admin Task – PowerShell Script for Patch Management
Description: An admin may run a PowerShell script to apply patches or manage software updates, which could include scripts that resemble malicious behavior.
Filter/Exclusion: Filter by process_name like powershell.exe and check the script_name or command_line for known patch management tools such as Windows Update or Chocolatey.

Scenario: Legitimate File Transfer via WinSCP or FileZilla
Description: A legitimate file transfer process using WinSCP or FileZilla might involve files or paths that match the IOC patterns of Luca Stealer.
Filter/Exclusion: Filter by process_name like winscp.exe or filezilla.exe, and exclude transfers to/from known internal servers or shared drives.

Scenario: User-Initiated Download of Trusted Software (e.g., Adobe or Java)
Description: A user may download a trusted application like Adobe Reader or Java