The ThreatFox: Luca Stealer IOCs rule hunts endpoint file telemetry in Azure Sentinel (now Microsoft Sentinel) for file hashes that ThreatFox attributes to Luca Stealer, an information stealer that harvests credentials, browser data and other sensitive files for exfiltration and that this page also associates with establishing persistence. Because the rule keys on the hashes of a known payload rather than on behaviour, a match is a high-fidelity lead: SOC teams should run this hunt proactively and treat any hit as a probable compromise to triage immediately, before data leaves the environment.
IOC Summary

Malware Family: Luca Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 2db7e2aa1c6452b8326f8bd485c7cf3db34e94ed | payload | 2026-06-14 | 95% |
| md5_hash | 8b56aebdbd532b68e68ac3d603176027 | payload | 2026-06-14 | 95% |
| sha256_hash | d776991e64f8abcdcae6fe99e48e83a7570a51712d0b6df25f72f5abaf99fbe4 | payload | 2026-06-14 | 95% |
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Luca Stealer
// Each hash is compared only against the column of its own type; testing a
// SHA-1 against the SHA256 column can never match and only adds scan cost.
let bad_sha1 = dynamic(["2db7e2aa1c6452b8326f8bd485c7cf3db34e94ed"]);
let bad_md5 = dynamic(["8b56aebdbd532b68e68ac3d603176027"]);
let bad_sha256 = dynamic(["d776991e64f8abcdcae6fe99e48e83a7570a51712d0b6df25f72f5abaf99fbe4"]);
DeviceFileEvents
| where SHA256 in (bad_sha256) or SHA1 in (bad_sha1) or MD5 in (bad_md5)
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated from Microsoft Defender for Endpoint raw events via the Microsoft Defender XDR (formerly Microsoft 365 Defender) data connector; ensure the connector is enabled and that the DeviceFileEvents table is selected. Not every event carries all three hash columns, so keep all three conditions in the query. |
False Positive Scenarios

This rule matches only on file hashes of a known Luca Stealer payload. Process names, command lines and paths play no part in the match, so benign tools that merely share a name with the sample produce no hit and need no exclusion. The situations below are the ones in which the hash legitimately appears on a host that was not attacked.

Scenario: Malware Analysis or Sandbox Hosts
Description: Analysts deliberately download, unpack or detonate the Luca Stealer sample on isolated lab machines, so the payload hash appears in those devices' DeviceFileEvents.
Filter/Exclusion: After verifying that the device is part of the analysis environment, exclude it by DeviceName or device group. Do not exclude by folder or file name: the same hash on any other device is a true positive.

Scenario: Quarantine and Sample Handling
Description: Endpoint protection moves the detected file into a quarantine location, or the security team copies the sample to a share or ticketing system for review. Each move produces further file events for the same hash, sometimes on hosts that were never infected.
Filter/Exclusion: Treat the earliest event per device as the triage lead and fold later events into the same incident when InitiatingProcessFileName is the AV or EDR engine or a known analyst tool, rather than raising a new alert for every copy.

Scenario: Threat Intelligence Sample Repositories
Description: Internal malware zoos or detection-engineering pipelines store the sample to build and test detections, so its hash recurs on the same small set of systems.
Filter/Exclusion: Exclude the repository hosts by DeviceName only after confirming their role; keep the exclusion list short and review it when devices are reassigned.
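The hunt query above compares each hash against the column of its own type, and the false-positive handling relies on a short, verified device exclusion list. The script below is an added example (not part of the original rule page or of ThreatFox) that builds that query from a ThreatFox-style IOC list: it validates every hash against the length and alphabet of its declared type, so a mislabelled feed row fails loudly instead of silently never matching, groups the values by DeviceFileEvents column, and emits the typed KQL with an optional analyst-device exclusion. The hostname "malware-lab-01" is a constructed placeholder, and the code assumes DeviceFileEvents stores hashes as lowercase hex, which is why values are lowercased before being emitted.

```python
"""Build a typed KQL hunt from a ThreatFox-style hash IOC list.

Added example; not code from the original page or from ThreatFox.
"""
import re
from collections import defaultdict

# IOC type as ThreatFox labels it -> (DeviceFileEvents column, hex length)
HASH_COLUMNS = {
    "md5_hash": ("MD5", 32),
    "sha1_hash": ("SHA1", 40),
    "sha256_hash": ("SHA256", 64),
}

# The three IOCs from the Luca Stealer table on this page, as (type, value).
LUCA_STEALER_IOCS = [
    ("sha1_hash", "2db7e2aa1c6452b8326f8bd485c7cf3db34e94ed"),
    ("md5_hash", "8b56aebdbd532b68e68ac3d603176027"),
    ("sha256_hash", "d776991e64f8abcdcae6fe99e48e83a7570a51712d0b6df25f72f5abaf99fbe4"),
]


def is_plausible_hash(ioc_type, value):
    """True when value has exactly the hex length its declared type requires."""
    if ioc_type not in HASH_COLUMNS:
        return False
    _, length = HASH_COLUMNS[ioc_type]
    return re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value.strip()) is not None


def normalize_iocs(iocs):
    """Group IOC values by DeviceFileEvents column.

    Values are trimmed and lowercased (assumption: the table stores lowercase
    hex) and de-duplicated. A value that cannot be a hash of its declared
    type raises ValueError rather than being emitted into a query that
    would never match.
    """
    grouped = defaultdict(list)
    for ioc_type, value in iocs:
        if not is_plausible_hash(ioc_type, value):
            raise ValueError(f"{ioc_type} value {value!r} is not a valid hash of that type")
        column, _ = HASH_COLUMNS[ioc_type]
        v = value.strip().lower()
        if v not in grouped[column]:
            grouped[column].append(v)
    return dict(grouped)


def kql_list(name, values):
    """Render a KQL 'let' statement holding a dynamic array of strings."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_hunt(iocs, excluded_devices=(), table="DeviceFileEvents"):
    """Emit a KQL hunt that tests each hash only against its own column.

    excluded_devices: hostnames of verified analysis or sample-repository
    machines to drop from results (hypothetical list supplied by the caller).
    """
    grouped = normalize_iocs(iocs)
    lets, conditions = [], []
    for column in ("SHA256", "SHA1", "MD5"):
        values = grouped.get(column)
        if not values:
            continue  # skip hash types the feed did not provide
        name = f"bad_{column.lower()}"
        lets.append(kql_list(name, values))
        conditions.append(f"{column} in ({name})")
    if not conditions:
        raise ValueError("no hash IOCs to hunt for")
    query = [table, "| where " + " or ".join(conditions)]
    if excluded_devices:
        # 'let' statements must precede the tabular expression in KQL
        lets.append(kql_list("analyst_devices", sorted(set(excluded_devices))))
        query.append("| where DeviceName !in~ (analyst_devices)")
    query += [
        "| project Timestamp, DeviceName, FileName, FolderPath, ActionType, "
        "SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine",
        "| order by Timestamp desc",
    ]
    return "\n".join(lets + query)


if __name__ == "__main__":
    # "malware-lab-01" is a constructed placeholder hostname.
    print(build_hunt(LUCA_STEALER_IOCS, excluded_devices=["malware-lab-01"]))
```

Feeding the generator a row whose value does not fit its declared type (for example a 32-character value labelled sha256_hash) stops the build instead of producing a condition that can never fire, which is the usual way a copy-paste error in an IOC list turns into a silent detection gap.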