The ThreatFox: SnappyClient IOCs rule detects potential adversary activity associated with the SnappyClient malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may be leveraging these IOCs to maintain persistence and steal sensitive data.
IOC Summary
Malware Family: SnappyClient
Total IOCs: 4
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]124[.]186[.]2:7000 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 212[.]34[.]155[.]18:443 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 45[.]150[.]66[.]187:443 | botnet_cc | 2026-06-06 | 75% |
| domain | mdprzinwo.xyz | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SnappyClient
let malicious_ips = dynamic(["45.150.66.187", "212.34.155.18", "138.124.186.2"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - SnappyClient
let malicious_ips = dynamic(["45.150.66.187", "212.34.155.18", "138.124.186.2"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SnappyClient
let malicious_domains = dynamic(["mdprzinwo.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
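The queries above match on IP address alone, while the IOC table also records the C2 port for each address. The following query is an added example, not part of the original rule: it carries the port, threat type and confidence from the IOC table into a KQL datatable and joins it against DeviceNetworkEvents, so a hit is only raised on the exact ip:port pair and arrives with its context for triage. Column names are the DeviceNetworkEvents columns already used above; the datatable values are the three ip:port IOCs from the summary table.

```kusto
// Added example: hunt on the full ip:port pair from the ThreatFox IOC table,
// so a hit on 212.34.155.18:443 is reported together with its threat type and confidence.
let snappyclient_c2 = datatable(RemoteIP:string, RemotePort:int, ThreatType:string, Confidence:int)
[
    "138.124.186.2", 7000, "botnet_cc", 75,
    "212.34.155.18", 443,  "botnet_cc", 75,
    "45.150.66.187", 443,  "botnet_cc", 75
];
DeviceNetworkEvents
| where RemoteIP in (snappyclient_c2 | project RemoteIP)    // cheap pre-filter before the join
| join kind=inner snappyclient_c2 on RemoteIP, RemotePort    // exact ip:port match only
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)   // which binaries talked to the C2
    by DeviceName, RemoteIP, RemotePort, ThreatType, Confidence
| order by LastSeen desc
```

The same datatable can be joined against CommonSecurityLog by first renaming DestinationIP and DestinationPort to RemoteIP and RemotePort with project-rename.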
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the rule if it matches the IOCs associated with SnappyClient.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or check for the presence of a known maintenance task name (e.g., CleanupTask).
Scenario: Admin-Initiated Software Deployment
Description: An administrator may deploy a legitimate application using a tool like msiexec.exe or setup.exe, which could have hashes or network connections matching the SnappyClient IOCs.
Filter/Exclusion: Exclude processes initiated by admin accounts or check for known deployment tools in the command line arguments.
Scenario: Log Collection or Monitoring Tool Activity
Description: A log collection tool like logparser.exe or splunkforwarder.exe may interact with the same network endpoints or execute similar commands as SnappyClient.
Filter/Exclusion: Exclude processes associated with known log collection tools or check for the presence of a log management system in the process tree.
Scenario: Database Backup Job Execution
Description: A database backup job using sqlcmd.exe or mysqldump.exe may generate network traffic or file system activity that matches the SnappyClient IOCs.
Filter/Exclusion: Exclude processes related to database backup tools or check for backup job names in the command line.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool, such as mpcmdrun.exe (Microsoft Defender) or avgscan.exe, may perform actions that resemble SnappyClient behavior.
Filter/Exclusion: Exclude processes associated with known antivirus tools or check for the presence of a security software vendor in