The ThreatFox: Stealc IOCs rule detects potential adversary activity associated with the Stealc malware, which is known for stealing credentials and sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could lead to data exfiltration and lateral movement within the network.
IOC Summary

| Malware Family | Total IOCs | IOC Types |
|---|---|---|
| Stealc | 28 | ip:port |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Stealc
let malicious_ips = dynamic(["94.26.83.178", "193.111.117.50", "198.244.206.28", "209.99.186.230", "2.27.5.127", "216.203.20.148", "45.12.62.176", "108.165.185.188", "43.230.162.47", "168.93.214.29", "144.172.102.43", "171.22.108.181", "150.40.117.245", "185.102.115.242", "150.241.66.52", "45.141.119.188", "194.33.61.203", "45.115.27.3", "104.251.180.218", "173.232.146.29", "77.90.185.36", "158.94.208.114", "181.174.165.186", "194.33.61.174", "158.94.210.59", "95.133.228.206", "146.19.56.31", "178.16.53.18"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Stealc
let malicious_ips = dynamic(["94.26.83.178", "193.111.117.50", "198.244.206.28", "209.99.186.230", "2.27.5.127", "216.203.20.148", "45.12.62.176", "108.165.185.188", "43.230.162.47", "168.93.214.29", "144.172.102.43", "171.22.108.181", "150.40.117.245", "185.102.115.242", "150.241.66.52", "45.141.119.188", "194.33.61.203", "45.115.27.3", "104.251.180.218", "173.232.146.29", "77.90.185.36", "158.94.208.114", "181.174.165.186", "194.33.61.174", "158.94.210.59", "95.133.228.206", "146.19.56.31", "178.16.53.18"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job for system cleanup using cleanmgr.exe | Exclude processes with cleanmgr.exe and msiexec.exe, as they are part of Windows system maintenance. |
| Admin task to update Microsoft Endpoint Protection (MEP) using mpcmdrun.exe | Exclude processes where the command line includes mpcmdrun.exe with arguments related to updates or scans. |
| Use of PowerShell.exe for routine system monitoring and log analysis | Exclude PowerShell scripts that run from known secure locations (e.g., C:\Windows\System32\) and have benign command-line arguments. |
| Legitimate use of Task Scheduler to run wbadmin.exe for backup operations | Exclude processes initiated by the Task Scheduler with wbadmin.exe and command-line flags related to backup or restore operations. |
| System update process using wuauclt.exe (Windows Update) | Exclude processes where wuauclt.exe is running with update-related command-line switches such as /detectnow or /updatenow. |