The ThreatFox: Stealc IOCs rule detects potential adversary activity involving the Stealc malware, which is known for stealing credentials and sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Stealc for lateral movement and data exfiltration.
IOC Summary
Malware Family: Stealc
Total IOCs: 4
IOC Types: sha1_hash, sha256_hash, url, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://151[.]240[.]151[.]64/9966f4d17e8f4875aad6.php | botnet_cc | 2026-06-14 | 75% |
| md5_hash | c971ef7fa5032f6d999550a0aba36a4d | payload | 2026-06-14 | 95% |
| sha256_hash | 9cfc0394511e10e7fa965aa348c134edc47f8f2af617b92975b3ac573fda95ee | payload | 2026-06-14 | 95% |
| sha1_hash | 0cb2f8336c23e581668238619de3dc6edb10cef4 | payload | 2026-06-14 | 95% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Stealc
let malicious_urls = dynamic(["http://151.240.151.64/9966f4d17e8f4875aad6.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Stealc
let malicious_hashes = dynamic(["c971ef7fa5032f6d999550a0aba36a4d", "9cfc0394511e10e7fa965aa348c134edc47f8f2af617b92975b3ac573fda95ee", "0cb2f8336c23e581668238619de3dc6edb10cef4"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
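The two hunts above are hand-written from the IOC table, which means someone has to refang the URL (ThreatFox publishes `hxxp://` and `[.]`), keep the hash lists current, and avoid comparing every hash against every hash column. The script below is an added example, not part of this page or of ThreatFox's own tooling: it takes records in the shape of the table above (the four Stealc IOCs are embedded as a constructed sample), refangs URLs, verifies that each hash's length matches its declared algorithm, drops indicators below a confidence threshold, and renders the same two KQL hunts with one `let` per hash algorithm. Function and variable names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the four Stealc IOCs from the table on this page,
# in the defanged form ThreatFox publishes them in.
SAMPLE_IOCS: List[Dict] = [
    {"ioc_type": "url", "ioc": "hxxp://151[.]240[.]151[.]64/9966f4d17e8f4875aad6.php",
     "threat_type": "botnet_cc", "confidence_level": 75},
    {"ioc_type": "md5_hash", "ioc": "c971ef7fa5032f6d999550a0aba36a4d",
     "threat_type": "payload", "confidence_level": 95},
    {"ioc_type": "sha256_hash",
     "ioc": "9cfc0394511e10e7fa965aa348c134edc47f8f2af617b92975b3ac573fda95ee",
     "threat_type": "payload", "confidence_level": 95},
    {"ioc_type": "sha1_hash", "ioc": "0cb2f8336c23e581668238619de3dc6edb10cef4",
     "threat_type": "payload", "confidence_level": 95},
]

# Hex-digest length for each hash type, used to catch mislabelled indicators.
HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}

# Sentinel column that each ThreatFox hash type is compared against.
HASH_COLUMNS = {"md5_hash": "MD5", "sha1_hash": "SHA1", "sha256_hash": "SHA256"}


def refang(value: str) -> str:
    """Turn a defanged ThreatFox URL (hxxp://, [.]) back into the form seen in telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def classify_hash(digest: str) -> str:
    """Return the hash type implied by the digest's length, or raise on malformed input."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not a hex digest: {digest!r}")
    for name, length in HASH_LENGTHS.items():
        if len(digest) == length:
            return name
    raise ValueError(f"unsupported digest length {len(digest)}")


def build_indicator_sets(iocs: List[Dict], min_confidence: int = 50) -> Dict[str, List[str]]:
    """Group IOCs by type, refanging URLs and validating hash types; skip low-confidence entries."""
    sets: Dict[str, List[str]] = {"url": [], "md5_hash": [], "sha1_hash": [], "sha256_hash": []}
    for rec in iocs:
        if rec["confidence_level"] < min_confidence:
            continue
        ioc_type = rec["ioc_type"]
        if ioc_type == "url":
            sets["url"].append(refang(rec["ioc"]))
        elif ioc_type in HASH_LENGTHS:
            if classify_hash(rec["ioc"]) != ioc_type:
                raise ValueError(f"{rec['ioc']} is labelled {ioc_type} but has the wrong length")
            sets[ioc_type].append(rec["ioc"].strip().lower())
        # Other ThreatFox types (domain, ip:port) are out of scope for these two hunts.
    return sets


def kql_list(values: List[str]) -> str:
    """Render a Python list as a KQL dynamic array of quoted strings."""
    quoted = ['"%s"' % v.replace("\\", "\\\\").replace('"', '\\"') for v in values]
    return "dynamic([" + ", ".join(quoted) + "])"


def render_url_hunt(sets: Dict[str, List[str]]) -> str:
    """Render the UrlClickEvents hunt; returns a comment only when there are no URLs."""
    if not sets["url"]:
        return "// No URL indicators above the confidence threshold"
    return "\n".join([
        "// Hunt for access to known malicious URLs (generated)",
        f"let malicious_urls = {kql_list(sets['url'])};",
        "UrlClickEvents",
        "| where Url has_any (malicious_urls)",
        "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough",
        "| order by Timestamp desc",
    ])


def render_file_hunt(sets: Dict[str, List[str]]) -> str:
    """Render the DeviceFileEvents hunt with one list per algorithm, compared to its own column."""
    lets, clauses = [], []
    for hash_type, column in HASH_COLUMNS.items():
        if sets[hash_type]:
            var = f"{column.lower()}_list"
            lets.append(f"let {var} = {kql_list(sets[hash_type])};")
            clauses.append(f"{column} in ({var})")
    if not clauses:
        return "// No hash indicators above the confidence threshold"
    return "\n".join([
        "// Hunt for files matching known malicious hashes (generated)",
        *lets,
        "DeviceFileEvents",
        "| where " + " or ".join(clauses),
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
        "| order by Timestamp desc",
    ])


if __name__ == "__main__":
    indicator_sets = build_indicator_sets(SAMPLE_IOCS)
    print(render_url_hunt(indicator_sets))
    print()
    print(render_file_hunt(indicator_sets))
```

Raising the threshold to `min_confidence=80` drops the 75% C2 URL and leaves only the payload hashes, which is the kind of policy decision worth making explicit rather than hand-editing the query each time the feed changes. Comparing each hash list only with its own column also makes the `where` clause self-documenting when an analyst reads the hunt later.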
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job for system diagnostics | A scheduled task runs a diagnostic tool like Process Explorer or Sysinternals tools to monitor system performance. | Exclude processes or commands associated with Sysinternals or Process Explorer using the process.name field. |
| Admin task to clean temporary files | An administrator uses a script or tool like CCleaner or Disk Cleanup to remove temporary files and logs. | Exclude processes with ccleaner.exe, cleanmgr.exe, or similar known cleanup tools using the process.name field. |
| Regular use of PowerShell for system monitoring | System administrators use PowerShell scripts to monitor system logs or performance, which may include commands resembling malicious IOCs. | Exclude PowerShell scripts executed by known admin accounts or from trusted locations using the process.user and process.directory fields. |
| Use of legitimate remote management tools | Tools like PsExec or Remote Desktop Services are used to manage remote systems, which may trigger IOC matches due to similar command-line patterns. | Exclude processes with psexec.exe or mstsc.exe using the process.name field, or filter by process.parent to identify legitimate remote management activity. |
| Automated log rotation or archiving | A log management tool like Logrotate or Splunk performs routine log archiving, which may include file operations matching IOC patterns. | Exclude processes related to log management tools using the process.name field, or filter by file.path to identify known log rotation directories. |