The ThreatFox: Stealc IOCs rule flags file events whose hashes match ThreatFox indicators for the Stealc malware, an information stealer known for harvesting credentials and exfiltrating data. SOC teams should hunt proactively for these matches in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Stealc for lateral movement and data compromise.
IOC Summary
Malware Family: Stealc
Total IOCs: 15
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | defc99dbb6a36ddb8fa8d3ce218db4747feb980a | payload | 2026-06-23 | 95% |
| md5_hash | 79187195d75a83469f94d84887157251 | payload | 2026-06-23 | 95% |
| sha1_hash | b918bf19df52464f084f35cc915fa8490e49a7c0 | payload | 2026-06-23 | 95% |
| md5_hash | 87c61136236dbb9ab635e379d866fe49 | payload | 2026-06-23 | 95% |
| sha256_hash | 1188d1f47cfc3797e1eb004e531b11b7a191a21475d97226dfa607db380b650b | payload | 2026-06-23 | 95% |
| sha1_hash | dead5907bef0ca8370293edfef487550437393d1 | payload | 2026-06-23 | 95% |
| md5_hash | d2b4cb1d964d01bce7246acb289f2a23 | payload | 2026-06-23 | 95% |
| sha256_hash | 33166e17fdb736cdfbe304002b081db17069618d5110e30b3a01d9086d5e1273 | payload | 2026-06-23 | 95% |
| md5_hash | 820e7ddb14f8b3de26b54c56d8b67749 | payload | 2026-06-23 | 95% |
| sha256_hash | 69e82da57188417c62f945e4d4747954ee3e75edfc82e7da9c28f67cef18430a | payload | 2026-06-23 | 95% |
| md5_hash | ab0553ff56ec4cd19d58b115c03513e6 | payload | 2026-06-23 | 95% |
| sha256_hash | dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02 | payload | 2026-06-23 | 95% |
| sha1_hash | fa3a516af1aa89399bd9702af25ac3a4d3169402 | payload | 2026-06-23 | 95% |
| sha256_hash | f56297a4158c79b49c9079ba634ea9595461717fb0955affe308ea05633ec9f1 | payload | 2026-06-23 | 95% |
| sha1_hash | 6536a0cdc1e3147904ca91d17411bc5d11febba2 | payload | 2026-06-23 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Stealc
// Hashes are lowercase hex, matching the case DeviceFileEvents stores them in
let malicious_hashes = dynamic(["defc99dbb6a36ddb8fa8d3ce218db4747feb980a", "79187195d75a83469f94d84887157251", "b918bf19df52464f084f35cc915fa8490e49a7c0", "87c61136236dbb9ab635e379d866fe49", "1188d1f47cfc3797e1eb004e531b11b7a191a21475d97226dfa607db380b650b", "dead5907bef0ca8370293edfef487550437393d1", "d2b4cb1d964d01bce7246acb289f2a23", "33166e17fdb736cdfbe304002b081db17069618d5110e30b3a01d9086d5e1273", "820e7ddb14f8b3de26b54c56d8b67749", "69e82da57188417c62f945e4d4747954ee3e75edfc82e7da9c28f67cef18430a", "ab0553ff56ec4cd19d58b115c03513e6", "dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02", "fa3a516af1aa89399bd9702af25ac3a4d3169402", "f56297a4158c79b49c9079ba634ea9595461717fb0955affe308ea05633ec9f1", "6536a0cdc1e3147904ca91d17411bc5d11febba2"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
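The query above compares one mixed list against all three hash columns. The helper below is an added example, not ThreatFox's tooling or part of this rule: it validates feed entries, buckets them by hash type, emits a KQL hunt that checks each hash only against its own column, and evaluates a sample DeviceFileEvents-style row offline. The `ioc_type`/`ioc` field names and the sample rows are assumptions; the hash values are copied from the table above.

```python
import json
import re
from collections import defaultdict

# Constructed subset of the Stealc IOC table above, in an assumed ThreatFox-like row shape.
THREATFOX_IOCS = [
    {"ioc_type": "sha1_hash", "ioc": "defc99dbb6a36ddb8fa8d3ce218db4747feb980a"},
    {"ioc_type": "md5_hash", "ioc": "79187195d75a83469f94d84887157251"},
    {"ioc_type": "sha256_hash", "ioc": "1188d1f47cfc3797e1eb004e531b11b7a191a21475d97226dfa607db380b650b"},
]

# Expected hex length per feed type and the DeviceFileEvents column it maps to.
HASH_SPEC = {"md5_hash": (32, "MD5"), "sha1_hash": (40, "SHA1"), "sha256_hash": (64, "SHA256")}


def group_iocs(iocs):
    """Normalise hashes to lowercase hex and bucket them by the column they belong to."""
    buckets = defaultdict(set)
    for entry in iocs:
        spec = HASH_SPEC.get(entry.get("ioc_type"))
        value = (entry.get("ioc") or "").strip().lower()
        # Drop unknown types and malformed values instead of emitting a query that can never match.
        if spec is None or not re.fullmatch(r"[0-9a-f]{%d}" % spec[0], value):
            continue
        buckets[spec[1]].add(value)
    return buckets


def build_kql(buckets, table="DeviceFileEvents"):
    """Emit a KQL hunt with one dynamic() list per hash type, each tested against its own column."""
    lets, clauses = [], []
    for column in ("SHA256", "SHA1", "MD5"):
        if buckets.get(column):
            name = f"stealc_{column.lower()}"
            lets.append(f"let {name} = dynamic({json.dumps(sorted(buckets[column]))});")
            clauses.append(f"{column} in ({name})")
    body = [table, "| where " + " or ".join(clauses),
            "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName",
            "| order by Timestamp desc"]
    return "\n".join(lets + body)


def match_event(event, buckets):
    """Offline check of one DeviceFileEvents-style row; returns the matching column or None."""
    for column in ("SHA256", "SHA1", "MD5"):
        value = (event.get(column) or "").strip().lower()
        if value and value in buckets.get(column, set()):
            return column
    return None
```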
False Positive Scenarios

- Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing user credentials for reporting purposes.
  Filter/Exclusion: Exclude PowerShell scripts that use Import-Csv or Get-Content with file paths in known internal directories (e.g., C:\Windows\System32\, C:\ProgramData\).
- Scenario: A security tool like OSSEC is configured to monitor log files and generates alerts when it detects unusual activity, such as a large number of failed login attempts.
  Filter/Exclusion: Exclude events from the OSSEC agent or any process with the executable path containing ossec or ossec-log.
- Scenario: A DevOps team is using Ansible to automate the deployment of configuration files to multiple servers, which may involve copying files with names similar to known IOCs.
  Filter/Exclusion: Exclude processes initiated by Ansible (ansible-playbook) or any process with the command line containing ansible or copy with known internal file paths.
- Scenario: A database administrator is using SQL Server Management Studio (SSMS) to export a large dataset to a CSV file for archival purposes, which may include fields that resemble IOC patterns.
  Filter/Exclusion: Exclude processes initiated by sqlcmd or ssms.exe and filter out file paths related to SQL Server data directories (e.g., C:\Program Files\Microsoft SQL Server\).
- Scenario: A system is running a Windows Task Scheduler job that executes a legitimate script to generate reports, which may include temporary files or output that matches IOC patterns.
  Filter/Exclusion: Exclude tasks with names containing “reporting” or “backup” and filter out file paths in the C:\Windows\Temp\ or C:\Users\Public\