The ThreatFox: StrelaStealer IOCs rule flags DNS resolution of domains that ThreatFox attributes to StrelaStealer, an information stealer known for harvesting e-mail client credentials (Outlook and Thunderbird) from compromised hosts. The domains listed below are tagged payload_delivery, so a hit most likely indicates a lure or payload being fetched from a compromised website during the initial infection, not established command and control. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to catch the intrusion at delivery, before credentials are stolen and exfiltrated.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 66
IOC Types: domain
The table below lists 25 of the 66 domains and the hunting query carries 50; pull the full set from ThreatFox for complete coverage.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | hukap.com.tr | payload_delivery | 2026-04-21 | 100% |
| domain | hintech.hr | payload_delivery | 2026-04-21 | 100% |
| domain | hillvarta.com | payload_delivery | 2026-04-21 | 100% |
| domain | hien.fillerbotoxvn.com.vn | payload_delivery | 2026-04-21 | 100% |
| domain | haydaycafes.com | payload_delivery | 2026-04-21 | 100% |
| domain | harsheelpanchasara.com | payload_delivery | 2026-04-21 | 100% |
| domain | handyman.lu | payload_delivery | 2026-04-21 | 100% |
| domain | hajighani-sons.com | payload_delivery | 2026-04-21 | 100% |
| domain | haar-transplantation.ch | payload_delivery | 2026-04-21 | 100% |
| domain | gruporojaspanel.com | payload_delivery | 2026-04-21 | 100% |
| domain | grupolabplusvida.com.br | payload_delivery | 2026-04-21 | 100% |
| domain | graveerhuistwente.nl | payload_delivery | 2026-04-21 | 100% |
| domain | glamouraffair.com | payload_delivery | 2026-04-21 | 100% |
| domain | ghosnplants.com | payload_delivery | 2026-04-21 | 100% |
| domain | gajo.biz.pl | payload_delivery | 2026-04-21 | 100% |
| domain | ggluxresale.com | payload_delivery | 2026-04-21 | 100% |
| domain | gelagatsumsel.net | payload_delivery | 2026-04-21 | 100% |
| domain | futurefinserv.co.in | payload_delivery | 2026-04-21 | 100% |
| domain | fulcovietnam.com | payload_delivery | 2026-04-21 | 100% |
| domain | fryo.net | payload_delivery | 2026-04-21 | 100% |
| domain | forexbangla.com | payload_delivery | 2026-04-21 | 100% |
| domain | fitostore.az | payload_delivery | 2026-04-21 | 100% |
| domain | first-ex.com.bo | payload_delivery | 2026-04-21 | 100% |
| domain | finitial.eu | payload_delivery | 2026-04-21 | 100% |
| domain | filtersystemstechnology.com | payload_delivery | 2026-04-21 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer (domain IOCs tagged payload_delivery)
// Note: this list carries 50 of the 66 domains in the feed; regenerate it from ThreatFox for full coverage.
let malicious_domains = dynamic(["hukap.com.tr", "hintech.hr", "hillvarta.com", "hien.fillerbotoxvn.com.vn", "haydaycafes.com", "harsheelpanchasara.com", "handyman.lu", "hajighani-sons.com", "haar-transplantation.ch", "gruporojaspanel.com", "grupolabplusvida.com.br", "graveerhuistwente.nl", "glamouraffair.com", "ghosnplants.com", "gajo.biz.pl", "ggluxresale.com", "gelagatsumsel.net", "futurefinserv.co.in", "fulcovietnam.com", "fryo.net", "forexbangla.com", "fitostore.az", "first-ex.com.bo", "finitial.eu", "filtersystemstechnology.com", "featt.fr", "fastenhub.com", "ezc.adventist.org", "escolateologicavpjc.com.br", "experience.lacs-gorges-verdon.fr", "eventsbox.au", "eventhqhouston.com", "escolainfantilbubela.com", "enlacegonzaloyelena.atono.es", "energiasziget.hu", "endarasl.com", "elth.ucv.ro", "elrinconchile.cl", "electronlibre-so.fr", "electricidadcuadra.com", "elearn.univ-oran1.dz", "elearn.routesoftskills.com", "el-wazeer.com", "detikpublik.com", "detikaceh.com", "designmenu.mlcsandbox.com", "design-eight-shelter.com", "desarrollo.britishschoolmalaga.com", "desarrollo.britishschoolalmeria.com", "denvergaragedoor.repair"]);
// DnsEvents is populated by the DNS (Windows DNS Server) data connector.
DnsEvents
// has_any matches each IOC as a phrase anywhere in Name, so subdomains of a listed domain are returned too.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled; the query returns nothing if this table is not populated |
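To show how a list like the one above is built from the feed and what the DNS match actually catches, the following Python is an added example; it is not part of the ThreatFox rule or the page's KQL. It assumes ThreatFox's export field names (ioc, ioc_type, threat_type, malware_printable, first_seen, confidence_level), uses a constructed feed excerpt (three domains from the page plus made-up low-confidence and ip:port records) and constructed DnsEvents-style rows, and applies a label-boundary suffix match, so www.fryo.net is a hit while notfryo.net and fryo.net.cdn.example are not. The page's has_any phrase match is looser on the last kind of name, which is why the stricter rule is worth having when the query is noisy.

```python
"""Added example: turn ThreatFox-style records into the Sentinel domain list
and check DNS query names against it with domain-label-aware matching.
Not part of the ThreatFox rule page. Field names follow ThreatFox's export
(ioc, ioc_type, threat_type, malware_printable, first_seen, confidence_level);
all records and DNS rows below are constructed sample data."""
import json

# Constructed excerpt shaped like a ThreatFox "malwareinfo" response. Three
# domains are taken from the page; the low-confidence domain and the ip:port
# record are made up to exercise the filtering.
THREATFOX_SAMPLE = json.dumps({
    "query_status": "ok",
    "data": [
        {"ioc": "hukap.com.tr", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 100},
        {"ioc": "fryo.net", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 100},
        {"ioc": "ezc.adventist.org", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 100},
        # Same host as above with different case and a trailing dot: must collapse.
        {"ioc": "Fryo.NET.", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 100},
        # Hypothetical low-confidence entry and a non-domain IOC type.
        {"ioc": "low-confidence.example", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 50},
        {"ioc": "203.0.113.10:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware_printable": "StrelaStealer", "first_seen": "2026-04-21 00:00:00 UTC",
         "confidence_level": 100},
    ],
})


def normalize_domain(name):
    """Lower-case and strip whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def domain_iocs(feed_json, min_confidence=0):
    """Deduplicated, normalized domain IOCs at or above the confidence floor."""
    records = json.loads(feed_json)["data"]
    return sorted({
        normalize_domain(r["ioc"])
        for r in records
        if r["ioc_type"] == "domain" and r["confidence_level"] >= min_confidence
    })


def kql_hunt(domains, table="DnsEvents"):
    """Render the page's hunting query with a freshly generated dynamic() list."""
    items = ", ".join(json.dumps(d) for d in domains)
    return (
        "// Hunt for DNS queries to known malicious domains\n"
        f"let malicious_domains = dynamic([{items}]);\n"
        f"{table}\n"
        "| where Name has_any (malicious_domains)\n"
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
        "| order by TimeGenerated desc"
    )


def matches_ioc(query_name, domains):
    """Return the IOC that query_name equals or is a subdomain of, else None.

    The boundary is a whole DNS label: www.fryo.net hits fryo.net, while
    notfryo.net and fryo.net.cdn.example do not. KQL's has_any matches the
    IOC as a phrase anywhere in Name, so it is looser on the last kind."""
    q = normalize_domain(query_name)
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed rows in the shape of DnsEvents (only the columns the check needs).
SAMPLE_DNS_EVENTS = [
    {"Computer": "WS-0142", "Name": "www.fryo.net", "QueryType": "A"},
    {"Computer": "WS-0142", "Name": "notfryo.net", "QueryType": "A"},
    {"Computer": "FS-01", "Name": "ezc.adventist.org.", "QueryType": "AAAA"},
    {"Computer": "WS-0200", "Name": "fryo.net.cdn.example", "QueryType": "A"},
    {"Computer": "WS-0200", "Name": "login.microsoftonline.com", "QueryType": "A"},
]


def hunt(events, domains):
    """(Computer, queried Name, matched IOC) for every event that hits."""
    hits = []
    for event in events:
        ioc = matches_ioc(event["Name"], domains)
        if ioc is not None:
            hits.append((event["Computer"], event["Name"], ioc))
    return hits


if __name__ == "__main__":
    iocs = domain_iocs(THREATFOX_SAMPLE, min_confidence=75)
    print(kql_hunt(iocs))
    for computer, name, ioc in hunt(SAMPLE_DNS_EVENTS, iocs):
        print(f"{computer}: {name} -> {ioc}")
```

Run as a script it prints the regenerated KQL and the two rows that hit (www.fryo.net and ezc.adventist.org.); the duplicate "Fryo.NET." collapses into fryo.net, and the ip:port record is dropped because this rule only consumes domains. Normalising case and the trailing dot before comparison matters because DNS logs record names in either form.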
Scenario: Normal browsing to a compromised but otherwise legitimate website
Description: The listed domains are tagged payload_delivery and several belong to ordinary organisations (school, university and church sites such as desarrollo.britishschoolmalaga.com, elearn.univ-oran1.dz and ezc.adventist.org), which indicates compromised hosting used to serve the lure rather than attacker-registered infrastructure. A DNS query from a workstation may therefore be a user visiting the site's legitimate pages.
Filter/Exclusion: Do not exclude on the domain alone. Pivot on Computer and TimeGenerated into proxy or web logs for the requested URL and treat the hit as a true positive only if the host downloaded a file from the site rather than viewing its normal content.
Scenario: Security tooling resolving the IOCs
Description: Analyst workstations, detonation sandboxes, URL scanners and mail security gateways resolve suspicious domains as part of their job, and those lookups land in DnsEvents like any other.
Filter/Exclusion: Computer !in (known sandbox, scanner and mail-gateway hosts), with the host list maintained as a watchlist rather than hard-coded in the query.
Scenario: Phrase matching by has_any returning unrelated names
Description: has_any matches each IOC as a phrase anywhere within Name, so subdomains of a listed domain are returned (intended), but so is any query name in which the listed domain appears as consecutive labels in the middle of a longer hostname.
Filter/Exclusion: Where this produces noise, require Name to equal the IOC or to end with "." followed by the IOC, so only the domain itself and its subdomains match.
Scenario: Aged IOCs after the compromised site is cleaned up
Description: Compromised legitimate sites are usually remediated by their owners, so a query to a listed domain long after its First Seen date is less likely to be a payload fetch.
Filter/Exclusion: Do not exclude, but lower the priority of hits whose TimeGenerated is far past First Seen and confirm the domain is still active on ThreatFox before escalating.