The ThreatFox: StrelaStealer IOCs rule flags hosts that have resolved the StrelaStealer payload-delivery domain or that hold a file matching one of the known StrelaStealer payload hashes listed below. StrelaStealer is an information stealer that exfiltrates sensitive data, so a hit on either indicator points to a host in the delivery or early-execution stage. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and contain such compromises before significant data loss occurs.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 4
IOC Types: md5_hash, domain, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | be34707cb56d7b41393d14c67b4ad8626c4519d7 | payload | 2026-06-11 | 95% |
| md5_hash | 39a19118f2d38bfdb9421f69a84e5dec | payload | 2026-06-11 | 95% |
| sha256_hash | 8a82da328a3db0fca63f31e7b464b5989cecfd619ebab0b238c07b63544bf823 | payload | 2026-06-11 | 95% |
| domain | msp.shoptopexpress.com | payload_delivery | 2026-06-11 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
// Name holds the queried FQDN; IPAddresses holds the resolved answers.
let malicious_domains = dynamic(["msp.shoptopexpress.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - StrelaStealer
// One list carries all three digest types (SHA1, MD5, SHA256); each hash
// column is compared against it. The IOC values are lower-case hex, matching
// how Defender for Endpoint records digests; use in~ instead of in if another
// source may record upper-case hashes.
let malicious_hashes = dynamic(["be34707cb56d7b41393d14c67b4ad8626c4519d7", "39a19118f2d38bfdb9421f69a84e5dec", "8a82da328a3db0fca63f31e7b464b5989cecfd619ebab0b238c07b63544bf823"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
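The two hunts above, re-implemented offline so the matching logic can be exercised without a Sentinel workspace. This is an added example, not code from the original page or from ThreatFox: the IOC values are the ones in the table above, while the event records are constructed here to resemble DnsEvents and DeviceFileEvents rows (field names mirror those tables). It also shows two details the queries leave implicit: hashes are normalised to lower-case hex and validated by length before comparison, and the domain check is label-aware, so a subdomain of the listed name matches but the parent domain and a look-alike suffix do not.

```python
"""Offline version of the domain hunt and the hash hunt shown above.

Added example, not part of the original page or of ThreatFox. IOC values are
taken from the table above; the sample events below are constructed.
"""
from __future__ import annotations

from typing import Iterable, Optional

# IOC values copied from the ThreatFox table above.
MALICIOUS_DOMAINS = {"msp.shoptopexpress.com"}
MALICIOUS_HASHES = {
    "be34707cb56d7b41393d14c67b4ad8626c4519d7",                          # sha1
    "39a19118f2d38bfdb9421f69a84e5dec",                                  # md5
    "8a82da328a3db0fca63f31e7b464b5989cecfd619ebab0b238c07b63544bf823",  # sha256
}

HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def normalize_hash(value: Optional[str]) -> Optional[str]:
    """Lower-case a hex digest and validate its length. Returns None for
    empty, non-hex or oddly sized values so they can never match an IOC."""
    if not value:
        return None
    v = value.strip().lower()
    if len(v) not in HASH_ALGO_BY_LENGTH or not set(v) <= HEX_DIGITS:
        return None
    return v


def match_domain(query_name: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that query_name equals or is a subdomain of.

    Label-aware: 'cdn.msp.shoptopexpress.com' matches, but the parent
    'shoptopexpress.com' and 'msp.shoptopexpress.com.example' do not.
    """
    name = query_name.strip().lower().rstrip(".")
    for ioc in ioc_domains:
        ioc = ioc.lower().rstrip(".")
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def hunt_dns(events: Iterable[dict]) -> list[dict]:
    """DnsEvents-style rows whose Name hits an IOC domain, newest first."""
    hits = []
    for ev in events:
        ioc = match_domain(ev.get("Name", ""), MALICIOUS_DOMAINS)
        if ioc:
            hits.append({**ev, "MatchedIOC": ioc})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


def hunt_files(events: Iterable[dict]) -> list[dict]:
    """DeviceFileEvents-style rows where SHA256, SHA1 or MD5 hits an IOC hash."""
    hits = []
    for ev in events:
        for column in ("SHA256", "SHA1", "MD5"):
            digest = normalize_hash(ev.get(column))
            if digest in MALICIOUS_HASHES:
                hits.append({**ev, "MatchedIOC": digest,
                             "MatchedAlgo": HASH_ALGO_BY_LENGTH[len(digest)]})
                break  # one hit per file event is enough
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed sample telemetry (not real logs); hostnames and IPs are made up.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:01:00Z", "Computer": "WKS-017",
     "Name": "msp.shoptopexpress.com", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:03:00Z", "Computer": "WKS-022",
     "Name": "CDN.MSP.SHOPTOPEXPRESS.COM.", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:04:00Z", "Computer": "WKS-031",
     "Name": "shoptopexpress.com", "IPAddresses": "203.0.113.12", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:05:00Z", "Computer": "WKS-040",
     "Name": "msp.shoptopexpress.com.example", "IPAddresses": "198.51.100.5", "QueryType": "A"},
]

SAMPLE_FILE_EVENTS = [
    {"Timestamp": "2026-06-11T08:02:00Z", "DeviceName": "WKS-017",
     "FileName": "invoice.dll", "FolderPath": r"C:\Users\alice\AppData\Local\Temp",
     "SHA256": "8A82DA328A3DB0FCA63F31E7B464B5989CECFD619EBAB0B238C07B63544BF823",
     "SHA1": "", "MD5": "", "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2026-06-11T08:06:00Z", "DeviceName": "WKS-022",
     "FileName": "doc.zip", "FolderPath": r"C:\Users\bob\Downloads",
     "SHA256": "", "SHA1": "be34707cb56d7b41393d14c67b4ad8626c4519d7",
     "MD5": "", "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2026-06-11T08:07:00Z", "DeviceName": "WKS-031",
     "FileName": "notepad.exe", "FolderPath": r"C:\Windows\System32",
     "SHA256": "0" * 64, "SHA1": "0" * 40, "MD5": "0" * 32,
     "InitiatingProcessFileName": "explorer.exe"},
]


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_EVENTS):
        print("DNS hit :", hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
    for hit in hunt_files(SAMPLE_FILE_EVENTS):
        print("File hit:", hit["DeviceName"], hit["FileName"], hit["MatchedAlgo"], hit["MatchedIOC"])
```

Run as a script it prints two DNS hits (the exact name and its subdomain, the parent domain and the look-alike suffix are skipped) and two file hits (the upper-case SHA256 and the SHA1). Feeding the same records through the KQL above should yield the same hosts; if it does not, check whether the source records hashes in upper case.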
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft 365 Defender (Defender for Endpoint) connector; ensure it is enabled |
| DnsEvents | Populated by the DNS (Windows DNS Server) connector; ensure it is enabled |
False Positive Scenarios
The hunts above match on a file hash or a queried domain name, neither of which legitimate software produces by accident, so a hit on them should be treated as a true positive until proven otherwise. The exclusions below are for when the same IOC set is extended to process-level telemetry (for example DeviceProcessEvents), where generic tooling can resemble stealer behaviour; scope each exclusion as narrowly as the environment allows.
Scenario: Legitimate scheduled job running a StrelaStealer-like command for system monitoring
Filter/Exclusion: Exclude processes whose command line contains "system monitor" or "perfmon" and that belong to known monitoring tools such as PerfMon or Task Scheduler jobs.
Scenario: Admin using PowerShell to run a script that matches StrelaStealer IOC patterns
Filter/Exclusion: Exclude processes where the user is "Administrator", the process name is "powershell.exe" and the command line contains "script.ps1" or "powershell.exe -Command". Pin this to the specific script path and hosts where it is expected; attackers also run powershell.exe -Command under administrative accounts.
Scenario: Legitimate use of wget or curl to download a file from a known internal repository
Filter/Exclusion: Exclude processes named "wget" or "curl" whose destination falls within internal IP ranges or a known internal repository such as "internal-repo.example.com".
Scenario: Use of certutil to install a trusted certificate for an internal CA
Filter/Exclusion: Exclude processes named "certutil.exe" whose command line contains " -addstore -user trustedroot" or " -addstore -user root".
Scenario: Legitimate use of msiexec to install a trusted internal application
Filter/Exclusion: Exclude processes named "msiexec.exe" whose command line contains " /i internal_app.msi" or " /qn" and whose package name matches known internal software.