The ThreatFox: StrelaStealer IOCs rule detects DNS queries to domains that ThreatFox attributes to StrelaStealer infrastructure. Every IOC in this batch is tagged payload_delivery, so a hit indicates a host resolving a domain that has served the StrelaStealer payload rather than confirmed command-and-control traffic. StrelaStealer is an information stealer that harvests e-mail client credentials (Outlook and Thunderbird), which are then exfiltrated. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain credential theft before exfiltration occurs.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 27
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | donghothuysi.info | payload_delivery | 2026-04-22 | 100% |
| domain | dashboard.kantsios.com | payload_delivery | 2026-04-22 | 100% |
| domain | noithatcth.com | payload_delivery | 2026-04-22 | 100% |
| domain | tongkhothuocthuy.tranngocsy.com | payload_delivery | 2026-04-22 | 100% |
| domain | qatest.webcase.me | payload_delivery | 2026-04-22 | 100% |
| domain | cherry-facturatie.nl | payload_delivery | 2026-04-22 | 100% |
| domain | members.endlish.com | payload_delivery | 2026-04-22 | 100% |
| domain | brisbane.holidaywebsites.com.au | payload_delivery | 2026-04-22 | 100% |
| domain | medmakine.com | payload_delivery | 2026-04-22 | 100% |
| domain | loja.grupoonc.com.br | payload_delivery | 2026-04-22 | 100% |
| domain | e2vimaging.focus-pluto.co.uk | payload_delivery | 2026-04-22 | 100% |
| domain | learningsahajayoga.org | payload_delivery | 2026-04-22 | 100% |
| domain | leahys.webiqx.com.br | payload_delivery | 2026-04-22 | 100% |
| domain | land.osharon.co.il | payload_delivery | 2026-04-22 | 100% |
| domain | kai1.kaiservers.com | payload_delivery | 2026-04-22 | 100% |
| domain | joziba.in | payload_delivery | 2026-04-22 | 100% |
| domain | newmorning24.com | payload_delivery | 2026-04-22 | 100% |
| domain | mtechs.com.vn | payload_delivery | 2026-04-22 | 100% |
| domain | platform.educationmastery.net | payload_delivery | 2026-04-22 | 100% |
| domain | platform.consciousnesskey.net | payload_delivery | 2026-04-22 | 100% |
| domain | phovid.in | payload_delivery | 2026-04-22 | 100% |
| domain | gtn.az | payload_delivery | 2026-04-22 | 100% |
| domain | demo2.hungdevwp.com | payload_delivery | 2026-04-22 | 100% |
| domain | ouroverdeagropecuaria.com.br | payload_delivery | 2026-04-22 | 100% |
| domain | cantamagaza.com | payload_delivery | 2026-04-22 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
// Note: has_any matches the IOC as a phrase on term boundaries, so it also
// catches subdomains (www.donghothuysi.info) but will over-match longer names
// that merely contain an IOC (e.g. gtn.az.example.org). Review hits accordingly.
let malicious_domains = dynamic(["donghothuysi.info", "dashboard.kantsios.com", "noithatcth.com", "tongkhothuocthuy.tranngocsy.com", "qatest.webcase.me", "cherry-facturatie.nl", "members.endlish.com", "brisbane.holidaywebsites.com.au", "medmakine.com", "loja.grupoonc.com.br", "e2vimaging.focus-pluto.co.uk", "learningsahajayoga.org", "leahys.webiqx.com.br", "land.osharon.co.il", "kai1.kaiservers.com", "joziba.in", "newmorning24.com", "mtechs.com.vn", "platform.educationmastery.net", "platform.consciousnesskey.net", "phovid.in", "gtn.az", "demo2.hungdevwp.com", "ouroverdeagropecuaria.com.br", "cantamagaza.com", "www.koemau.nl", "www.gymmanufacturer.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS (Preview) data connector is enabled and DNS analytic logs are being collected from your DNS servers |
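The KQL hunt above runs only inside Sentinel, so the matching semantics are hard to test before deployment. The following Python script is an added example (not part of the ThreatFox feed, the Sentinel rule, or any vendor code): it embeds the 27 domain IOCs, runs them over constructed DNS log lines, and contrasts exact/parent-domain matching against an approximation of KQL `has_any` so the over-match caveat can be seen concretely. The log format, client addresses and the excluded scanner host are invented for illustration.

```python
"""Offline replay of the StrelaStealer domain IOC hunt over DNS query logs.

Added example, not code from ThreatFox or from the Sentinel rule. The log
lines and client addresses below are constructed for illustration.
"""
import re
from typing import Dict, FrozenSet, List, Optional

# Domain IOCs copied from the ThreatFox StrelaStealer list in the KQL hunt above.
STRELA_DOMAINS = frozenset({
    "donghothuysi.info", "dashboard.kantsios.com", "noithatcth.com",
    "tongkhothuocthuy.tranngocsy.com", "qatest.webcase.me", "cherry-facturatie.nl",
    "members.endlish.com", "brisbane.holidaywebsites.com.au", "medmakine.com",
    "loja.grupoonc.com.br", "e2vimaging.focus-pluto.co.uk", "learningsahajayoga.org",
    "leahys.webiqx.com.br", "land.osharon.co.il", "kai1.kaiservers.com", "joziba.in",
    "newmorning24.com", "mtechs.com.vn", "platform.educationmastery.net",
    "platform.consciousnesskey.net", "phovid.in", "gtn.az", "demo2.hungdevwp.com",
    "ouroverdeagropecuaria.com.br", "cantamagaza.com", "www.koemau.nl",
    "www.gymmanufacturer.com",
})


def normalise(name: str) -> str:
    """Lower-case the query name and drop the trailing dot resolvers append."""
    return name.strip().lower().rstrip(".")


def ioc_match(query_name: str, iocs: FrozenSet[str] = STRELA_DOMAINS) -> Optional[str]:
    """Return the IOC that equals the name or is one of its parent domains.

    Matching walks label boundaries, so 'www.donghothuysi.info' hits
    'donghothuysi.info' but 'notjoziba.in' and 'gtn.az.example.org' do not.
    """
    labels = normalise(query_name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def has_any_style_match(query_name: str, iocs: FrozenSet[str] = STRELA_DOMAINS) -> Optional[str]:
    """Rough approximation of KQL `has_any`: the IOC as a phrase on term boundaries.

    This is only an approximation of Kusto's tokeniser, included to show why
    a name that merely contains an IOC still matches in the Sentinel query.
    """
    name = normalise(query_name)
    for ioc in sorted(iocs):
        if re.search(r"(?<![a-z0-9-])" + re.escape(ioc) + r"(?![a-z0-9-])", name):
            return ioc
    return None


# Constructed DNS log lines (not real telemetry): time, client IP, query name, type.
SAMPLE_DNS_LOG = """\
2026-04-23T08:01:12Z 10.20.1.15 www.donghothuysi.info A
2026-04-23T08:01:13Z 10.20.1.15 platform.educationmastery.net. A
2026-04-23T08:02:40Z 10.20.1.44 gtn.az.example.org A
2026-04-23T08:03:05Z 10.20.1.44 notjoziba.in A
2026-04-23T08:04:51Z 10.20.1.99 learningsahajayoga.org A
2026-04-23T08:05:22Z 10.20.1.44 mtechs.com.vn TXT
"""

# Hypothetical sandbox / URL-scanner host whose lookups are expected (see the
# false-positive scenarios below); exclude by client, never by IOC domain.
EXCLUDED_CLIENTS: FrozenSet[str] = frozenset({"10.20.1.99"})


def hunt(log_text: str,
         iocs: FrozenSet[str] = STRELA_DOMAINS,
         excluded_clients: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one record per DNS query that resolves an IOC or a subdomain of one."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        if client in excluded_clients:
            continue
        ioc = ioc_match(qname, iocs)
        if ioc is not None:
            hits.append({"time": ts, "client": client, "name": normalise(qname),
                         "ioc": ioc, "qtype": qtype})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG, excluded_clients=EXCLUDED_CLIENTS):
        print(f"{hit['time']} {hit['client']} {hit['name']} -> IOC {hit['ioc']}")
```

Running it shows three true hits from the constructed log and, via `has_any_style_match`, that `gtn.az.example.org` would have been reported by the KQL `has_any` form even though `ioc_match` correctly ignores it. Exclusions are keyed on the querying client, which is how the tuning scenarios below should be implemented in Sentinel (`where ClientIP !in (...)` or `where Computer !in (...)`) rather than by wildcarding domains.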
Scenario: Legitimate domain used by a third-party service
Description: The listed domains are ordinary-looking websites (shop fronts, dashboards, staging hosts) rather than attacker-branded infrastructure, so a user, partner or integration may resolve one of them for a business reason, and a domain may remain in use after its owner has removed the malicious content.
Filter/Exclusion: Do not add wildcard exclusions such as *.example.com or *.cloudfront.net; no generic CDN or SaaS domain is in this list, so such rules only weaken the hunt. Verify the specific domain against a current ThreatFox lookup and the site owner, then exclude that exact domain with a documented reason and expiry.
Scenario: Scheduled job for system maintenance
Description: A scheduled task (backup, uptime monitor, crawler or link checker started by Task Scheduler or schtasks.exe) resolves one of the listed domains on a fixed interval, producing repeated alerts from a single host.
Filter/Exclusion: Periodic lookups at fixed intervals are also how a stealer beacons, so confirm the task and its binary on the host first. Once verified, exclude the specific Computer and Name pair rather than any domain wildcard; no Microsoft maintenance domain appears in the IOC list, so exclusions like *.windowsupdate.microsoft.com are unnecessary.
Scenario: Admin using a legitimate remote access tool
Description: Remote access tools such as LogMeIn, TeamViewer or AnyDesk resolve their own vendor domains, none of which are in the list, so the tool itself does not trigger the rule. The alert appears when an administrator or analyst uses such a session to visit a listed domain, typically while investigating an earlier hit.
Filter/Exclusion: Exclude by the Computer or ClientIP of sanctioned analysis or jump hosts, time-boxed to the investigation, rather than by *.logmein.com, *.teamviewer.com or *.anydesk.com, which would not affect this rule.
Scenario: Internal DNS resolution for internal services
Description: Internal names (e.g., internal-dns.corp.local, *.intra) cannot equal a listed public domain, but has_any matches the IOC as a phrase anywhere in the name, so a longer internal or split-horizon name that contains one of the IOCs (for example a host under a zone named after a listed domain) can trigger the rule.
Filter/Exclusion: Prefer matching on the exact name or on a parent-domain boundary (Name equals the IOC or ends with "." followed by the IOC) over has_any; if internal zones must be suppressed, filter on the internal DNS server or ClientIP range rather than on domain wildcards.
Scenario: False positive from a legitimate security tool
Description: A security tool (e.g., CrowdStrike, `