The ThreatFox StrelaStealer IOCs rule detects potential credential-stealing malware activity by identifying suspicious network communications with known malicious domains or IP addresses that ThreatFox links to StrelaStealer. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise and prevent data exfiltration.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 52
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | techel.co.ke | payload_delivery | 2026-04-25 | 100% |
| domain | tasheelbd.com | payload_delivery | 2026-04-25 | 100% |
| domain | somandodestinos.com.br | payload_delivery | 2026-04-25 | 100% |
| domain | smarketing.pe | payload_delivery | 2026-04-25 | 100% |
| domain | sklep.wisen.pl | payload_delivery | 2026-04-25 | 100% |
| domain | small-devices.com | payload_delivery | 2026-04-25 | 100% |
| domain | signnscanpdf.com | payload_delivery | 2026-04-25 | 100% |
| domain | shaurarodgers.com | payload_delivery | 2026-04-25 | 100% |
| domain | servidomestico.es | payload_delivery | 2026-04-25 | 100% |
| domain | screenox.in | payload_delivery | 2026-04-25 | 100% |
| domain | satavina.vn | payload_delivery | 2026-04-25 | 100% |
| domain | saraj.ba | payload_delivery | 2026-04-25 | 100% |
| domain | sales.wilderness-explorers.com | payload_delivery | 2026-04-25 | 100% |
| domain | salamancacooperativa.es | payload_delivery | 2026-04-25 | 100% |
| domain | rvbconsult.com.br | payload_delivery | 2026-04-25 | 100% |
| domain | ru.bergstreisser.com | payload_delivery | 2026-04-25 | 100% |
| domain | rosemarie.zerosoft.in | payload_delivery | 2026-04-25 | 100% |
| domain | rightbrainiacs.com | payload_delivery | 2026-04-25 | 100% |
| domain | reklamniplochytabor.cz | payload_delivery | 2026-04-25 | 100% |
| domain | reforcelog.com.br | payload_delivery | 2026-04-25 | 100% |
| domain | raica.ind.br | payload_delivery | 2026-04-25 | 100% |
| domain | radiationoncologycare.com | payload_delivery | 2026-04-25 | 100% |
| domain | marketingcomdende.com.br | payload_delivery | 2026-04-25 | 100% |
| domain | letnaturehelp.co.uk | payload_delivery | 2026-04-25 | 100% |
| domain | kacmazbilisim.com | payload_delivery | 2026-04-25 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
let malicious_domains = dynamic(["techel.co.ke", "tasheelbd.com", "somandodestinos.com.br", "smarketing.pe", "sklep.wisen.pl", "small-devices.com", "signnscanpdf.com", "shaurarodgers.com", "servidomestico.es", "screenox.in", "satavina.vn", "saraj.ba", "sales.wilderness-explorers.com", "salamancacooperativa.es", "rvbconsult.com.br", "ru.bergstreisser.com", "rosemarie.zerosoft.in", "rightbrainiacs.com", "reklamniplochytabor.cz", "reforcelog.com.br", "raica.ind.br", "radiationoncologycare.com", "marketingcomdende.com.br", "letnaturehelp.co.uk", "kacmazbilisim.com", "leapindustries.co.in", "larrywilson.cyber-demo-client-website2.com", "laptoprefurbish.com", "koishi.rs", "klik7tv.co.id", "khalsacarbazar.com", "keliahealthcare.co.uk", "keeninfocomm.com", "kampoenghijau.com", "jovilodge.com", "juelsminde-tennisklub.dk", "jademountains.net", "italianmedtranslations.com", "iptvb1g.com", "info.usdatacorporation.com", "impactunified.com", "english-studies.net", "edyunay.com", "eau-services.org", "easysoundhealing.com", "duocphamhd.com", "duandep.vn", "downtownladentalcare.yoursmarthost.net", "dominguezyasociados.com", "beautylizz.com.br"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
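The Sentinel query above only works where the DnsEvents connector is enabled. For environments where DNS logs are exported elsewhere (or to validate the IOC list offline before loading it into Sentinel), the following added example, which is not part of the ThreatFox rule page, matches query names against the domain IOCs with label-boundary suffix matching: a subdomain of an IOC (`mail.techel.co.ke`) is a hit, a lookalike string that merely ends in the same characters (`notsaraj.ba`) is not. It also emits the `dynamic([...])` literal the KQL `let` statement expects, so the list can be regenerated from one source of truth. The IOC subset and the DNS records are constructed sample data, not real telemetry.

```python
# Added example: offline IOC matching for the StrelaStealer domain list.
# Not part of the original rule page; sample data below is constructed.
from __future__ import annotations
import json

# Subset of the domain IOCs listed on the page (the full list is in the KQL query).
STRELASTEALER_DOMAINS = {
    "techel.co.ke", "tasheelbd.com", "saraj.ba", "screenox.in",
    "sales.wilderness-explorers.com", "kacmazbilisim.com",
}


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot that raw DNS query names often carry."""
    return name.strip().lower().rstrip(".")


def matches_ioc(query_name: str, iocs=STRELASTEALER_DOMAINS) -> str | None:
    """Return the IOC that query_name equals or is a subdomain of, else None.

    Matching walks label boundaries, so "cdn.tasheelbd.com" matches
    "tasheelbd.com" but "notsaraj.ba" does not match "saraj.ba".
    """
    labels = normalize(query_name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(dns_records, iocs=STRELASTEALER_DOMAINS):
    """Return the DnsEvents-style records whose Name matches an IOC, tagged with it."""
    hits = []
    for rec in dns_records:
        ioc = matches_ioc(rec.get("Name", ""), iocs)
        if ioc:
            hits.append({**rec, "MatchedIOC": ioc})
    return hits


def to_kql_dynamic(iocs) -> str:
    """Render the IOC set as the dynamic([...]) literal used in the KQL let statement."""
    return "dynamic([" + ", ".join(json.dumps(d) for d in sorted(iocs)) + "])"


# Constructed sample rows shaped like DnsEvents (TimeGenerated, Computer, Name, QueryType).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-04-25T09:12:01Z", "Computer": "WS-042", "Name": "techel.co.ke", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:12:07Z", "Computer": "WS-042", "Name": "cdn.tasheelbd.com.", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:13:30Z", "Computer": "WS-017", "Name": "notsaraj.ba", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:14:02Z", "Computer": "WS-017", "Name": "www.microsoft.com", "QueryType": "A"},
    {"TimeGenerated": "2026-04-25T09:15:45Z", "Computer": "WS-101", "Name": "SALES.Wilderness-Explorers.COM", "QueryType": "AAAA"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS):
        print(json.dumps(hit))
    print(to_kql_dynamic(STRELASTEALER_DOMAINS))
```

Triage the output the same way as the Sentinel results: the `MatchedIOC` column tells the analyst which ThreatFox entry fired, and the `Computer` value identifies the host to pivot on in process and network telemetry.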
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using schtasks.exe or Task Scheduler runs a script that mimics StrelaStealer’s behavior, such as downloading a file or establishing a connection.
Filter/Exclusion: Check for ProcessName = schtasks.exe or CommandLine contains "schtasks.exe /create" and verify if the script is part of a known legitimate maintenance task.
Scenario: Admin Tool for Network Monitoring
Description: A network monitoring tool like Wireshark or tcpdump is used to capture and analyze network traffic, which may include connections similar to those seen in StrelaStealer C2.
Filter/Exclusion: Filter events where ProcessName = wireshark.exe or ProcessName = tcpdump and confirm the traffic is part of a legitimate network analysis activity.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Microsoft Update or WSUS may temporarily establish outbound connections to download updates, which could be flagged as suspicious.
Filter/Exclusion: Check for ProcessName = wuauclt.exe or ProcessName = wuauserv and verify if the connection is related to a known update or patch deployment.
Scenario: Remote Administration Tool (RAT) Usage
Description: A legitimate remote administration tool like PsExec or Remote Desktop Services may be used to execute commands remotely, which could resemble StrelaStealer’s lateral movement.
Filter/Exclusion: Filter events where ProcessName = psexec.exe or ProcessName = mstsc.exe and validate that the activity is part of a sanctioned remote management process.
Scenario: Malicious Link in Phishing Email (False Positive)