The ThreatFox: XTinyLoader IOCs rule detects potential adversary activity involving the XTinyLoader malware, which is associated with initial access and command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: XTinyLoader
Total IOCs: 2
IOC Types: sha256_hash, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 3cea9df086d111a71c24822aa626380105347dd6d458ae7971557684bf12e097 | payload | 2026-06-09 | 100% |
| url | hxxp://196[.]251[.]107[.]104/geter/index.php | botnet_cc | 2026-06-09 | 100% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - XTinyLoader
let malicious_urls = dynamic(["http://196.251.107.104/geter/index.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XTinyLoader
let malicious_hashes = dynamic(["3cea9df086d111a71c24822aa626380105347dd6d458ae7971557684bf12e097"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| System update or patching process using Windows Update or WSUS | Exclude files signed by Microsoft or with file paths containing WindowsUpdate or WSUS |
| Legitimate use of PowerShell for administrative tasks such as user management or group policy configuration | Exclude PowerShell scripts with execution paths containing powershell.exe and command lines involving Add-User, Set-GP, or New-LocalUser |
| Scheduled job for log rotation or backup using Logrotate or Veeam | Exclude processes with command lines containing logrotate, veeam, or file paths in /var/log/ or backup directories |
| Use of Windows Task Scheduler to run maintenance scripts or system cleanup tasks | Exclude tasks with names or paths containing TaskScheduler, Cleanup, or Maintenance and associated with built-in Windows services |
| Deployment of Ansible or Chef for configuration management and system provisioning | Exclude files or processes with paths containing ansible-playbook, chef-solo, or roles/ directories used in standard DevOps workflows |
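The two hunting queries above and the first false-positive exclusion, reproduced offline in Python as an added example (not code from ThreatFox or from the rule's author): it refangs the defanged IOC values exactly as they appear in the IOC table, matches them against constructed records shaped like `UrlClickEvents` and `DeviceFileEvents` rows, and applies the "paths containing WindowsUpdate or WSUS" exclusion. The sample events, account names and device names are made up for this example; the hash and URL are the two IOCs from the table.

```python
import re

# The two IOCs from this rule's IOC table, in ThreatFox's defanged form.
THREATFOX_IOCS = [
    {"type": "sha256_hash",
     "value": "3cea9df086d111a71c24822aa626380105347dd6d458ae7971557684bf12e097"},
    {"type": "url", "value": "hxxp://196[.]251[.]107[.]104/geter/index.php"},
]

# Constructed sample telemetry shaped like the Sentinel tables the queries read.
# These rows are invented for this example; they are not real events.
SAMPLE_URL_CLICK_EVENTS = [
    {"Timestamp": "2026-06-10T08:01:00Z", "AccountUpn": "alice@example.test",
     "Url": "http://196.251.107.104/geter/index.php",
     "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-06-10T08:02:00Z", "AccountUpn": "bob@example.test",
     "Url": "https://www.example.test/geter/index.php",
     "ActionType": "ClickAllowed", "IsClickedThrough": True},
]
SAMPLE_DEVICE_FILE_EVENTS = [
    {"Timestamp": "2026-06-10T08:03:00Z", "DeviceName": "ws01", "FileName": "update.tmp",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\update.tmp",
     # Upper-case on purpose: KQL `in` is case-sensitive, so normalisation matters.
     "SHA256": "3CEA9DF086D111A71C24822AA626380105347DD6D458AE7971557684BF12E097",
     "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2026-06-10T08:04:00Z", "DeviceName": "ws02", "FileName": "installer.exe",
     "FolderPath": r"C:\Windows\Temp\WindowsUpdate\installer.exe",
     "SHA256": "3cea9df086d111a71c24822aa626380105347dd6d458ae7971557684bf12e097",
     "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-10T08:05:00Z", "DeviceName": "ws03", "FileName": "notes.txt",
     "FolderPath": r"C:\Users\carol\Documents\notes.txt",
     "SHA256": "0" * 64, "InitiatingProcessFileName": "notepad.exe"},
]


def refang(ioc: str) -> str:
    """Undo ThreatFox-style defanging (hxxp -> http, [.] -> ., [:] -> :) so the
    value matches what telemetry actually records."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def build_watchlists(iocs):
    """Split the IOC list into a hash set and a refanged URL set, both lower-cased."""
    hashes = {i["value"].lower() for i in iocs if i["type"].endswith("_hash")}
    urls = {refang(i["value"]).lower() for i in iocs if i["type"] == "url"}
    return hashes, urls


def hunt_url_clicks(events, urls):
    """Approximates `Url has_any (malicious_urls)` with a case-insensitive substring test."""
    return [e for e in events if any(u in e["Url"].lower() for u in urls)]


def hunt_file_events(events, hashes):
    """Mirrors `SHA256 in (malicious_hashes)`; lower-cases the event hash first so a
    differently-cased hash is not silently missed."""
    return [e for e in events if e["SHA256"].lower() in hashes]


PATCHING_PATH_MARKERS = ("windowsupdate", "wsus")


def apply_patching_exclusion(matches):
    """Applies the page's first false-positive scenario (paths containing WindowsUpdate
    or WSUS). Suppressed rows are returned separately rather than dropped, so an
    analyst can still review them: an exact hash match is rarely a true false positive."""
    kept, suppressed = [], []
    for m in matches:
        path = m["FolderPath"].lower()
        (suppressed if any(mk in path for mk in PATCHING_PATH_MARKERS) else kept).append(m)
    return kept, suppressed


def run_hunt(url_events=SAMPLE_URL_CLICK_EVENTS, file_events=SAMPLE_DEVICE_FILE_EVENTS):
    """Runs both hunts and returns the rows each would surface, newest first."""
    hashes, urls = build_watchlists(THREATFOX_IOCS)
    newest_first = lambda rows: sorted(rows, key=lambda r: r["Timestamp"], reverse=True)
    url_hits = hunt_url_clicks(url_events, urls)
    file_hits, suppressed = apply_patching_exclusion(hunt_file_events(file_events, hashes))
    return {"url_hits": newest_first(url_hits),
            "file_hits": newest_first(file_hits),
            "suppressed": newest_first(suppressed)}


if __name__ == "__main__":
    for kind, rows in run_hunt().items():
        print(f"{kind}: {len(rows)}")
        for r in rows:
            print("  ", r["Timestamp"], r.get("AccountUpn") or r["DeviceName"],
                  r.get("Url") or r["FolderPath"])
```

Running it surfaces the URL click from the constructed `alice` record and the file event on `ws01`, while the `ws02` hit lands in the suppressed list because its path contains `WindowsUpdate`. Because the hash list here holds only SHA256 values, the `SHA1`/`MD5` clauses in the page's second query cannot match anything; they only become useful once ThreatFox entries of those types are added to the list.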