The ThreatFox: XWorm IOCs rule detects potential multi-stage malware activity indicative of XWorm, which is used for persistence, data exfiltration, and lateral movement within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that leverage compromised credentials or supply chain compromises.
IOC Summary

Malware Family: XWorm
Total IOCs: 7
IOC Types: url, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://94[.]159[.]113[.]64/a.jpg | payload_delivery | 2026-05-27 | 90% |
| url | hxxp://94[.]159[.]113[.]64/b.jpg | payload_delivery | 2026-05-27 | 90% |
| sha256_hash | 37b0e82941af3a9c12e09991411d1b037b9dc516c99a447f1929039f6648d34f | payload | 2026-05-27 | 90% |
| sha256_hash | eb185ca03b1309eb280e66a53545ef8e899c90ebdbd7897c05c11fa9ae3d7dd2 | payload | 2026-05-27 | 90% |
| sha256_hash | 3142ab1bd28b53bb14e4b5edd918c734a2bcdceee81e76b44444d548a93abcb6 | payload | 2026-05-27 | 90% |
| sha256_hash | 12a7502e951fa4922df01a8d69f6dd4a19bbcfa0c0b421ce92888ced54611e3f | payload | 2026-05-27 | 90% |
| sha256_hash | 074e4567fbe1d97669b64d9fec23678ebbd27633812b37ae3b64271aa2546ba2 | payload | 2026-05-27 | 90% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XWorm
let malicious_urls = dynamic(["http://94.159.113.64/a.jpg", "http://94.159.113.64/b.jpg"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XWorm
// Every indicator in this feed is a SHA-256 digest, so only the SHA256 column is compared.
let malicious_hashes = dynamic(["37b0e82941af3a9c12e09991411d1b037b9dc516c99a447f1929039f6648d34f", "eb185ca03b1309eb280e66a53545ef8e899c90ebdbd7897c05c11fa9ae3d7dd2", "3142ab1bd28b53bb14e4b5edd918c734a2bcdceee81e76b44444d548a93abcb6", "12a7502e951fa4922df01a8d69f6dd4a19bbcfa0c0b421ce92888ced54611e3f", "074e4567fbe1d97669b64d9fec23678ebbd27633812b37ae3b64271aa2546ba2"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
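The IOC table above is published defanged (hxxp, [.]) while the queries need the live values, and a transcription slip in either direction silently turns a hunt into a no-op. As an added example that is not part of the ThreatFox feed or the original rule page, the Python below refangs and validates each table row (constructed copy of the rows above), deduplicates the values, and emits the KQL `let` lists and queries. The third query over DeviceNetworkEvents (RemoteUrl / RemoteIP) is an extra hunt that the original rule does not contain; it assumes the Microsoft Defender for Endpoint connector is ingesting that table into the workspace.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC table rows above, still defanged as published.
IOC_ROWS = [
    ("url", "hxxp://94[.]159[.]113[.]64/a.jpg"),
    ("url", "hxxp://94[.]159[.]113[.]64/b.jpg"),
    ("sha256_hash", "37b0e82941af3a9c12e09991411d1b037b9dc516c99a447f1929039f6648d34f"),
    ("sha256_hash", "eb185ca03b1309eb280e66a53545ef8e899c90ebdbd7897c05c11fa9ae3d7dd2"),
    ("sha256_hash", "3142ab1bd28b53bb14e4b5edd918c734a2bcdceee81e76b44444d548a93abcb6"),
    ("sha256_hash", "12a7502e951fa4922df01a8d69f6dd4a19bbcfa0c0b421ce92888ced54611e3f"),
    ("sha256_hash", "074e4567fbe1d97669b64d9fec23678ebbd27633812b37ae3b64271aa2546ba2"),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Reverse the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :, [/] -> /."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")


def normalize_ioc(ioc_type: str, value: str) -> str:
    """Return a validated, query-ready indicator or raise ValueError on a malformed one."""
    if ioc_type == "url":
        url = refang(value)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a usable URL after refanging: {value!r}")
        return url
    if ioc_type == "sha256_hash":
        digest = value.strip().lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        return digest
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def kql_string(value: str) -> str:
    """Quote a value as a KQL double-quoted string literal (escape backslash and quote)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def kql_dynamic(name: str, values: list) -> str:
    """Emit `let name = dynamic([...]);` with duplicates removed and order preserved."""
    unique = list(dict.fromkeys(values))
    return f"let {name} = dynamic([{', '.join(kql_string(v) for v in unique)}]);"


def build_hunt(rows: list) -> dict:
    """Turn (type, defanged value) rows into refanged lists and ready-to-run KQL."""
    urls, hashes = [], []
    for ioc_type, value in rows:
        (urls if ioc_type == "url" else hashes).append(normalize_ioc(ioc_type, value))
    # Hosts are derived from the URLs so network telemetry can still be checked
    # when only the destination address, not the full path, is recorded.
    hosts = list(dict.fromkeys(urlsplit(u).hostname for u in urls))
    url_query = "\n".join([
        "// Hunt for access to known malicious URLs (UrlClickEvents)",
        kql_dynamic("malicious_urls", urls),
        "UrlClickEvents",
        "| where Url has_any (malicious_urls)",
        "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough",
        "| order by Timestamp desc",
    ])
    hash_query = "\n".join([
        "// Hunt for files matching known malicious SHA-256 hashes (DeviceFileEvents)",
        kql_dynamic("malicious_hashes", hashes),
        "DeviceFileEvents",
        "| where SHA256 in (malicious_hashes)",
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
        "| order by Timestamp desc",
    ])
    # Assumption: the workspace ingests DeviceNetworkEvents from Defender for Endpoint.
    network_query = "\n".join([
        "// Hunt endpoint network telemetry for the payload host or URL (DeviceNetworkEvents)",
        kql_dynamic("malicious_urls", urls),
        kql_dynamic("malicious_hosts", hosts),
        "DeviceNetworkEvents",
        "| where RemoteUrl has_any (malicious_urls) or RemoteIP in (malicious_hosts)",
        "| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName",
        "| order by Timestamp desc",
    ])
    return {"urls": urls, "hashes": hashes, "hosts": hosts,
            "url_query": url_query, "hash_query": hash_query, "network_query": network_query}


if __name__ == "__main__":
    hunt = build_hunt(IOC_ROWS)
    for key in ("url_query", "hash_query", "network_query"):
        print(hunt[key], end="\n\n")
```

Running the script prints the three queries ready to paste into Sentinel. Because every row passes through `normalize_ioc`, a mistyped digest or a URL that did not refang cleanly raises before any query is generated, which is the check worth having when an IOC list is copied from a feed by hand.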
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job execution
Description: A legitimate scheduled job (e.g., schtasks.exe or Task Scheduler) is executing a script or command that matches the IOC pattern due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or Task Scheduler with known legitimate command-line arguments or file paths (e.g., C:\Windows\System32\svchost.exe or C:\Windows\System32\cmd.exe with specific arguments).
Scenario: Admin PowerShell script execution
Description: A system administrator is running a PowerShell script (e.g., PowerShell.exe) to perform routine system maintenance, configuration, or patching tasks, which may include command-line arguments that resemble XWorm IOCs.
Filter/Exclusion: Exclude processes launched by PowerShell.exe with a known legitimate script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with script paths in C:\Windows\System32\ or C:\Program Files\).
Scenario: Software update or patching activity
Description: A legitimate software update or patching process (e.g., msiexec.exe, setup.exe, or Windows Update) may trigger the rule due to similar file names or command-line arguments.
Filter/Exclusion: Exclude processes initiated by msiexec.exe, setup.exe, or wuauclt.exe with known update or patching command-line arguments (e.g., /quiet, /passive, or /norestart).
Scenario: Network discovery or inventory scan
Description: A network discovery tool (e.g., nmap.exe, tcpdump.exe, or Wireshark) is