ThreatFox: Unknown malware IOCs

Hunt Hypothesis

The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which may indicate the presence of advanced or novel threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware that could evade traditional detection methods.

IOC Summary

Malware Family: Unknown malware Total IOCs: 51 IOC Types: ip:port, md5_hash, sha256_hash, url, domain

Type	Value	Threat Type	First Seen	Confidence
sha256_hash	79ede42f58b0f72e5953c4fc0cbd250012e045d99704ac0e2e1ebf554a5a2d6e	payload	2026-05-09	75%
sha256_hash	aeac25a227301aedd78e3cd3937b73986750041e3295f178d365ae61c8ac64d9	payload	2026-05-09	75%
sha256_hash	194cda2a1d2c7c2b151e27d20c0429c22108f39540e4036d3b5056bbbea16fff	payload	2026-05-09	75%
sha256_hash	4a5d9078e6d4485a6aa89e35ca83cd743e038d74eb826bde725c5b2737e41a8a	payload	2026-05-09	75%
sha256_hash	1bcd3b49399526a3fb42330d89b123bf11ed8f27118a93e4187a64ad15e0a2eb	payload	2026-05-09	75%
sha256_hash	07a1be5f57473bdde2084ad0d04f9419e674a789790652f7e8e3a8e696d49e08	payload	2026-05-09	75%
md5_hash	e43b38b314acef0d158e99884cd5710f	payload	2026-05-09	75%
sha256_hash	4a1dd2bf737357ff4c32df5b739cc5d8bb0003bcb35fbacc3174d36b2ef77cc0	payload	2026-05-09	75%
url	hxxps://d.tmpfile.link/public/2026-05-09/4614e117-d7bb-46b1-9541-484fbe7315ff/ghhjgr.png	payload_delivery	2026-05-09	75%
domain	d.tmpfile.link	payload_delivery	2026-05-09	75%
url	hxxp://gotextileltd.com/gotextileltd.zip	payload_delivery	2026-05-09	75%
domain	gotextileltd.com	payload_delivery	2026-05-09	75%
domain	jensydesign.com	payload_delivery	2026-05-09	75%
sha256_hash	5a2b957a011901a7e88b8f96028ff004cad590455a36c4816d0f40007323cd01	payload	2026-05-09	75%
sha256_hash	68e81ce966ca0c016bb638d0d29b106a0da7eab2ddf70438d8182fa89baf5d78	payload	2026-05-09	75%
sha256_hash	d4c620b8fc7aca439861ce67b6f9132b89c2869887ac3f6a1b3008099e43b976	payload	2026-05-09	75%
sha256_hash	f488edb3c0e3e81d7a1d1a4721dc9817a04f65f1939a645172ba8197b8358b41	payload	2026-05-09	75%
url	hxxps://crackedsoftware.doxbin.cy/windows	payload_delivery	2026-05-09	90%
domain	mpd.hidayahnetwork.com	payload_delivery	2026-05-09	90%
url	hxxps://steamcommunity.com/profiles/76561198707628078	payload_delivery	2026-05-09	90%
url	hxxps://telegram.me/hgo9tx	payload_delivery	2026-05-09	90%
sha256_hash	2872ea2e8dcde72e2d906895d62d646961111519ffacd5832dcd2234f7f087d1	payload	2026-05-09	90%
url	hxxps://servicehstcmon.com/4b1786e5eb1812f6b3b01ac77deca041/hsts_mont.exe	payload_delivery	2026-05-09	85%
url	hxxp://servicehstcmon.com/step2.txt	payload_delivery	2026-05-09	85%
url	hxxp://servicehstcmon.com/step1.txt	payload_delivery	2026-05-09	85%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["137.184.217.241", "45.9.148.81", "137.184.76.141"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["137.184.217.241", "45.9.148.81", "137.184.76.141"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["d.tmpfile.link", "gotextileltd.com", "jensydesign.com", "mpd.hidayahnetwork.com", "servicehstcmon.com", "zai.gr.com", "claudecode.li", "chewy.gr.com", "openrouter.gr.com", "lowes.gr.com", "cursor.li", "deepseek.gr.com", "iaca.gr.com", "lmstudio.co.com", "qwen.co.com", "monerogui.gr.com", "gui.gr.com", "en-mymonero.gr.com", "monero.gr.com", "en-cakewallet.gr.com", "minimax.gr.com", "stackwallet.co.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://d.tmpfile.link/public/2026-05-09/4614e117-d7bb-46b1-9541-484fbe7315ff/ghhjgr.png", "http://gotextileltd.com/gotextileltd.zip", "https://crackedsoftware.doxbin.cy/windows", "https://steamcommunity.com/profiles/76561198707628078", "https://telegram.me/hgo9tx", "https://servicehstcmon.com/4b1786e5eb1812f6b3b01ac77deca041/hsts_mont.exe", "http://servicehstcmon.com/step2.txt", "http://servicehstcmon.com/step1.txt", "https://anakondabob.club/", "https://chubrik.sbs/", "https://corppop.shop/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["79ede42f58b0f72e5953c4fc0cbd250012e045d99704ac0e2e1ebf554a5a2d6e", "aeac25a227301aedd78e3cd3937b73986750041e3295f178d365ae61c8ac64d9", "194cda2a1d2c7c2b151e27d20c0429c22108f39540e4036d3b5056bbbea16fff", "4a5d9078e6d4485a6aa89e35ca83cd743e038d74eb826bde725c5b2737e41a8a", "1bcd3b49399526a3fb42330d89b123bf11ed8f27118a93e4187a64ad15e0a2eb", "07a1be5f57473bdde2084ad0d04f9419e674a789790652f7e8e3a8e696d49e08", "e43b38b314acef0d158e99884cd5710f", "4a1dd2bf737357ff4c32df5b739cc5d8bb0003bcb35fbacc3174d36b2ef77cc0", "5a2b957a011901a7e88b8f96028ff004cad590455a36c4816d0f40007323cd01", "68e81ce966ca0c016bb638d0d29b106a0da7eab2ddf70438d8182fa89baf5d78", "d4c620b8fc7aca439861ce67b6f9132b89c2869887ac3f6a1b3008099e43b976", "f488edb3c0e3e81d7a1d1a4721dc9817a04f65f1939a645172ba8197b8358b41", "2872ea2e8dcde72e2d906895d62d646961111519ffacd5832dcd2234f7f087d1", "46ebb08f2d47fa214d73507b34a5fec5", "f417187e20bddd4706df23cd04c5e100bf07bfc8014038e19e2f38a437956691"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
CommonSecurityLog	Ensure this data connector is enabled
DeviceFileEvents	Ensure this data connector is enabled
DeviceNetworkEvents	Ensure this data connector is enabled
DnsEvents	Ensure this data connector is enabled
UrlClickEvents	Ensure this data connector is enabled

References

• ThreatFox — Unknown malware

False Positive Guidance

• Scenario: Legitimate software update process
  Description: A system is downloading a legitimate software update from a known vendor, which coincidentally matches one of the IOCs in the ThreatFox list.
  Filter/Exclusion: process.name != "msiexec.exe" OR process.name != "setup.exe" OR process.name != "nsis.exe"

• Scenario: Scheduled system maintenance task
  Description: A scheduled task runs a script or tool that performs disk cleanup, log rotation, or system integrity check, which may involve IOCs like logrotate or cleanmgr.exe.
  Filter/Exclusion: process.name != "cleanmgr.exe" OR process.name != "logrotate" OR process.name != "task scheduler"

• Scenario: Admin using PowerShell for configuration management
  Description: An administrator is using PowerShell to configure system settings, which may involve IOCs such as PowerShell.exe or ps1 scripts that are benign but match the rule’s IOC list.
  Filter/Exclusion: process.name != "powershell.exe" OR process.user != "admin_user"

• Scenario: Database backup job execution
  Description: A database backup job is running, which may involve IOCs related to backup tools like sqlbackup.exe or mysqldump, which are legitimate but may trigger the rule.
  Filter/Exclusion: process.name != "sqlbackup.exe" OR process.name != "mysqldump" OR process.name != "backuptool.exe"

• Scenario: User running a legitimate security tool
  Description: A user is running a legitimate security tool like Malwarebytes, Bitdefender, or Kaspersky, which may have IOCs that match the ThreatFox list.
  Filter/Exclusion: `process.name != “mbam.exe”