The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may indicate the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 17 IOC Types: url, sha256_hash, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://littlewonderseeds.com/ | payload_delivery | 2026-05-20 | 90% |
| url | hxxps://91[.]92[.]240[.]197/download3/payload-reflective-installer-frank | botnet_cc | 2026-05-20 | 100% |
| domain | smackit.lat | payload_delivery | 2026-05-20 | 100% |
| ip:port | 91[.]92[.]243[.]189:443 | payload_delivery | 2026-05-20 | 75% |
| ip:port | 158[.]94[.]209[.]227:443 | payload_delivery | 2026-05-20 | 75% |
| ip:port | 178[.]16[.]55[.]153:443 | payload_delivery | 2026-05-20 | 75% |
| url | hxxp://178[.]16[.]55[.]153/JeffreyEpstein.zip | payload_delivery | 2026-05-20 | 75% |
| sha256_hash | 995d9f4dc5725d1301d7e4ac9943ac36dd8da13368381950880818c72f2bba61 | payload | 2026-05-20 | 75% |
| url | hxxps://bumblebeejaspercentre.org/ | payload_delivery | 2026-05-20 | 90% |
| ip:port | 170[.]130[.]165[.]57:443 | payload_delivery | 2026-05-20 | 90% |
| ip:port | 162[.]243[.]109[.]183:443 | payload_delivery | 2026-05-20 | 90% |
| domain | linkedby.org | payload_delivery | 2026-05-20 | 90% |
| domain | namlongland.net | payload_delivery | 2026-05-20 | 90% |
| domain | finger.linkedby.org | payload_delivery | 2026-05-20 | 90% |
| url | hxxp://linkedby.org/infos.php?fronts=1 | payload_delivery | 2026-05-20 | 90% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10 | payload_delivery | 2026-05-20 | 90% |
| url | hxxps://mjwildlife.ca/ | payload_delivery | 2026-05-20 | 90% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["170.130.165.57", "162.243.109.183", "91.92.243.189", "158.94.209.227", "178.16.55.153"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["170.130.165.57", "162.243.109.183", "91.92.243.189", "158.94.209.227", "178.16.55.153"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["smackit.lat", "linkedby.org", "namlongland.net", "finger.linkedby.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://littlewonderseeds.com/", "https://91.92.240.197/download3/payload-reflective-installer-frank", "http://178.16.55.153/JeffreyEpstein.zip", "https://bumblebeejaspercentre.org/", "http://linkedby.org/infos.php?fronts=1", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10", "https://mjwildlife.ca/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["995d9f4dc5725d1301d7e4ac9943ac36dd8da13368381950880818c72f2bba61"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude any IOCs that match known Microsoft update servers (e.g., download.microsoft.com, windowsupdate.microsoft.com).
Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a temporary file with a suspicious-looking name (e.g., config_update.sh).
Filter/Exclusion: Exclude files with names matching common DevOps tooling patterns or files in known deployment directories (e.g., /etc/ansible/, /tmp/).
Scenario: A database administrator is using SQL Server Agent to run a job that connects to a remote SQL server using a tool like sqlcmd.
Filter/Exclusion: Exclude connections to known internal SQL servers or IP ranges used by the organization’s database infrastructure.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes traffic to a known malicious IP address used in a controlled environment.
Filter/Exclusion: Exclude traffic originating from or destined to known internal test environments or IP ranges used for red teaming.
Scenario: A system administrator is using LogParser to analyze IIS logs and temporarily saves the output to a file with a suspicious name (e.g., log_analysis.txt).
Filter/Exclusion: Exclude files created by known log analysis tools or files located in log directories (e.g., /var/log/, /inetpub/logs/).