The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 34 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://114[.]132[.]190[.]121:8888/supershell/login/ | botnet_cc | 2026-05-06 | 100% |
| url | hxxps://truitpix9871.world/ext.f66368c3907c.js | payload_delivery | 2026-05-06 | 100% |
| url | hxxps://truitpix9871.world/ext-b[.]1c60f323a607.js | payload_delivery | 2026-05-06 | 100% |
| url | hxxps://truitpix9871.world/t[.]188cfd3975db.js | payload_delivery | 2026-05-06 | 100% |
| url | hxxps://truitpix9871.world/t.js | payload_delivery | 2026-05-06 | 100% |
| domain | truitpix9871.world | payload_delivery | 2026-05-06 | 100% |
| url | hxxps://www.bursanehirteknik.com/ | payload_delivery | 2026-05-06 | 90% |
| url | hxxps://www.refinishfirst.net/ | payload_delivery | 2026-05-06 | 90% |
| url | hxxps://caliphlebotomy.com/ | payload_delivery | 2026-05-06 | 90% |
| ip:port | 151[.]236[.]4[.]149:80 | payload_delivery | 2026-05-06 | 75% |
| domain | msnvm.us.com | payload_delivery | 2026-05-06 | 75% |
| url | hxxps://www.gavpn.com/ | payload_delivery | 2026-05-06 | 90% |
| url | hxxp://202[.]61[.]137[.]210:8888/supershell/login/ | botnet_cc | 2026-05-06 | 100% |
| ip:port | 202[.]61[.]137[.]210:8888 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 114[.]132[.]190[.]121:8888 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 145[.]241[.]198[.]20:80 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 109[.]123[.]239[.]180:12345 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 104[.]249[.]10[.]115:80 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 204[.]10[.]194[.]247:8765 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 204[.]10[.]194[.]247:9877 | botnet_cc | 2026-05-06 | 100% |
| url | hxxps://redsbuilding.com.au/ | payload_delivery | 2026-05-06 | 90% |
| ip:port | 179[.]43[.]140[.]114:8888 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 155[.]2[.]192[.]215:8888 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 96[.]9[.]124[.]111:8888 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 45[.]156[.]87[.]8:8888 | botnet_cc | 2026-05-06 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["145.241.198.20", "54.39.30.233", "45.156.87.8", "96.9.124.111", "158.94.209.188", "178.16.52.152", "45.87.249.150", "204.10.194.247", "114.132.190.121", "109.123.239.180", "139.60.162.100", "178.16.55.242", "155.2.192.215", "158.94.211.237", "202.61.137.210", "158.94.208.34", "179.43.140.114", "104.249.10.115", "151.236.4.149"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["145.241.198.20", "54.39.30.233", "45.156.87.8", "96.9.124.111", "158.94.209.188", "178.16.52.152", "45.87.249.150", "204.10.194.247", "114.132.190.121", "109.123.239.180", "139.60.162.100", "178.16.55.242", "155.2.192.215", "158.94.211.237", "202.61.137.210", "158.94.208.34", "179.43.140.114", "104.249.10.115", "151.236.4.149"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["truitpix9871.world", "msnvm.us.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://114.132.190.121:8888/supershell/login/", "https://truitpix9871.world/ext.f66368c3907c.js", "https://truitpix9871.world/ext-b.1c60f323a607.js", "https://truitpix9871.world/t.188cfd3975db.js", "https://truitpix9871.world/t.js", "https://www.bursanehirteknik.com/", "https://www.refinishfirst.net/", "https://caliphlebotomy.com/", "https://www.gavpn.com/", "http://202.61.137.210:8888/supershell/login/", "https://redsbuilding.com.au/", "https://goatcouture.org/wordpress/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using msiexec.exe to install Windows updates
Filter/Exclusion: process.name = msiexec.exe and process.args contains " /quiet" or " /passive"
Scenario: Scheduled job running task scheduler to execute a legitimate maintenance script
Filter/Exclusion: process.name = taskhost.exe and process.parent.name = task scheduler
Scenario: Admin using PowerShell to run a script for log rotation or backup
Filter/Exclusion: process.name = powershell.exe and process.args contains " -Command" or " -File" with known backup script paths
Scenario: Database backup using sqlcmd.exe or mysqldump
Filter/Exclusion: process.name = sqlcmd.exe or mysqldump and process.args contains " -b" or " --backup"
Scenario: IT admin using rsync or scp for file synchronization between servers
Filter/Exclusion: process.name = rsync or scp and process.args contains " --exclude" or " --backup" or " --delete"