The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators linked to malware that may evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise critical assets.
IOC Summary
Malware Family: Unknown malware Total IOCs: 90 IOC Types: ip:port, url, domain, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 54[.]187[.]35[.]128:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]224[.]144[.]82:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 45[.]90[.]120[.]36:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 192[.]169[.]7[.]17:27443 | botnet_cc | 2026-05-22 | 75% |
| url | hxxps://candipoker.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v12 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v11 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v9 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v8 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v7 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v5 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://candipoker.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7 | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5 | payload_delivery | 2026-05-22 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["51.81.101.212", "45.90.120.36", "216.126.225.129", "192.169.7.17", "46.224.144.82", "206.188.196.227", "54.187.35.128", "46.224.70.245", "143.14.9.56", "43.173.100.69", "34.61.52.162", "157.230.125.65", "145.223.69.152"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["51.81.101.212", "45.90.120.36", "216.126.225.129", "192.169.7.17", "46.224.144.82", "206.188.196.227", "54.187.35.128", "46.224.70.245", "143.14.9.56", "43.173.100.69", "34.61.52.162", "157.230.125.65", "145.223.69.152"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["live05ms.us", "msonlive.us", "editorfxmedia.com", "techevent.us", "teams.live05ms.us", "teams.msonlive.us", "teams.onlivecall.com", "razor2025.strangled.net", "meedeal.com", "yujinp.xyz", "teams.livesweb.us", "konizia.com", "hahletsgoagain.beer", "adzeta.monster", "travel-js-ns.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://candipoker.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v12", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v11", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v9", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v8", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v7", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v5", "https://candipoker.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7", "https://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5", "https://linkedco.net/infos.php?fronts=1", "https://www.creassociates.us/", "http://43.173.100.69:8888/supershell/login/", "https://microsmeet.xyz/api/mn/6676097740/update", "https://maik-freudenberg.de/", "https://biletors.cfd/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["0759904c16ff6d1f25be53e218f7bb13668a13cf5bd328375bb37941c2c94ab2", "d95bb7afd88d684dd99bb0c462fd7e0f81596baa2a2749263c7be4f09b4177ec", "0ae0517a518f277c67ae6959e8fb1e75a67ce3c2d1a86af084326f9a6c3c2839", "d72e75830ccb3a1bb80026081be1b775b3c2b18f91034277a27957a3a4e51632", "f630d779290a050dbc415863be303b8bb78dbe0bf4ff1ebae5fcbfddeace95b2", "4e71f0e1b1862492562f7ffada5c1d98e4d9c83cf63cd99636fb7f932d4cb4a7", "475a074242f7c58f55fdaa7c2773b1aaf448ce826a8fc98ee76f0dc88eba72b2", "d430141b6573335f2eaba7c9dad1729e182432f128c4311a962f77c12d48a82c", "2c14abd6082ec4929d7f375f7c264741355e4b28a402c7cf89caac37627e2739", "bf1c796dbb2b7d6d3b6820fccd6a5bcd127c0296754680f3f7d067bcca56b1b4", "d6aea182e02b91f804b3b80b9e4a754d818c25b5540bfc2f67117d15755dee00", "3abe2587ac04cc71fae274401e13cbc6aaa937e4cd76a2c910c2e906bf35988e", "a96edc7a4d5f768974db6100febf6fc7b3628faca3a277e12b3c055ea2707fe6", "b6c95e309ebef7dc253970dec65289cf207ff713594ae33381642f6ac1db27e4", "8a274a2de294dfbc889c5fb4475a1fed986a72eeb75e0f74356bd4f686b69a76", "ef36aa66e953dfe4a92e1fca37d4a49b481a10f257ea8436b93e3a5738416493", "756935b429ab86b428037aaf8d2b4adbb16316472c413730869c1a00a9b0d834", "e1c662e5b751306a036fb5de530ca06220ecc6fd2bae8edde3502cbd69222696", "2f88f94208b77bb61382494f0c3258e17b28302f7adbe5e3137adadd1504e616", "8351db34b7d7f09b7bb38ca3f520f34f48d4cf319ae4629e07a352520e604b78", "dc042f848b0cc33903c831e90aae8cdcc0fdaa30c3036e08397ae9df86af7ef8", "0fc7aba0497bf6b84fe63cf433f17341fc3629fd76c192108dabfd5b54008b6d", "5f4471ee42781ef21b69139e0f68af0954c149a3f1e2bf68daf838b025bb3d16", "55802196927754c446ae6bb3596f922b312ab19af8db8270a175c7dcfd286325", "b735ba784645811d1a8f965f7094c68465c8bbead033a5f9ef612f1bcfe9d454", "c54237095cc681cec78f8291055ee2c5c1260d6aedf781fd6e31116ae0a077ef", "f1be89b6f429456d5c653007e7c2d1c7805c86891f0bf2faec71d96904f0e973", "da6d18fa9aef1ec337bca6e15675ce0db764c8d67345e8eed55c6c8ddfcf9967", "98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f", "e70e2ca57d3ac6941b419b621cf144d4c3de70dcbaf09446bd3b7d2ead69399f", "9985205911ef112161c34c2fd949e5351375f27ee1dce33eaca6e03ef7968537", "9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63", "c21ad347e05405bc23f7efc6022f03951fab7461e7d52661d579a9c651cbf0d2", "23e04d32fec762b39dfadc746ee73f22ca83580f30aa8c69fec24afe79f87320"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate software update process
Description: A scheduled job runs to pull updates for a known enterprise application (e.g., Microsoft Windows Update, Adobe Acrobat Reader) which may include benign IOCs.
Filter/Exclusion: Exclude IOCs related to known update servers (e.g., update.microsoft.com, adobe.com) or use a filter for process.name containing “update” or “patch”.
Scenario: System backup and restore operations
Description: A backup tool (e.g., Veeam, Acronis) or system restore process may generate IOCs that match the unknown malware list, such as network transfers or file access patterns.
Filter/Exclusion: Exclude IOCs involving backup directories (e.g., /backup, /vmbackups) or use a filter for process.name containing “backup” or “restore”.
Scenario: Admin task for log collection and analysis
Description: An admin task (e.g., using Splunk, ELK Stack, or Graylog) may involve IOCs like file access to log directories or network connections to log aggregation servers.
Filter/Exclusion: Exclude IOCs related to log management tools (e.g., splunk.com, graylog.org) or filter by process.name containing “log” or “collector”.
Scenario: Scheduled job for malware scanning
Description: A scheduled job (e.g., using Windows Defender, CrowdStrike, or CrowdStrike Falcon) may generate IOCs during a full system scan, such as temporary file creation or network communication with the endpoint protection server.
Filter/Exclusion: Exclude IOCs related to endpoint protection tools (e.g., falcon.crowdstrike.com, microsoft.com) or use a filter for process.name containing “antivirus” or “scanner”.