The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which could signal the presence of novel or zero-day threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 52
IOC Types: domain, url, sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | mikolirentryifosttry.info | botnet_cc | 2026-05-08 | 49% |
| url | hxxps://serverconect.cc/update/bin/loader.exe | botnet_cc | 2026-05-08 | 49% |
| domain | transcloud.cc | botnet_cc | 2026-05-08 | 49% |
| domain | jollymccalister.lol | botnet_cc | 2026-05-08 | 49% |
| domain | zkevopenanu.cfd | botnet_cc | 2026-05-08 | 49% |
| domain | rr3ueff.pw | botnet_cc | 2026-05-08 | 49% |
| domain | www.drivelivelime.com | botnet_cc | 2026-05-08 | 49% |
| url | hxxps://www.drivelivelime.com/x | botnet_cc | 2026-05-08 | 49% |
| url | hxxps://www.drivelivelime.com/p | botnet_cc | 2026-05-08 | 49% |
| domain | msiidentity.com | botnet_cc | 2026-05-08 | 49% |
| url | hxxps://msiidentity.com/pw | botnet_cc | 2026-05-08 | 49% |
| domain | trafficmanagerupdate.com | botnet_cc | 2026-05-08 | 49% |
| url | hxxp://trafficmanagerupdate.com/index.php | botnet_cc | 2026-05-08 | 49% |
| domain | update-kaspersky.workers.dev | botnet_cc | 2026-05-08 | 49% |
| domain | cyrex-cheats.net | payload_delivery | 2026-05-08 | 100% |
| ip:port | 94[.]26[.]90[.]190:5000 | botnet_cc | 2026-05-08 | 75% |
| domain | remotev2.whpayment.ru | botnet_cc | 2026-05-08 | 100% |
| url | hxxps://remotev2.whpayment.ru/ws/client | botnet_cc | 2026-05-08 | 100% |
| ip:port | 62[.]169[.]25[.]116:7443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 45[.]79[.]163[.]107:7443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 45[.]56[.]91[.]55:2005 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 209[.]38[.]110[.]161:7443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 167[.]114[.]129[.]165:7443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 108[.]61[.]193[.]141:7443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 113[.]31[.]118[.]180:7443 | botnet_cc | 2026-05-08 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["167.114.129.165", "108.61.193.141", "45.56.91.55", "45.79.163.107", "45.128.36.194", "62.169.25.116", "113.31.118.180", "192.253.248.13", "143.20.185.98", "132.243.221.89", "94.26.90.190", "45.86.162.238", "209.38.110.161"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["167.114.129.165", "108.61.193.141", "45.56.91.55", "45.79.163.107", "45.128.36.194", "62.169.25.116", "113.31.118.180", "192.253.248.13", "143.20.185.98", "132.243.221.89", "94.26.90.190", "45.86.162.238", "209.38.110.161"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["mikolirentryifosttry.info", "transcloud.cc", "jollymccalister.lol", "zkevopenanu.cfd", "rr3ueff.pw", "www.drivelivelime.com", "msiidentity.com", "trafficmanagerupdate.com", "update-kaspersky.workers.dev", "cyrex-cheats.net", "remotev2.whpayment.ru", "order.mkdaddy.com", "artcnb.com", "re104.artcnb.com", "whpayment.ru", "ludex.cc", "chh1-ac0a3-default-rtdb.firebaseio.com", "whatsappcenter.com", "ch-ap-4-default-rtdb.firebaseio.com", "call-history-7cda4-default-rtdb.firebaseio.com", "call-history-ecc1e-default-rtdb.firebaseio.com", "ssjscrybootstrup.beer", "monter-steaming.digital"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://serverconect.cc/update/bin/loader.exe", "https://www.drivelivelime.com/x", "https://www.drivelivelime.com/p", "https://msiidentity.com/pw", "http://trafficmanagerupdate.com/index.php", "https://remotev2.whpayment.ru/ws/client", "https://re104.artcnb.com/down", "https://github.com/MoonlightPumpkin/API_SETTINGS", "https://monter-steaming.digital/script.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
// All indicators in this feed are SHA-256, so only the SHA256 column is compared;
// matching them against SHA1 or MD5 columns can never hit.
let malicious_hashes = dynamic(["b95b53eff7f1dc4426ed60932910aeb66552083197048d31154f950eb32c65b8", "4aa3b4429eeaa8bf734dd6bb3527f8ee2454bd66f4649f7102ab179214d85dc4", "f93918bae376298c7db3e377796057fb35733b38c59edb4a69f771e17b48deef", "72feb64186e4d4335512e637753ef63ec266b0c339f992c9f2ce76639d9a8a4e", "7521203828dd16a0b4cc65f34c6ee5871f3200b43fa46917ece5f334e946885f"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
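The IOC table on this page is defanged (hxxps://, 94[.]26[.]90[.]190:5000) while the KQL `let` arrays need clean values grouped by type. The following is an added helper, not part of the ThreatFox feed or this page's queries, that refangs a markdown IOC table in this layout and renders the `let` statements; the sample rows are constructed from the table above, and the variable names follow the queries on this page.

```python
"""Refang the defanged IOC table on this page and emit the KQL `let` arrays
the Sentinel queries expect (ip:port rows contribute the IP only)."""
import json
import re

# Constructed sample: three rows in the table's markdown layout.
SAMPLE_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | www.drivelivelime.com | botnet_cc | 2026-05-08 | 49% |
| url | hxxps://www.drivelivelime.com/x | botnet_cc | 2026-05-08 | 49% |
| ip:port | 94[.]26[.]90[.]190:5000 | botnet_cc | 2026-05-08 | 75% |
"""

# Table type -> variable name used by the KQL queries on this page.
KQL_VAR = {"domain": "malicious_domains", "url": "malicious_urls",
           "ip:port": "malicious_ips", "sha256_hash": "malicious_hashes"}


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(markdown: str) -> dict[str, list[str]]:
    """Return {ioc_type: [clean values]} for each data row of a markdown IOC table."""
    out: dict[str, list[str]] = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header and separator rows carry no indicators
        ioc_type, value = cells[0], refang(cells[1])
        if ioc_type == "ip:port":
            value = value.rsplit(":", 1)[0]  # queries match on IP columns, not ports
        out.setdefault(ioc_type, []).append(value)
    return out


def to_kql_lets(iocs: dict[str, list[str]]) -> str:
    """Render one `let` statement per IOC type, ready to paste above a query."""
    return "\n".join(f"let {KQL_VAR[t]} = dynamic({json.dumps(v)});"
                     for t, v in iocs.items())


if __name__ == "__main__":
    print(to_kql_lets(parse_ioc_table(SAMPLE_TABLE)))
```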
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that queries ThreatFox for known indicators of compromise (IOCs) as part of routine security hygiene.
Filter/Exclusion: Exclude PowerShell scripts that call Invoke-WebRequest with the URL https://threatfox-api.threatgrid.com/api/v1/indicators and are executed by the System or Administrator account.
Scenario: A Windows Task Scheduler job is configured to run a PowerShell script that periodically checks for new IOCs from ThreatFox as part of an automated security monitoring process.
Filter/Exclusion: Exclude tasks that are scheduled under the Task Scheduler service and have a command line containing threatfox-api.threatgrid.com and are associated with a known security tool or monitoring script.
Scenario: A SIEM or SOC analyst is using Splunk to query ThreatFox for IOCs related to a recent incident, and the query is triggering the rule due to the presence of known indicators in the dataset.
Filter/Exclusion: Exclude queries that originate from the Splunk search head and include the keyword threatfox-api.threatgrid.com in the search string, especially when used in the context of incident response or threat intelligence analysis.
Scenario: A Windows Admin Center or PowerShell DSC configuration is being used to deploy a Microsoft Defender ATP update that includes IOCs from ThreatFox as part of a patching process.
Filter/Exclusion: Exclude any activity related to Microsoft Defender ATP updates or PowerShell DSC configurations that reference threatfox-api.threatgrid.com and are initiated by the System or Local System account.
Scenario: A DevOps pipeline