← Back to SOC feed Coverage →

ThreatFox: Unknown malware IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceFileEventsDeviceNetworkEventsDnsEventsUrlClickEvents
iocthreatfoxunknown
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 31 IOCs associated with Unknown malware

IOC Summary

Malware Family: Unknown malware Total IOCs: 31 IOC Types: sha256_hash, domain, ip:port, url

TypeValueThreat TypeFirst SeenConfidence
ip:port18[.]118[.]91[.]208:80botnet_cc2026-03-19100%
ip:port86[.]54[.]42[.]175:5555botnet_cc2026-03-18100%
ip:port92[.]113[.]25[.]185:80botnet_cc2026-03-18100%
ip:port71[.]131[.]51[.]37:443botnet_cc2026-03-18100%
ip:port62[.]113[.]41[.]93:7443botnet_cc2026-03-18100%
ip:port102[.]117[.]171[.]207:7443botnet_cc2026-03-18100%
urlhxxps://oiliver.gr/merrypayload_delivery2026-03-1850%
sha256_hash17661A7D0C3DECA24B2EF18F48D61326FADFBF0069D045B5D51F294526280C53payload2026-03-18100%
sha256_hashA0C4488B50FDD493A8652F2B5A89B7AFAF0F7EA09021719D257AEEB0ED53E1E2payload2026-03-18100%
sha256_hashA53B7CC73481DC89A9876638490CE86C3ECE09D9F6454B037831AAD1326C5F07payload2026-03-18100%
urlhxxps://bestwirelessus.com/wp-includes/pomo/System.ps1payload_delivery2026-03-18100%
urlhxxps://bestwirelessus.com/wp-includes/pomo/Service.ps1payload_delivery2026-03-18100%
urlhxxps://bestwirelessus.com/wp-includes/pomo/Woba.exepayload_delivery2026-03-18100%
urlhxxps://bestwirelessus.com/wp-includes/pomo/Eritrea.exepayload_delivery2026-03-18100%
urlhxxps://bestwirelessus.com/wp-includes/pomo/Omise.exepayload_delivery2026-03-18100%
domainbestwirelessus.compayload_delivery2026-03-18100%
urlhxxps://secureportal777.com/ltluegalgveghzmpfppayload_delivery2026-03-18100%
urlhxxps://secureportal777.com/vrtevpfvohxeyyonwypayload_delivery2026-03-18100%
domainsecureportal777.compayload_delivery2026-03-18100%
urlhxxps://step-secure.bibusdarken.workers.dev/api/css.jspayload_delivery2026-03-18100%
domainstep-secure.bibusdarken.workers.devpayload_delivery2026-03-18100%
urlhxxps://init-static.seccheckclod.workers.dev/api/css.jspayload_delivery2026-03-18100%
domaininit-static.seccheckclod.workers.devpayload_delivery2026-03-18100%
domainairdrop.paradex-sale.latpayload_delivery2026-03-18100%
domainwaronusdt1.worldpayload_delivery2026-03-18100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["92.113.25.185", "62.113.41.93", "71.131.51.37", "102.117.171.207", "18.118.91.208", "86.54.42.175"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["92.113.25.185", "62.113.41.93", "71.131.51.37", "102.117.171.207", "18.118.91.208", "86.54.42.175"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["bestwirelessus.com", "secureportal777.com", "step-secure.bibusdarken.workers.dev", "init-static.seccheckclod.workers.dev", "airdrop.paradex-sale.lat", "waronusdt1.world", "lucialabs.lol", "gotestcoin.digital", "housecoin.run", "elizaos16z.lol", "kimchicoin.live", "elizaos.run"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://oiliver.gr/merry", "https://bestwirelessus.com/wp-includes/pomo/System.ps1", "https://bestwirelessus.com/wp-includes/pomo/Service.ps1", "https://bestwirelessus.com/wp-includes/pomo/Woba.exe", "https://bestwirelessus.com/wp-includes/pomo/Eritrea.exe", "https://bestwirelessus.com/wp-includes/pomo/Omise.exe", "https://secureportal777.com/ltluegalgveghzmpfp", "https://secureportal777.com/vrtevpfvohxeyyonwy", "https://step-secure.bibusdarken.workers.dev/api/css.js", "https://init-static.seccheckclod.workers.dev/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["17661A7D0C3DECA24B2EF18F48D61326FADFBF0069D045B5D51F294526280C53", "A0C4488B50FDD493A8652F2B5A89B7AFAF0F7EA09021719D257AEEB0ED53E1E2", "A53B7CC73481DC89A9876638490CE86C3ECE09D9F6454B037831AAD1326C5F07"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceFileEventsEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/unknown/