The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity associated with a previously unknown stealer malware, likely used for exfiltrating sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before data is exfiltrated or further damage occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]215[.]85[.]121:5051 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 193[.]143[.]1[.]131:5051 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 193[.]143[.]1[.]24:5051 | botnet_cc | 2026-05-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown Stealer
// Note: the IOCs are ip:port pairs (port 5051); this query matches the IP on any
// port, so check DestinationPort in the results before escalating.
let malicious_ips = dynamic(["193.143.1.24", "91.215.85.121", "193.143.1.131"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: as above, this matches the IP on any port; RemotePort is projected so the
// 5051 hits from the IOC list can be told apart from other traffic to these hosts.
let malicious_ips = dynamic(["193.143.1.24", "91.215.85.121", "193.143.1.131"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
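The queries above match on the IP alone. As an added example (not part of the ThreatFox feed or this rule's own queries), the following Python refangs the ip:port IOCs from the table, validates them, and emits a KQL filter on the exact IP and port pair, so traffic to one of these hosts on a different port is not flagged by the same hunt. The table and column names are the ones used above; the function and variable names are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample input: the three ip:port IOCs from the table above,
# in ThreatFox's defanged form (dots written as "[.]").
DEFANGED_IOCS = [
    "91[.]215[.]85[.]121:5051",
    "193[.]143[.]1[.]131:5051",
    "193[.]143[.]1[.]24:5051",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(ioc: str) -> str:
    """Undo ThreatFox-style defanging: '91[.]215[.]85[.]121:5051' -> '91.215.85.121:5051'."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split a (possibly defanged) ip:port IOC; raise ValueError on anything malformed."""
    ip, sep, port = refang(ioc).rpartition(":")
    m = _IPV4.match(ip)
    if not sep or not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not a valid ip:port IOC: {ioc!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in IOC: {ioc!r}")
    return ip, int(port)


def build_kql(iocs: Iterable[str], table: str, ip_col: str, port_col: str,
              project: List[str]) -> str:
    """Emit a KQL hunt that matches the exact ip:port pair rather than the IP alone."""
    pairs = sorted({parse_ip_port(i) for i in iocs})  # de-duplicate and order
    literals = ", ".join(f'"{ip}:{port}"' for ip, port in pairs)
    return "\n".join([
        f"let malicious_endpoints = dynamic([{literals}]);",
        table,
        f'| where strcat({ip_col}, ":", tostring({port_col})) in (malicious_endpoints)',
        f"| project {', '.join(project)}",
    ])


if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS, "DeviceNetworkEvents", "RemoteIP", "RemotePort",
                    ["Timestamp", "DeviceName", "RemoteIP", "RemotePort",
                     "InitiatingProcessFileName", "ActionType"]))
```

Swap in `CommonSecurityLog`, `DestinationIP` and `DestinationPort` to produce the CEF-side variant.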
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate package that matches one of the IOCs (e.g., choco install <package-name>).
Filter/Exclusion: Exclude processes initiated by choco or packages signed by official Chocolatey repositories.
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a script that uses a tool like logrotate or rsyslog which may have a file path or command that matches an IOC.
Filter/Exclusion: Exclude processes with logrotate, rsyslog, or syslog-ng in the command line or process name.
Scenario: Admin Task Using PowerShell for Configuration Management
Description: An admin uses PowerShell to configure a service or update a configuration file, which may include a command or file path that matches an IOC.
Filter/Exclusion: Exclude PowerShell scripts or commands executed by PowerShell.exe with -Command or -File parameters that match known admin tools or scripts.
Scenario: Legitimate Software Installation via MSI
Description: A user installs a legitimate software package using an MSI installer, which may have a file name or registry key that matches an IOC.
Filter/Exclusion: Exclude processes initiated by msiexec.exe or files with .msi extensions.
Scenario: Network Monitoring Tool Using Wireshark
Description: A network analyst uses Wireshark to capture and analyze traffic, which may include a file path or command that matches an IOC.
Filter/Exclusion: Exclude processes with wireshark.exe or tshark.exe in the command line or process name.