The ThreatFox: Stealc IOCs rule detects potential adversary activity involving the Stealc malware by identifying associated indicators of compromise, which are commonly used in targeted attacks to exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data breaches and lateral movement within the network.
IOC Summary
- Malware Family: Stealc
- Total IOCs: 2
- IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]239[.]144[.]221:80 | botnet_cc | 2026-05-17 | 75% |
| url | hxxp://144[.]31[.]57[.]65/2a7400fe251b4b4687fe.php | botnet_cc | 2026-05-17 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Stealc
let malicious_ips = dynamic(["85.239.144.221"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Stealc
let malicious_ips = dynamic(["85.239.144.221"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Stealc
let malicious_urls = dynamic(["http://144.31.57.65/2a7400fe251b4b4687fe.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
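The queries above hard-code refanged values that were copied by hand from the defanged IOC table. The following added example (not code from the original page or from ThreatFox) automates that step: it parses the table layout shown above, refangs the values, splits the `ip:port` indicator into address and port, and renders the KQL `let` lists. It also builds a `DeviceNetworkEvents` hunt that joins on address and port together, since the feed reports `85.239.144.221:80` rather than the bare IP. All function and class names (`Ioc`, `refang`, `parse_ioc_table`, `kql_let`, `build_endpoint_hunt`, `build_url_hunt`) are this example's own assumptions.

```python
"""Refang ThreatFox-style IOCs and emit KQL hunt fragments for Microsoft Sentinel.

Added example, not part of the original page or the ThreatFox project. Assumes the
table layout used above: | Type | Value | Threat Type | First Seen | Confidence |.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two Stealc rows from the IOC table above, still defanged.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]239[.]144[.]221:80 | botnet_cc | 2026-05-17 | 75% |
| url | hxxp://144[.]31[.]57[.]65/2a7400fe251b4b4687fe.php | botnet_cc | 2026-05-17 | 100% |
"""

KNOWN_TYPES = {"ip:port", "url", "domain"}


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str            # refanged value; for ip:port the address only
    confidence: int       # percent, as reported by the feed
    port: Optional[int] = None


def refang(value: str) -> str:
    """Undo the common defanging used in IOC feeds: [.] -> ., (dot) -> ., hxxp -> http."""
    value = value.replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> list:
    """Parse the markdown IOC table; header and separator rows are skipped."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] not in KNOWN_TYPES:
            continue
        ioc_type, raw, _threat, _first_seen, conf = cells[:5]
        value = refang(raw)
        port = None
        if ioc_type == "ip:port":
            # "85.239.144.221:80" -> address and integer port
            value, _, port_str = value.rpartition(":")
            port = int(port_str)
        iocs.append(Ioc(ioc_type, value, int(conf.rstrip("%")), port))
    return iocs


def kql_let(name: str, values: list) -> str:
    """Render a KQL `let name = dynamic([...]);` line, quoting each value."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_endpoint_hunt(iocs: list, min_confidence: int = 50) -> str:
    """DeviceNetworkEvents hunt that matches remote address AND port together.

    Joining on the port as well as the address keeps unrelated traffic to a
    shared host (other services on the same IP) out of the results.
    """
    kept = [i for i in iocs if i.ioc_type == "ip:port" and i.confidence >= min_confidence]
    rows = ", ".join(f'"{i.value}", {i.port}' for i in kept)
    return "\n".join([
        f"let ioc_endpoints = datatable(RemoteIP:string, RemotePort:int) [{rows}];",
        "DeviceNetworkEvents",
        "| join kind=inner ioc_endpoints on RemoteIP, RemotePort",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])


def build_url_hunt(iocs: list, min_confidence: int = 50) -> str:
    """DeviceNetworkEvents hunt on RemoteUrl for the URL indicators."""
    urls = [i.value for i in iocs if i.ioc_type == "url" and i.confidence >= min_confidence]
    return "\n".join([
        kql_let("malicious_urls", urls),
        "DeviceNetworkEvents",
        "| where RemoteUrl has_any (malicious_urls)",
        "| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])


if __name__ == "__main__":
    parsed = parse_ioc_table(IOC_TABLE)
    print(build_endpoint_hunt(parsed))
    print()
    print(build_url_hunt(parsed))
```

The `min_confidence` threshold lets a team drop low-confidence rows from the feed before they reach a scheduled analytics rule; the defaults here keep both Stealc rows (75% and 100%).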
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios
These exclusions key on the literal string "stealc" in process or file fields, which can appear in benign tooling. The hunting queries above match on IP and URL indicators, so an exclusion only applies where a query inspects those fields. Each filter is written as the condition an event must satisfy to be kept, so its clauses are joined with "and" (joined with "or", a filter such as process.name != "tcpdump" or process.name != "wireshark" is true for every event and excludes nothing).

Scenario: Legitimate scheduled job using stealc as part of a script
Description: A scheduled job runs a script that includes the string "stealc" as part of a legitimate tool or script name.
Filter/Exclusion: process.name != "stealc" and process.args !~ "stealc"

Scenario: Admin task using stealc in a log file parsing script
Description: An admin script parses log files and includes the term "stealc" in a regex pattern for log analysis.
Filter/Exclusion: process.name != "log_parser" and process.args !~ "stealc"

Scenario: Use of stealc in a legitimate security tool's configuration
Description: A security tool's configuration file references "stealc" as part of a known threat indicator or test case.
Filter/Exclusion: process.name != "security_tool_config" and file.name != "config.yaml"

Scenario: False positive from a third-party tool's output
Description: A third-party tool (e.g., tcpdump, Wireshark, or netstat) outputs "stealc" as part of a network protocol or packet analysis.
Filter/Exclusion: process.name != "tcpdump" and process.name != "wireshark"

Scenario: Legitimate use of stealc in a development environment
Description: A developer uses "stealc" as a placeholder or variable name in a test script or codebase.
Filter/Exclusion: process.name != "dev_script.sh" and file.name != "test_script.sh"