The ThreatFox: StrelaStealer IOCs rule detects potential command and control activity associated with the StrelaStealer malware, leveraging known indicators to identify compromised endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate sensitive data.
IOC Summary

Malware Family: StrelaStealer
Total IOCs: 8
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | trashmonkey.net | payload_delivery | 2026-05-17 | 100% |
| domain | acb.im | payload_delivery | 2026-05-17 | 75% |
| domain | asasys.com.br | payload_delivery | 2026-05-17 | 75% |
| domain | iesoretania.es | payload_delivery | 2026-05-17 | 75% |
| domain | nintendomaine.com | payload_delivery | 2026-05-17 | 75% |
| domain | holanuevazelanda.com | payload_delivery | 2026-05-17 | 75% |
| domain | w3p.co.in | payload_delivery | 2026-05-17 | 75% |
| domain | boutiquebristol.ba | payload_delivery | 2026-05-17 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
let malicious_domains = dynamic(["trashmonkey.net", "acb.im", "asasys.com.br", "iesoretania.es", "nintendomaine.com", "holanuevazelanda.com", "w3p.co.in", "boutiquebristol.ba"]);
DnsEvents
// has_any is a case-insensitive whole-term match against the queried name
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
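The same hunt can be run outside Sentinel, for example over DNS events exported to CSV from a workspace or collected from a resolver. The script below is an added example, not part of the ThreatFox listing or the rule page; it assumes the column layout of the query's `project` clause (TimeGenerated, Computer, Name, IPAddresses, QueryType) and uses constructed sample events. Unlike a plain substring search, it matches a query name only when it equals one of the listed domains or is a subdomain of one, so a look-alike such as `trashmonkey.network` does not produce a hit:

```python
"""Offline check of DNS query records against the ThreatFox StrelaStealer domain IOCs."""
from __future__ import annotations

import csv
import io

# The eight domains from the IOC table above.
IOC_DOMAINS = {
    "trashmonkey.net", "acb.im", "asasys.com.br", "iesoretania.es",
    "nintendomaine.com", "holanuevazelanda.com", "w3p.co.in", "boutiquebristol.ba",
}

# Constructed sample export (hypothetical hosts and documentation-range IPs).
SAMPLE_DNS_CSV = """TimeGenerated,Computer,Name,IPAddresses,QueryType
2026-05-18T08:01:12Z,WS-0123,trashmonkey.net,203.0.113.10,A
2026-05-18T08:03:45Z,WS-0456,cdn.w3p.co.in,198.51.100.7,A
2026-05-18T08:05:00Z,WS-0789,trashmonkey.network,192.0.2.25,A
2026-05-18T08:06:30Z,WS-0123,login.example.org,198.51.100.200,A
2026-05-18T08:07:10Z,SRV-01,acb.im.,203.0.113.55,AAAA
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot, as resolvers often log it."""
    return name.strip().rstrip(".").lower()


def matches_ioc(qname: str, iocs: set[str] = IOC_DOMAINS) -> str | None:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Walk the label list from the left so 'cdn.w3p.co.in' is checked as
    'cdn.w3p.co.in', 'w3p.co.in', 'co.in', 'in'; only exact label boundaries
    count, so 'trashmonkey.network' never matches 'trashmonkey.net'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(csv_text: str, iocs: set[str] = IOC_DOMAINS) -> list[dict]:
    """Return matching rows (with a MatchedIOC column) ordered newest first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc = matches_ioc(row["Name"], iocs)
        if ioc is not None:
            hits.append({**row, "MatchedIOC": ioc})
    # ISO-8601 timestamps sort correctly as strings.
    hits.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_CSV):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

Feed the output into the same triage you would apply to the Sentinel results: confirm the resolving host, check whether the query was followed by an HTTP connection to the returned address, and pivot on the Computer column for other indicators.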
Scenario: Legitimate Scheduled Job Using schtasks.exe
Description: A legitimate scheduled task is configured to run a script or executable that matches one of the IOCs associated with StrelaStealer.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known legitimate command-line arguments or paths (e.g., C:\Windows\System32\schtasks.exe /create).
Scenario: System Maintenance Tool Using taskmgr.exe
Description: A system administrator uses Task Manager (taskmgr.exe) to manually inspect or modify running processes, which may be flagged due to process name similarity.
Filter/Exclusion: Exclude processes initiated by taskmgr.exe with user interaction or from the System context (e.g., ProcessName = taskmgr.exe and User = SYSTEM).
Scenario: Legitimate Log Collection Using logman.exe
Description: A log collection tool like logman.exe is used to create or manage event logs, which may contain IOCs that match the StrelaStealer detection.
Filter/Exclusion: Exclude processes initiated by logman.exe with known log management command-line parameters (e.g., /create or /start).
Scenario: Admin Task Using PowerShell.exe for Configuration
Description: An administrator uses PowerShell to configure system settings or deploy updates, which may include scripts or commands that match the StrelaStealer IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by administrators with known legitimate command-line arguments or from trusted locations (e.g., ExecutionPolicy = Bypass and ExecutionLocation = C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Legitimate Software Deployment Using msiexec.exe