The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary

Malware Family: XMRIG
Total IOCs: 6
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://45[.]153[.]34[.]212:8181/.rupemnasa/.system3d | payload_delivery | 2026-05-18 | 90% |
| url | hxxp://45[.]153[.]34[.]212:8181/.rupemnasa/.config4.json | payload_delivery | 2026-05-18 | 90% |
| url | hxxp://45[.]153[.]34[.]212:8181/muiecoaieaarch | payload_delivery | 2026-05-18 | 90% |
| url | hxxp://45[.]153[.]34[.]212/fakewhiteblack.sh | payload_delivery | 2026-05-18 | 90% |
| ip:port | 45[.]153[.]34[.]212:3333 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 64[.]89[.]163[.]174:3333 | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["45.153.34.212", "64.89.163.174"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["45.153.34.212", "64.89.163.174"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
// Note: UrlClickEvents only records Safe Links clicks from email, Teams and Office apps.
// Payload-delivery URLs fetched by a dropper on an endpoint will not appear here; check
// proxy logs or the RemoteUrl column of DeviceNetworkEvents for those.
let malicious_urls = dynamic([
    "http://45.153.34.212:8181/.rupemnasa/.system3d",
    "http://45.153.34.212:8181/.rupemnasa/.config4.json",
    "http://45.153.34.212:8181/muiecoaieaarch",
    "http://45.153.34.212/fakewhiteblack.sh"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
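The following Python is an added example, not code from the rule page or from ThreatFox: it parses the defanged IOC rows from the table above (copied here as constructed input), refangs them, renders the `let` lists the KQL queries use, and tags a few constructed log records the way those queries would. The sample events, the `RequestURL` field name and the `ip_only` tag are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed copy of the page's IOC rows, in the defanged form the feed publishes.
DEFANGED_IOCS = [
    ("url", "hxxp://45[.]153[.]34[.]212:8181/.rupemnasa/.system3d"),
    ("url", "hxxp://45[.]153[.]34[.]212:8181/.rupemnasa/.config4.json"),
    ("url", "hxxp://45[.]153[.]34[.]212:8181/muiecoaieaarch"),
    ("url", "hxxp://45[.]153[.]34[.]212/fakewhiteblack.sh"),
    ("ip:port", "45[.]153[.]34[.]212:3333"),
    ("ip:port", "64[.]89[.]163[.]174:3333"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str          # "url" or "ip:port", as in the ThreatFox table
    ip: Optional[str]      # host part (all hosts in this set are bare IPv4 addresses)
    port: Optional[int]    # explicit port, or the scheme default for URLs
    url: Optional[str]     # refanged URL for url indicators, else None


def parse_indicator(ioc_type: str, value: str) -> Indicator:
    """Turn one defanged feed row into a structured indicator."""
    clean = refang(value)
    if ioc_type == "url":
        parts = urlsplit(clean)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return Indicator("url", parts.hostname, port, clean)
    if ioc_type == "ip:port":
        ip, _, port = clean.rpartition(":")
        return Indicator("ip:port", ip, int(port), None)
    raise ValueError(f"unsupported IOC type: {ioc_type}")


INDICATORS = [parse_indicator(t, v) for t, v in DEFANGED_IOCS]


def malicious_ips() -> set:
    return {i.ip for i in INDICATORS}


def malicious_urls() -> set:
    return {i.url for i in INDICATORS if i.url}


def kql_dynamic_list(values) -> str:
    """Render a KQL dynamic([...]) literal from a collection of strings."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in sorted(set(values)))
    return f"dynamic([{quoted}])"


def kql_let(name: str, values) -> str:
    """Render a complete `let` statement such as the ones in the hunting queries."""
    return f"let {name} = {kql_dynamic_list(values)};"


# Constructed events shaped loosely like CommonSecurityLog / DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    {"DestinationIP": "64.89.163.174", "DestinationPort": 3333, "RequestURL": ""},
    {"DestinationIP": "45.153.34.212", "DestinationPort": 8181,
     "RequestURL": "http://45.153.34.212:8181/.rupemnasa/.config4.json"},
    {"DestinationIP": "10.0.0.5", "DestinationPort": 443, "RequestURL": "https://intranet.example/health"},
    {"DestinationIP": "45.153.34.212", "DestinationPort": 22, "RequestURL": ""},
]


def match_event(event: dict) -> list:
    """Tag an event with the indicators it matches.

    Exact ip:port and url matches carry the feed's threat type. A bare IP match on
    some other port is reported as ip_only: the page's KQL matches on IP alone, so it
    is broader than the feed and such hits deserve a second look rather than a page-out.
    """
    tags = []
    for ind in INDICATORS:
        if ind.ioc_type == "ip:port" and (event["DestinationIP"], event["DestinationPort"]) == (ind.ip, ind.port):
            tags.append(f"botnet_cc:{ind.ip}:{ind.port}")
        elif ind.ioc_type == "url" and event.get("RequestURL", "").lower() == ind.url.lower():
            tags.append(f"payload_delivery:{ind.url}")
    if not tags and event["DestinationIP"] in malicious_ips():
        tags.append(f"ip_only:{event['DestinationIP']}")
    return tags


if __name__ == "__main__":
    print(kql_let("malicious_ips", malicious_ips()))
    print(kql_let("malicious_urls", malicious_urls()))
    for ev in SAMPLE_EVENTS:
        print(ev["DestinationIP"], ev["DestinationPort"], match_event(ev))
```

Refanging from the feed rather than retyping addresses by hand avoids the transcription slips that silently turn a hunting query into a no-op, and the `ip_only` tier makes explicit that a connection to 45.153.34.212 on port 3333 (the feed's C2 entry) is stronger evidence than a connection to the same address on an arbitrary port.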
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog via AMA from firewalls or proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector; Defender for Endpoint network telemetry) |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector; Defender for Office 365 Safe Links clicks) |
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying XMRIG as part of a legitimate cryptocurrency mining setup for a sanctioned use case (e.g., a data center with approved mining operations).
Filter/Exclusion: Exclude processes or files associated with known XMRIG versions used in authorized environments (e.g., xmrig-5.1.0 or xmrig-5.2.0), or filter by user account (e.g., mining_user).
Scenario: Scheduled System Maintenance Job
Description: A scheduled task is running a script that uses find or grep to search for files containing the string “XMRIG” as part of a system audit or log analysis.
Filter/Exclusion: Exclude processes initiated by the root or systemd user, or filter based on command-line arguments containing audit, log, or search.
Scenario: Admin Task for Log Analysis
Description: A system administrator is using tcpdump or Wireshark to analyze network traffic for signs of mining activity, and the tool is capturing packets containing the string “XMRIG”.
Filter/Exclusion: Exclude traffic originating from or destined to known internal systems, or filter based on packet content that includes “XMRIG” in the context of network analysis.
Scenario: Antivirus or EDR False Positive
Description: A security tool (e.g., CrowdStrike Falcon, Microsoft Defender) is flagging a legitimate file (e.g., xmrig-5.1.0.tar.gz) as containing XMRIG IOCs due to signature overlap.
Filter/Exclusion: Exclude files with known benign hashes or signers, or filter based on file type (e.g., .tar.gz, .zip).