The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 6
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | download.skibidibopbop.lol | payload_delivery | 2026-05-17 | 100% |
| domain | download.stopbanningmydomains.ru | payload_delivery | 2026-05-17 | 100% |
| ip:port | 156[.]246[.]94[.]183:53 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 156[.]246[.]94[.]183:80 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 156[.]246[.]94[.]183:443 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 156[.]246[.]94[.]183:123 | botnet_cc | 2026-05-17 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["156.246.94.183"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["156.246.94.183"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XMRIG
let malicious_domains = dynamic(["download.skibidibopbop.lol", "download.stopbanningmydomains.ru"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
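The IOC table above is published defanged (`156[.]246[.]94[.]183:53`) while the hunting queries need live values, and the four ip:port rows collapse to a single address. The following added Python helper (not part of the ThreatFox feed or the Sentinel content) refangs the rows, splits them into the domain and IP lists the three queries use, emits the matching KQL `let` statements, and does a port-aware match against a constructed DeviceNetworkEvents-style record; the `matches` function and the `RemoteUrl` host comparison are assumptions for illustration.

```python
from ipaddress import ip_address

# Constructed copy of the six ThreatFox rows shown in the table above, still defanged.
IOCS = [
    ("domain", "download.skibidibopbop.lol"),
    ("domain", "download.stopbanningmydomains.ru"),
    ("ip:port", "156[.]246[.]94[.]183:53"),
    ("ip:port", "156[.]246[.]94[.]183:80"),
    ("ip:port", "156[.]246[.]94[.]183:443"),
    ("ip:port", "156[.]246[.]94[.]183:123"),
]

def refang(value):
    """Undo the usual defanging so the value can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def split_iocs(rows):
    """Return (domains, unique_ips, ip_port_pairs) with defanging removed."""
    domains, ips, pairs = [], [], []
    for ioc_type, raw in rows:
        value = refang(raw).lower()
        if ioc_type == "domain":
            if value not in domains:
                domains.append(value)
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_address(ip)  # raises ValueError if the feed row is malformed
            if ip not in ips:
                ips.append(ip)  # one IP feeds the `in (malicious_ips)` filter
            pairs.append((ip, int(port)))  # ports kept for a tighter match
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return domains, ips, pairs

def kql_dynamic(name, values):
    """Render a KQL `let name = dynamic([...]);` line with every value quoted."""
    body = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{body}]);"

def matches(event, domains, pairs):
    """Assumed helper: test one constructed network record against the IOC set.
    IP hits require the published port, which cuts noise from shared hosting."""
    remote = (event.get("RemoteIP"), event.get("RemotePort"))
    host = (event.get("RemoteUrl") or "").lower()
    return remote in pairs or any(host == d or host.endswith("." + d) for d in domains)
```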
Scenario: System Maintenance Task Using XMRIG for Performance Monitoring
Description: A system administrator uses XMRIG as part of a legitimate performance monitoring tool to analyze CPU usage and system load.
Filter/Exclusion: Exclude processes associated with known system monitoring tools (e.g., perfmon, sar, iostat) or filter by user account (e.g., root, admin).
Scenario: Scheduled Job for Log Analysis Using XMRIG
Description: A scheduled job runs XMRIG to parse and analyze log files for security or compliance purposes.
Filter/Exclusion: Exclude processes initiated by cron jobs or task schedulers (e.g., crontab, schtasks) and filter by command-line arguments containing log analysis keywords (e.g., --log, --analyze).
Scenario: Development Environment with XMRIG for Testing
Description: A developer uses XMRIG in a sandboxed or virtualized environment to test cryptocurrency mining code or related functionality.
Filter/Exclusion: Exclude processes running in virtual machines or containers (e.g., docker, kvm, vmware) or filter by user account (e.g., dev, test).
Scenario: IT Team Using XMRIG for Network Traffic Analysis
Description: The IT team deploys XMRIG to monitor and analyze network traffic for anomalies or security threats.
Filter/Exclusion: Exclude processes with network analysis tools (e.g., tcpdump, Wireshark, nmap) or filter by user account (e.g., it, security).
Scenario: Legacy System Compatibility Check with XMRIG
Description: A legacy system or compatibility test runs XMRIG to verify system behavior or interoperability with older software.