The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators linked to malware that may evade traditional detection methods. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical assets.
IOC Summary
Malware Family: Unknown malware Total IOCs: 25 IOC Types: url, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 66[.]85[.]27[.]30:7443 | botnet_cc | 2026-05-07 | 75% |
| ip:port | 104[.]167[.]199[.]243:7443 | botnet_cc | 2026-05-07 | 75% |
| url | hxxp://45[.]150[.]66[.]241/TRANCE | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/NITRO | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/KLOP | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/GETWELL | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/Junilew | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/Hikudip | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/Cucowu | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://45[.]150[.]66[.]241/Doheku | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://vortexlogicgate.digital/script.sh | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://bgu-uniq.co.il/ | payload_delivery | 2026-05-07 | 90% |
| url | hxxps://coloringonly.com/es/lionel-messi/ | payload_delivery | 2026-05-07 | 90% |
| domain | vortexlogicgate.digital | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://moro4tix.digital/script.sh | payload_delivery | 2026-05-07 | 100% |
| domain | moro4tix.digital | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://1ymphstoy.digital/script.sh | payload_delivery | 2026-05-07 | 100% |
| domain | 1ymphstoy.digital | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://goodpix21341.digital/t.js | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://goodpix21341.digital/ext.f66368c3907c.js | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://goodpix21341.digital/ext-b[.]1c60f323a607.js | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://goodpix21341.digital/t[.]188cfd3975db.js | payload_delivery | 2026-05-07 | 100% |
| domain | goodpix21341.digital | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://clacndjsvulnarbi.beer/api/css.js | payload_delivery | 2026-05-07 | 100% |
| domain | clacndjsvulnarbi.beer | payload_delivery | 2026-05-07 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["104.167.199.243", "66.85.27.30"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.167.199.243", "66.85.27.30"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["vortexlogicgate.digital", "moro4tix.digital", "1ymphstoy.digital", "goodpix21341.digital", "clacndjsvulnarbi.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://45.150.66.241/TRANCE", "http://45.150.66.241/NITRO", "http://45.150.66.241/KLOP", "http://45.150.66.241/GETWELL", "http://45.150.66.241/Junilew", "http://45.150.66.241/Hikudip", "http://45.150.66.241/Cucowu", "http://45.150.66.241/Doheku", "https://vortexlogicgate.digital/script.sh", "https://bgu-uniq.co.il/", "https://coloringonly.com/es/lionel-messi/", "https://moro4tix.digital/script.sh", "https://1ymphstoy.digital/script.sh", "https://goodpix21341.digital/t.js", "https://goodpix21341.digital/ext.f66368c3907c.js", "https://goodpix21341.digital/ext-b.1c60f323a607.js", "https://goodpix21341.digital/t.188cfd3975db.js", "https://clacndjsvulnarbi.beer/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude IOCs that match known Microsoft update servers (e.g., download.microsoft.com, windowsupdate.microsoft.com).
Scenario: A security team is performing a Windows Event Log analysis using LogParser and exporting logs to a CSV file on a local server.
Filter/Exclusion: Exclude file paths containing LogParser.exe or logparser.exe and any files with .csv extensions generated by log analysis tools.
Scenario: A DevOps engineer is deploying a Docker container using Kubernetes and the container is writing logs to a shared storage location.
Filter/Exclusion: Exclude IOCs related to Docker or Kubernetes binaries (e.g., docker, kubectl, /var/lib/docker, /etc/kubernetes).
Scenario: A database administrator is running a SQL Server maintenance job that backs up the database to a network share.
Filter/Exclusion: Exclude IOCs that match known SQL Server backup paths (e.g., C:\Program Files\Microsoft SQL Server, MSSQL_BACKUP) or network shares used for backups.
Scenario: A system is running a scheduled backup task using Veeam Backup & Replication and the backup files are stored in a dedicated backup directory.
Filter/Exclusion: Exclude IOCs that match Veeam-related paths (e.g., C:\Program Files\Veeam, VeeamBackup) or any file extensions associated with backup archives (e.g., .vbk, .vib).