ThreatFox: SocksProxyGo IOCs

Hunt Hypothesis

Hunt package for 4 IOCs associated with SocksProxyGo

IOC Summary

Malware Family: SocksProxyGo Total IOCs: 4 IOC Types: sha256_hash, url

Type	Value	Threat Type	First Seen	Confidence
url	`hxxp://45[.]76[.]21[.]42/index.js`	payload_delivery	2026-03-18	100%
url	`hxxp://45[.]76[.]21[.]42/svchost.exe`	payload_delivery	2026-03-18	100%
url	`hxxp://45[.]76[.]21[.]42/3/3`	payload_delivery	2026-03-18	100%
sha256_hash	`1454b64b74eb655db859d3c1e2c2afc13cbb45b6173dee60923357637da17386`	payload	2026-03-18	100%

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - SocksProxyGo
let malicious_urls = dynamic(["http://45.76.21.42/index.js", "http://45.76.21.42/svchost.exe", "http://45.76.21.42/3/3"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - SocksProxyGo
let malicious_hashes = dynamic(["1454b64b74eb655db859d3c1e2c2afc13cbb45b6173dee60923357637da17386"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`DeviceFileEvents`	Ensure this data connector is enabled
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — SocksProxyGo