The hypothesis is that an adversary is using malicious URLs associated with the IP 118-107-44-190:8080 to exfiltrate data or deploy malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches or command-and-control communications early.
IOC Summary
Threat: 118-107-44-190-8080 Total URLs: 3 Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://118.107.44.190:8080/2.exe | online | malware_download | 2026-04-22 |
hxxp://118.107.44.190:8080/Isass.exe | online | malware_download | 2026-04-22 |
hxxp://118.107.44.190:8080/1.exe | online | malware_download | 2026-04-22 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 118-107-44-190-8080
let malicious_domains = dynamic(["118.107.44.190"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["118.107.44.190"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A legitimate system update or patching job uses a URL from the same IP range as the malicious URL.
Filter/Exclusion: Exclude URLs associated with known system update tools like WSUS or Microsoft Update, or filter by domain such as update.microsoft.com.
Scenario: A scheduled backup job or data transfer task uses a URL that resolves to the same IP address.
Filter/Exclusion: Exclude URLs containing domains like backup.example.com or transfer.example.com, or filter by source IP if the backup server is known.
Scenario: A DevOps pipeline or CI/CD tool (e.g., Jenkins, GitLab CI) uses a private URL for internal artifact distribution.
Filter/Exclusion: Exclude URLs containing paths like /artifactory or /nexus and filter by internal domain names (e.g., artifactory.internal.com).
Scenario: An admin task such as log collection or monitoring tool (e.g., Splunk, ELK stack) connects to an internal server using a URL that resolves to the same IP.
Filter/Exclusion: Exclude URLs with paths like /logs or /metrics and filter by internal IP ranges or internal domains (e.g., logs.internal.com).
Scenario: A legitimate software licensing or activation service (e.g., Adobe, Autodesk) uses a URL that resolves to the same IP address.
Filter/Exclusion: Exclude URLs containing domains like activation.adobe.com or license.autodesk.com, or filter by known service providers.