The detection identifies potential command and control communication from a known malicious IP address associated with URLs listed in URLhaus. SOC teams should proactively hunt for this behavior to uncover compromised endpoints and prevent further lateral movement or data exfiltration in their Azure Sentinel environment.
IOC Summary

Threat: 118-107-44-213-8080, Total URLs: 3, Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://118.107.44.213:8080/Isass.exe | online | malware_download | 2026-04-22 |
| hxxp://118.107.44.213:8080/1.exe | online | malware_download | 2026-04-22 |
| hxxp://118.107.44.213:8080/2.exe | online | malware_download | 2026-04-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 118-107-44-213-8080
// The indicator is a bare IP, so it will not appear as a DNS query name (Name);
// also match it in the resolved answers (IPAddresses) or the hunt never fires.
let malicious_domains = dynamic(["118.107.44.213"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 118-107-44-213-8080
let malicious_domains = dynamic(["118.107.44.213"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
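An added hunting query (written for this page, not taken from URLhaus or the original detection) that tightens the two queries above to the exact IP:port and payload names from the IOC summary, matches the IP in DNS answers rather than query names, and applies the backup and CI/CD exclusions described in the scenarios below; the host names in the exclusion lists are assumed placeholders.

```kql
// Added example: exact URLhaus match for threat 118-107-44-213-8080 with
// false-positive exclusions, correlated per host across proxy and DNS logs.
let ioc_ip = "118.107.44.213";
let ioc_port = 8080;
let ioc_paths = dynamic(["/Isass.exe", "/1.exe", "/2.exe"]);   // from the IOC summary
// Assumed placeholder exclusion lists; replace with your own tuning tables or a watchlist.
let backup_hosts = dynamic(["veeam-01", "rsync-gw"]);
let cicd_hosts   = dynamic(["jenkins-01", "gitlab-runner-01"]);
let web_hits = CommonSecurityLog
    | where DestinationIP == ioc_ip and DestinationPort == ioc_port
    // Compare the URL path, not the whole string, so query strings or casing tricks do not hide a hit
    | extend UrlPath = tostring(parse_url(RequestURL).Path)
    | extend ExactUrlhausMatch = UrlPath in (ioc_paths)
    // Exclusions from the false-positive scenarios: backup jobs and CI/CD runners
    | where SourceHostName !in (backup_hosts) and SourceHostName !in (cicd_hosts)
    | project TimeGenerated, Host = SourceHostName, SourceIP, RequestURL, UrlPath,
              ExactUrlhausMatch, DeviceAction;
let dns_hits = DnsEvents
    // A bare IP only shows up in the resolved answer, never in the query name
    | where IPAddresses has ioc_ip
    | project TimeGenerated, Host = Computer, QueryName = Name, IPAddresses;
web_hits
| union dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Events = count(), ExactMatches = countif(ExactUrlhausMatch == true),
            Urls = make_set(RequestURL), Queries = make_set(QueryName)
  by Host
// Hosts that fetched one of the listed payloads sort first; IP-only contacts follow
| order by ExactMatches desc, LastSeen desc
```

Any host with ExactMatches greater than zero has requested one of the three listed payloads and should be triaged as a likely compromise; hosts with only DNS or IP:port contact are lower-confidence leads for the exclusions below to trim.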
Scenario: A system administrator is using PowerShell to download a legitimate software update from a trusted source, which happens to resolve to the IP 118-107-44-213 on port 8080.
Filter/Exclusion: Exclude traffic originating from system admin accounts or processes associated with known update mechanisms (e.g., Windows Update, Chocolatey, or PowerShell scripts signed by a trusted certificate).
Scenario: A scheduled backup job using rsync or Veeam is transferring data over a non-standard port (e.g., 8080) to a remote server, which is mistakenly mapped to the IP 118-107-44-213.
Filter/Exclusion: Exclude traffic associated with backup tools (e.g., rsync, Veeam, Commvault) or traffic to known backup servers in the enterprise network.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is accessing a private registry or artifact repository over port 8080, which is incorrectly tagged with the IP 118-107-44-213.
Filter/Exclusion: Exclude traffic from CI/CD tools (e.g., Jenkins, GitLab, GitHub Actions) or traffic to internal artifact repositories.
Scenario: A network monitoring tool (e.g., Wireshark, tcpdump) is capturing and analyzing traffic on port 8080, which is being misinterpreted as malicious due to the IP 118-107-44-213.
Filter/Exclusion: Exclude traffic from network analysis tools or traffic on ports commonly used for packet capture and analysis (e.g., 808