This detection identifies potential command-and-control communication involving malicious URLs associated with the URLhaus threat 144-91-86-92 (the IP 144.91.86.92), which indicates possible adversary activity. SOC teams should proactively hunt for this behaviour to identify and mitigate early-stage compromise attempts in their Azure Sentinel environment.
IOC Summary
Threat: 144-91-86-92 Total URLs: 15 Active URLs: 15
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://144.91.86.92/luxzzxzzx/luxzz.aarch64 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.arm5 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.x86_64 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.mips | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.x86 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.mpsl | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.arm | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.arm6 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.m68k | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/debug | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.spc | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.i686 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.sh4 | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.ppc | online | malware_download | 2026-04-22 |
| hxxp://144.91.86.92/luxzzxzzx/luxzz.arc | online | malware_download | 2026-04-22 |
```kql
// Hunt for DNS activity involving the URLhaus indicator
// Threat: 144-91-86-92
let malicious_hosts = dynamic(["144.91.86.92"]);
DnsEvents
// The indicator is an IP address, so match the resolved address as well as the queried name
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus indicator (run as a separate query from the DNS hunt)
// Threat: 144-91-86-92
let malicious_hosts = dynamic(["144.91.86.92"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
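The same hunt in Python, as an added example that is not part of the original page or of URLhaus: it refangs the table's indicators into the host and path-prefix set a KQL dynamic([...]) list would carry, then runs the match over constructed sample proxy log lines and records which per-architecture payload (luxzz.<arch>) a host requested, which tells the responder what kind of device reached out. The log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the page's IOC table (defanged there with hxxp://);
# the shared host and directory are enough to match all fifteen URLs.
DEFANGED_IOCS = [
    "hxxp://144.91.86.92/luxzzxzzx/luxzz.aarch64",
    "hxxp://144.91.86.92/luxzzxzzx/luxzz.mips",
    "hxxp://144.91.86.92/luxzzxzzx/debug",
]

def refang(ioc):
    """Reverse hxxp:// and [.] defanging so the value can be matched against real logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def indicator_sets(defanged):
    """Return (hosts, url_path_prefixes) to hunt on, e.g. for a KQL dynamic([...]) list."""
    hosts, prefixes = set(), set()
    for ioc in defanged:
        parts = urlsplit(refang(ioc))
        hosts.add(parts.hostname)
        prefixes.add(parts.path.rsplit("/", 1)[0] + "/")
    return hosts, prefixes

# Constructed sample proxy log lines (hypothetical key=value format, not from the page).
SAMPLE_LOGS = """\
2026-04-22T10:01:07Z src=10.0.5.17 dst=144.91.86.92 url=http://144.91.86.92/luxzzxzzx/luxzz.mips act=allow
2026-04-22T10:01:09Z src=10.0.5.17 dst=144.91.86.92 url=http://144.91.86.92/luxzzxzzx/luxzz.arm7 act=block
2026-04-22T10:02:30Z src=10.0.9.4 dst=93.184.216.34 url=http://example.com/index.html act=allow
2026-04-22T10:03:11Z src=10.0.5.21 dst=144.91.86.92 url=http://144.91.86.92/other/page act=allow
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+) act=(?P<act>\S+)$")

def hunt(lines, defanged=DEFANGED_IOCS):
    """Flag every request to the indicator host; when the path is inside the campaign
    directory, record the architecture suffix of the requested payload (None otherwise)."""
    hosts, prefixes = indicator_sets(defanged)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently drop a match
        url = urlsplit(m["url"])
        if m["dst"] not in hosts and url.hostname not in hosts:
            continue
        arch = None
        if any(url.path.startswith(p) for p in prefixes):
            name = url.path.rsplit("/", 1)[-1]
            arch = name.split(".", 1)[1] if "." in name else None
        hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "action": m["act"], "arch": arch})
    return hits
```

A blocked download (act=block) is still a hit worth triaging, since it shows the source host already tried to fetch the payload.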
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patch deployment using a URLhaus IP
Filter/Exclusion: Exclude traffic originating from known patch management tools like WSUS or SCCM that use the IP 144-91-86-92 for distribution.
Example Filter: process.name != "wsusutil.exe" && process.name != "ccmexec.exe"
Scenario: Internal network scanning or vulnerability assessment using a known IP
Filter/Exclusion: Exclude traffic from internal security tools like Nessus, OpenVAS, or Nmap that may use the IP 144-91-86-92 for scanning.
Example Filter: process.name != "nmap.exe" && process.name != "nessuscli" && process.name != "openvas"
Scenario: Scheduled job for malware analysis or sandboxing using a known IP
Filter/Exclusion: Exclude traffic from sandboxing platforms like Cuckoo Sandbox or Joe Sandbox that may use the IP 144-91-86-92 for external resource fetching.
Example Filter: process.name != "cuckoo" && process.name != "joesandbox"
Scenario: Legitimate outbound traffic from a cloud service provider using the IP
Filter/Exclusion: Exclude traffic from cloud services like AWS, Azure, or Google Cloud that may route through the IP 144-91-86-92 as part of their network infrastructure.
Example Filter: process.name != "awscli" && process.name != "az" && process.name != "gcloud"
Scenario: Admin task for DNS or network configuration using a known IP
Filter/Exclusion: Exclude traffic from