Adversaries are using malicious URLs hosted on the IP 195-96-132-13 to deliver payloads or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from known malicious infrastructure.
IOC Summary
Threat: 195-96-132-13 Total URLs: 7 Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://195.96.132.13/v.sh | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/karm7 | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/kmpsl | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/karm | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/karm5 | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/kmips | online | malware_download | 2026-05-31 |
hxxp://195.96.132.13/karm6 | online | malware_download | 2026-05-31 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 195-96-132-13
let malicious_domains = dynamic(["195.96.132.13"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["195.96.132.13"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate system update from a known Microsoft server, which happens to be hosted on the IP 195-96-132-13.
Filter/Exclusion: Check if the URL contains update.microsoft.com or windowsupdate.com and exclude traffic to these domains.
Scenario: A scheduled job in Ansible is configured to fetch configuration files from an internal repository hosted on a server with the IP 195-96-132-13.
Filter/Exclusion: Exclude traffic originating from Ansible control nodes or to internal repositories (e.g., internal-repo.example.com).
Scenario: A CI/CD pipeline (e.g., Jenkins) is pulling dependencies from a public artifact repository (e.g., Maven Central) that is temporarily hosted on the IP 195-96-132-13.
Filter/Exclusion: Exclude traffic to known public repositories (e.g., maven.org, npmjs.org) or use a whitelisted list of allowed domains.
Scenario: A remote desktop session (e.g., RDP) is initiated from a user’s machine to a server with the IP 195-96-132-13, which is part of the company’s internal network.
Filter/Exclusion: Exclude traffic from internal IP ranges or filter based on source IP ranges used by internal systems.
Scenario: A network monitoring tool (e.g., Wireshark) is configured to capture and analyze traffic on a local network, and the IP 195-96-132-13 is part of the internal network’s routing table.
**Filter/