The hypothesis is that the detected URLs are served from the IP 213.111.144.211 on port 8443 (URLhaus threat tag 213-111-144-211-8443), and that endpoints reaching this host are downloading payloads or communicating with command and control infrastructure, possibly for data exfiltration. SOC teams should proactively hunt for this traffic in Azure Sentinel to identify and contain compromised endpoints or network resources.
IOC Summary
Threat: 213-111-144-211-8443
Total URLs: 7
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://213.111.144.211:8443/bins/7 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/4 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/6 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/1 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/5 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/3 | online | malware_download | 2026-06-09 |
| hxxps://213.111.144.211:8443/bins/8 | online | malware_download | 2026-06-09 |
```kql
// Hunt for DNS activity involving the URLhaus-listed host
// Threat: 213-111-144-211-8443
// The indicator is a bare IP, so a lookup name will rarely match; the resolved
// IPAddresses column is where an IP indicator actually surfaces.
let malicious_domains = dynamic(["213.111.144.211"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus-listed host
// Threat: 213-111-144-211-8443
// Matching on the host alone (rather than the full /bins/N URLs) also surfaces
// downloads of paths not yet listed on the same host and port.
let malicious_domains = dynamic(["213.111.144.211"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using curl or wget to download a legitimate update from a trusted internal repository that uses the IP 213-111-144-211 as part of its load balancing setup.
Filter/Exclusion: Check for the presence of a known internal IP range or use a filter like process.parent_process_name == "sudo" or process.command_line contains "internal-repo".
Scenario: A scheduled job runs Ansible or SaltStack to execute a playbook that temporarily connects to the IP 213-111-144-211 as part of a network diagnostic or health check.
Filter/Exclusion: Exclude connections made by known automation tools like ansible or salt, or use a filter like process.name contains "ansible-playbook".
Scenario: A developer is using Postman or curl to test a legitimate API endpoint that resolves to the IP 213-111-144-211 due to DNS round-robin or load balancing.
Filter/Exclusion: Filter by process.name contains "postman" or process.name contains "curl" and check for known internal or trusted domains in the request URL.
Scenario: A system is running a scheduled backup job using rsync or scp that connects to a remote server using the IP 213-111-144-211 as part of a backup process.
Filter/Exclusion: Exclude connections made by backup tools like rsync or scp, or use a filter like process.name contains "rsync" or process.name contains "scp".
Scenario: A network monitoring tool like Nagios or `Z
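The following is an added example, not part of the original hunt page, that runs the same logic as the two Sentinel queries above over a handful of constructed proxy-log records and applies the kind of process-based exclusions the false-positive scenarios describe. It refangs the defanged URLhaus entries, indexes them by host and port so that a download from the same host with a not-yet-listed path is still reported, and only suppresses a hit when both the process name and the destination name are on an allowlist (a stricter rule than the scenarios' process-name-only filter, chosen here because a process name alone is easy to spoof). The field names `ProcessName`, `DestinationPort` and the allowlists are assumptions for this example; the sample records are constructed.

```python
"""Offline hunt for the URLhaus IOCs listed above (added example, constructed data)."""
from urllib.parse import urlsplit

# IOCs copied from the URLhaus table above, in their defanged form.
IOC_URLS = [f"hxxps://213.111.144.211:8443/bins/{n}" for n in (7, 4, 6, 1, 5, 3, 8)]

# Constructed allowlists for the false-positive scenarios (hypothetical values).
EXCLUDED_PROCESSES = {"ansible-playbook", "salt-call", "rsync", "scp"}
TRUSTED_HOSTS = {"internal-repo.example.test"}


def refang(url):
    """Turn URLhaus defanged notation (hxxp, [.], [:]) back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def ioc_index(urls):
    """Index IOCs as (host, port) -> set of paths."""
    index = {}
    for u in urls:
        p = urlsplit(refang(u))
        index.setdefault((p.hostname, p.port), set()).add(p.path)
    return index


def classify(record, index):
    """Return 'exact', 'host_port', 'host' or None for one log record.

    RequestURL is preferred; DestinationHostName/DestinationPort are the
    fallback for firewall-style records that carry no URL.
    """
    url = record.get("RequestURL") or ""
    p = urlsplit(url) if "://" in url else urlsplit("//" + url)
    host = p.hostname or record.get("DestinationHostName")
    port = p.port or record.get("DestinationPort")
    if host is None:
        return None
    if (host, port) in index:
        return "exact" if p.path in index[(host, port)] else "host_port"
    if any(h == host for h, _ in index):
        return "host"
    return None


def is_excluded(record):
    """Scenario exclusion: suppress only when process AND destination are allowlisted."""
    return (record.get("ProcessName") in EXCLUDED_PROCESSES
            and record.get("DestinationHostName") in TRUSTED_HOSTS)


def hunt(records, urls=IOC_URLS):
    """Return (time, source, verdict, url) for every non-excluded match."""
    index = ioc_index(urls)
    hits = []
    for r in records:
        verdict = classify(r, index)
        if verdict and not is_excluded(r):
            hits.append((r["TimeGenerated"], r["SourceIP"], verdict, r.get("RequestURL")))
    return hits


# Constructed sample records shaped like CommonSecurityLog rows.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-09T10:00:00Z", "SourceIP": "10.0.0.5", "ProcessName": "curl",
     "RequestURL": "https://213.111.144.211:8443/bins/7"},                      # listed URL
    {"TimeGenerated": "2026-06-09T10:01:00Z", "SourceIP": "10.0.0.6", "ProcessName": "wget",
     "RequestURL": "https://213.111.144.211:8443/bins/9"},                      # same host:port, new path
    {"TimeGenerated": "2026-06-09T10:02:00Z", "SourceIP": "10.0.0.7", "ProcessName": "python3",
     "RequestURL": "http://213.111.144.211/"},                                  # same host, other port
    {"TimeGenerated": "2026-06-09T10:03:00Z", "SourceIP": "10.0.0.8", "ProcessName": "curl",
     "RequestURL": "https://updates.example.test/pkg"},                         # benign
    {"TimeGenerated": "2026-06-09T10:04:00Z", "SourceIP": "10.0.0.9", "ProcessName": "rsync",
     "RequestURL": "https://213.111.144.211:8443/bins/1",
     "DestinationHostName": "internal-repo.example.test"},                      # excluded by scenario rule
    {"TimeGenerated": "2026-06-09T10:05:00Z", "SourceIP": "10.0.0.10", "ProcessName": "unknown",
     "DestinationHostName": "213.111.144.211", "DestinationPort": 8443},        # no URL, firewall-style
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(*hit)
```

The `host_port` verdict is the one worth watching in practice: URLhaus lists `/bins/1` through `/bins/8`, so a request for an unlisted path on the same host and port is more likely a fresh payload than a false positive.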