This detection covers the URLs recorded under URLhaus entry 282234: six URLs, all tagged malware_download, all served from two bare IP addresses (62.60.226.159 and 196.251.107.104) rather than from a domain. URLs of this kind are payload-hosting locations; a request to one of them, particularly one the proxy allowed, indicates a host is fetching malware and should be treated as a compromise in progress rather than as a phishing click. SOC teams should hunt for these URLs and hosting IPs in Microsoft Sentinel (formerly Azure Sentinel) to find such early-stage activity before it progresses to credential theft, lateral movement or data exfiltration.
IOC Summary
URLhaus ID: 282234
Total URLs: 6
Active URLs: 6 (status "online" at the time the entry was captured)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://62.60.226.159/tkr.exe | online | malware_download | 2026-06-05 |
| hxxp://196.251.107.104/Psd8eZaW/Plugins/cred64.dll | online | malware_download | 2026-06-05 |
| hxxp://196.251.107.104/clp2.exe | online | malware_download | 2026-06-05 |
| hxxp://196.251.107.104/Psd8eZaW/Plugins/cred.dll | online | malware_download | 2026-06-05 |
| hxxp://196.251.107.104/clp1.exe | online | malware_download | 2026-06-05 |
| hxxp://196.251.107.104/amadey_x64.zip | online | malware_download | 2026-06-05 |
The URLs are defanged (hxxp); re-fang them to http before matching against logged request URLs. Because both hosts are bare IP addresses, there is no attacker domain to pivot on: match on the destination IP and on the request URL.
Hunting Queries
// Hunt for DNS lookups that resolved to the URLhaus hosting IPs
// Threat: 282234. The listed URLs use bare IPs, so match the resolved addresses (IPAddresses), not the queried name
let malicious_ips = dynamic(["62.60.226.159", "196.251.107.104"]);
DnsEvents
| where TimeGenerated > ago(30d)
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for proxy/firewall traffic to the URLhaus hosting IPs (any path) and flag requests for the exact listed URLs
let malicious_ips = dynamic(["62.60.226.159", "196.251.107.104"]);
let malicious_urls = dynamic([
    "http://62.60.226.159/tkr.exe",
    "http://196.251.107.104/psd8ezaw/plugins/cred64.dll",
    "http://196.251.107.104/clp2.exe",
    "http://196.251.107.104/psd8ezaw/plugins/cred.dll",
    "http://196.251.107.104/clp1.exe",
    "http://196.251.107.104/amadey_x64.zip"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips)
| extend KnownUrl = tolower(RequestURL) in (malicious_urls)
| project TimeGenerated, DeviceVendor, SourceIP, SourceHostName, DestinationIP, RequestURL, KnownUrl, DeviceAction
| order by TimeGenerated desc
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from a proxy or firewall. The device must log the requested URL for RequestURL matching; if it only logs connections, DestinationIP matches are all you will get. Check DeviceAction to tell allowed downloads from blocked ones. |
| DnsEvents | Populated by the DNS Analytics solution from Windows DNS servers. Only the resolved-address field (IPAddresses) is useful for this entry, since the IOCs contain no domain names. |
False Positives
Scenario: An administrator deliberately requests one of the listed URLs from an admin workstation to confirm that a new URL filtering tool blocks it.
Filter/Exclusion: Suppress hits where DeviceAction shows a block and the SourceIP or SourceHostName is a known admin workstation during the agreed testing window. An allowed request from the same workstation is still a finding.
Scenario: Security tooling such as a detonation sandbox, a URL scanner, or a scheduled script that enriches a threat feed fetches the listed URLs or resolves the hosting IPs as part of automated analysis.
Filter/Exclusion: Exclude the source IP ranges or hostnames of the sandbox and analysis hosts, preferably maintained in a watchlist rather than hard-coded in the query, and keep those hits in a separate low-priority view so the exclusion list is reviewed rather than forgotten.
Scenario: A URL in the entry is a false positive in the URLhaus feed and is reached by ordinary business traffic.
Filter/Exclusion: Verify the URL independently before trusting the feed's verdict either way, then add the exact URL to an internal allowlist and exclude exact matches only. Do not allowlist the whole IP address, since the other paths listed on the same host remain malicious.
Scenario: An analyst investigating the case browses to one of the URLs from an analyst workstation while monitoring the traffic in a tool such as OSSEC or Splunk.
Filter/Exclusion: Exclude the IP addresses or user agents of analyst workstations for the duration of the investigation, and prefer an isolated sandbox for any deliberate retrieval so that analyst traffic does not have to be carved out of the detection at all.
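As an added example (not code from the original page, from URLhaus, or from Microsoft), the Python below re-fangs the six IOCs, applies the same two checks as the KQL hunts above (destination IP on a listed host, request URL on a listed host, with exact-URL matches flagged) to a few constructed CEF proxy records, and then ranks each hit the way the scenarios above suggest: allowed requests from ordinary hosts first, blocked requests second, hits from known sandbox or analyst hosts set aside. The CEF field layout, the host names, the EXPECTED_SOURCES set and the log lines are all constructed assumptions, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# IOCs exactly as defanged on the page (URLhaus entry 282234).
DEFANGED_IOCS = [
    "hxxp://62.60.226.159/tkr.exe",
    "hxxp://196.251.107.104/Psd8eZaW/Plugins/cred64.dll",
    "hxxp://196.251.107.104/clp2.exe",
    "hxxp://196.251.107.104/Psd8eZaW/Plugins/cred.dll",
    "hxxp://196.251.107.104/clp1.exe",
    "hxxp://196.251.107.104/amadey_x64.zip",
]

# Assumption for the tuning step: hosts whose deliberate requests to the listed
# URLs (sandbox detonation, URL-filter validation) are expected and triaged apart.
EXPECTED_SOURCES = {"soc-sandbox-01"}


def refang(url: str) -> str:
    """Reverse the usual defanging so an IOC can be compared with logged URLs."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def build_indicators(defanged):
    """Return (hosting IPs, lower-cased full URLs) from a defanged IOC list.
    Lower-casing mirrors the case-insensitive matching of KQL has_any."""
    urls = {refang(u).lower() for u in defanged}
    hosts = {urlsplit(u).hostname for u in urls}
    return hosts, urls


IOC_HOSTS, IOC_URLS = build_indicators(DEFANGED_IOCS)

# CEF extension: key=value pairs separated by whitespace (values here carry no spaces).
CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str):
    """Split a CEF record into its fixed header fields plus the extension key/values."""
    parts = line.rstrip("\n").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ev = dict(CEF_KV.findall(parts[7]))
    ev["vendor"], ev["product"], ev["name"] = parts[1], parts[2], parts[5]
    return ev


def classify(ev):
    """Apply the two hunt conditions (destination IP, request URL on a listed host)
    and rank the hit the way an analyst would during triage. None means no hit."""
    req = ev.get("request", "").lower()
    req_host = urlsplit(req).hostname if req else None
    if ev.get("dst") not in IOC_HOSTS and req_host not in IOC_HOSTS:
        return None
    blocked = ev.get("act", "").lower() in {"block", "blocked", "deny", "denied"}
    if ev.get("shost", "").lower() in EXPECTED_SOURCES:
        priority = "expected"  # known sandbox/analyst host: review, do not page
    elif blocked:
        priority = "low"       # proxy stopped it; confirm nothing else reached out
    else:
        priority = "high"      # listed host reached and the request was allowed
    return {
        "src": ev.get("src"), "shost": ev.get("shost"), "dst": ev.get("dst"),
        "request": req, "known_url": req in IOC_URLS, "priority": priority,
    }


PRIORITY_ORDER = {"high": 0, "low": 1, "expected": 2}


def hunt(lines):
    """Run the checks over raw CEF lines; highest-priority hits first (stable order)."""
    hits = [h for h in (classify(parse_cef(l)) for l in lines if l.strip()) if h]
    return sorted(hits, key=lambda h: PRIORITY_ORDER[h["priority"]])


# Constructed proxy events in CEF form (not real telemetry); host names are made up.
SAMPLE_LOG = """\
CEF:0|ExampleVendor|WebProxy|1.0|100|Web request|5|src=10.1.2.3 shost=WS-FINANCE-07 dst=196.251.107.104 request=http://196.251.107.104/amadey_x64.zip act=allowed
CEF:0|ExampleVendor|WebProxy|1.0|100|Web request|5|src=10.1.2.4 shost=WS-HR-02 dst=62.60.226.159 request=http://62.60.226.159/tkr.exe act=blocked
CEF:0|ExampleVendor|WebProxy|1.0|100|Web request|5|src=10.9.9.9 shost=SOC-SANDBOX-01 dst=196.251.107.104 request=http://196.251.107.104/clp1.exe act=allowed
CEF:0|ExampleVendor|WebProxy|1.0|100|Web request|5|src=10.1.2.5 shost=WS-DEV-11 dst=196.251.107.104 request=http://196.251.107.104/Psd8eZaW/Plugins/other.dll act=allowed
CEF:0|ExampleVendor|WebProxy|1.0|100|Web request|5|src=10.1.2.6 shost=WS-OPS-03 dst=203.0.113.10 request=http://intranet.example/index.html act=allowed
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['priority']:<8} {hit['shost']:<15} {hit['request']}  known_url={hit['known_url']}")
```

The fourth sample record matters: it requests a path on 196.251.107.104 that is not in the entry, and it is still reported (with known_url False) because the host-level check catches it, which is exactly why the exclusion for a feed false positive should be per exact URL and not per IP.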