The hypothesis is that the detected URLs belong to a malicious campaign hosted on 38.76.199.154, port 8888, likely used for command and control or data exfiltration. A SOC team should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate compromised endpoints or data leakage.
IOC Summary

Threat: 38-76-199-154-8888
Total URLs: 5
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://38.76.199.154:8888/pro_stager.exe | online | malware_download | 2026-04-22 |
| hxxp://38.76.199.154:8888/pro_payload.exe | online | malware_download | 2026-04-22 |
| hxxp://38.76.199.154:8888/payload_exe | online | malware_download | 2026-04-22 |
| hxxp://38.76.199.154:8888/payload.exe | online | malware_download | 2026-04-22 |
| hxxp://38.76.199.154:8888/payload.elf | online | malware_download | 2026-04-22 |
```kql
// Hunt for DNS answers that resolve to the URLhaus-listed IP
// Threat: 38-76-199-154-8888
// The indicator is an IP address, not a domain, so match on the resolved
// answers (IPAddresses) rather than on the queried Name.
let malicious_ips = dynamic(["38.76.199.154"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IP (any path, any port)
let malicious_ips = dynamic(["38.76.199.154"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using the IP for internal monitoring
Description: A scheduled job runs on a SIEM system (e.g., Splunk, ELK) to check for internal network activity, and it connects to 38.76.199.154 on port 8888 as part of a monitoring tool (e.g., Nagios, Zabbix).
Filter/Exclusion: Exclude traffic originating from the SIEM system's internal IP range or add a filter for known monitoring tools.

Scenario: Admin task using a remote management tool
Description: An admin uses a remote management tool (e.g., Ansible, Puppet, or SSH) to connect to a server at 38.76.199.154 on port 8888 for configuration updates or diagnostics.
Filter/Exclusion: Exclude connections from admin accounts or add a filter for known remote management tools and user agents.

Scenario: Internal development server testing
Description: A development team uses an internal development server (e.g., Docker, Kubernetes) that is configured to listen on port 8888 and is reachable at 38.76.199.154 for testing purposes.
Filter/Exclusion: Exclude traffic from internal development networks or add a filter for known development environments and containerized services.

Scenario: Legitimate API testing with Postman or curl
Description: A security analyst or developer uses Postman or curl to test a legitimate API endpoint hosted at 38.76.199.154 on port 8888 as part of a security assessment.
Filter/Exclusion: Exclude traffic from known security testing tools.
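For environments without Sentinel, the same hunt can be run offline over exported proxy logs. The following is an added example (not part of the original page or of URLhaus): it refangs the IOC table's URLs, matches both the exact listed URLs and any other path on the same host:port, and applies the first false-positive scenario's exclusion. The monitoring subnet 10.50.0.0/24, the log format and the log lines are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the IOC table above, defanged exactly as URLhaus publishes them.
URLHAUS_URLS = [
    "hxxp://38.76.199.154:8888/pro_stager.exe",
    "hxxp://38.76.199.154:8888/pro_payload.exe",
    "hxxp://38.76.199.154:8888/payload_exe",
    "hxxp://38.76.199.154:8888/payload.exe",
    "hxxp://38.76.199.154:8888/payload.elf",
]
# Assumed exclusion (constructed, not from the page): the SIEM/monitoring subnet.
MONITORING_SOURCE_NETS = [ipaddress.ip_network("10.50.0.0/24")]
# Constructed proxy log lines, "<time> <src_ip> <action> <url>"; not real telemetry.
SAMPLE_LOGS = [
    "2026-04-22T10:01:05Z 10.20.3.41 allow http://38.76.199.154:8888/payload.exe",
    "2026-04-22T10:02:11Z 10.20.3.42 allow http://38.76.199.154:8888/update.bin",
    "2026-04-22T10:03:00Z 10.50.0.7 allow http://38.76.199.154:8888/payload.elf",
    "2026-04-22T10:04:30Z 10.20.3.43 allow http://example.com:8888/payload.exe",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def refang(url):
    """Undo URLhaus defanging (hxxp, [.], [:]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def build_indicators(urls):
    """Return (set of 'host:port', set of full URLs) from defanged indicators."""
    full = {refang(u) for u in urls}
    hosts = {f"{urlsplit(u).hostname}:{urlsplit(u).port or 80}" for u in full}
    return hosts, full

def hunt(log_lines, indicators, exclusions=MONITORING_SOURCE_NETS):
    """Return (src_ip, url, match_kind) for each hit; excluded sources are skipped."""
    hosts, full = indicators
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, src, _, url = m.groups()
        if any(ipaddress.ip_address(src) in net for net in exclusions):
            continue  # allowlisted internal monitoring source (false-positive scenario)
        p = urlsplit(url)
        hostport = f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}"
        if url in full:
            hits.append((src, url, "exact_url"))
        elif hostport in hosts:
            hits.append((src, url, "host_port"))  # same host:port, path not yet listed
    return hits
```

A "host_port" hit is the more interesting one: it shows the indicator's host serving a path URLhaus has not listed yet, which the exact-URL match alone would miss.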