The hypothesis is that the adversary is using malicious URLs hosted on the IP 45.156.87.194 (URLhaus threat 45-156-87-194) to deliver payloads or exfiltrate data. All eleven URLs on this host follow one naming scheme, dlr.<arch> (x86, arm, arm5, arm6, arm7, mips, mpsl, ppc, spc, sh4, m68k), which is the layout of a loader that stages the same dropper binary for every CPU it targets, so a hit on this IP is most likely a download of a Linux/IoT bot rather than exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: 45-156-87-194
Total URLs: 11
Active URLs: 11

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.156.87.194/dlr.ppc | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.spc | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.x86 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.m68k | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.mips | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.sh4 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.arm5 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.arm | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.arm6 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.arm7 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/dlr.mpsl | online | malware_download | 2026-04-19 |

URLs are defanged (hxxp://) as published by URLhaus; refang them before pasting into a query.
```kusto
// Hunt for DNS activity involving the URLhaus IOC host
// Threat: 45-156-87-194
// The IOC is an IP address, not a domain: it shows up in the resolved answer
// (IPAddresses), not in the queried Name, unless the lookup is a reverse (PTR)
// query. `has` matches whole terms, so "45.156.87.194" will not match
// "145.156.87.194" the way `contains` would.
let malicious_ips = dynamic(["45.156.87.194"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
    or Name =~ "194.87.156.45.in-addr.arpa"
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to the URLhaus IOC host
// Threat: 45-156-87-194
// Match the destination IP exactly, and also the URL and host-name fields for
// proxies that log the IP-literal URL rather than a destination address.
let malicious_ips = dynamic(["45.156.87.194"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
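The same matching logic, run offline over constructed log records, as an added example that is not part of the original hunt page. It refangs the published IOCs, matches the IOC host by exact IP (so a near-miss address such as 145.156.87.194 is not flagged the way a substring search would flag it), handles the DNS case where the IP appears in the answer or as a reverse-lookup name, and, as an assumed generalisation drawn from the URL table, also flags the dlr.<arch> dropper path on any host. The record dictionaries mimic CommonSecurityLog and DnsEvents column names; the sample records and their values are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The 11 URLhaus entries from the IOC table, kept defanged as published.
URLHAUS_IOCS = [
    "hxxp://45.156.87.194/dlr.ppc", "hxxp://45.156.87.194/dlr.spc",
    "hxxp://45.156.87.194/dlr.x86", "hxxp://45.156.87.194/dlr.m68k",
    "hxxp://45.156.87.194/dlr.mips", "hxxp://45.156.87.194/dlr.sh4",
    "hxxp://45.156.87.194/dlr.arm5", "hxxp://45.156.87.194/dlr.arm",
    "hxxp://45.156.87.194/dlr.arm6", "hxxp://45.156.87.194/dlr.arm7",
    "hxxp://45.156.87.194/dlr.mpsl",
]

# Assumed generalisation: every IOC path is dlr.<arch>; flag that layout on any host.
DROPPER_PATH = re.compile(r"/dlr\.(x86|arm[567]?|mips|mpsl|ppc|spc|sh4|m68k)$")


def refang(url: str) -> str:
    """Undo URLhaus defanging so an IOC compares equal to a real log value."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def _as_ip(value):
    """Parse a string as an IP address; None for empty or non-IP input."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None


def ioc_hosts(iocs=URLHAUS_IOCS):
    """Set of IP-literal hosts in the IOC list (domains would need a separate list)."""
    return {ip for ip in (_as_ip(urlsplit(refang(u)).hostname) for u in iocs) if ip}


def ioc_paths(iocs=URLHAUS_IOCS):
    return {urlsplit(refang(u)).path for u in iocs}


def hunt_csl(records, iocs=URLHAUS_IOCS):
    """Mirror of the CommonSecurityLog hunt: exact IP match on DestinationIP or the
    host of RequestURL, plus the dropper path pattern. Returns (record, reasons)."""
    hosts = ioc_hosts(iocs)
    hits = []
    for r in records:
        parts = urlsplit(r.get("RequestURL") or "")
        reasons = []
        if _as_ip(r.get("DestinationIP")) in hosts or _as_ip(parts.hostname) in hosts:
            reasons.append("ioc_ip")
        if DROPPER_PATH.search(parts.path):
            reasons.append("dropper_path")
        if reasons:
            hits.append((r, reasons))
    return hits


def hunt_dns(records, iocs=URLHAUS_IOCS):
    """Mirror of the DnsEvents hunt: the IP IOC is in the answer (IPAddresses) or
    the query is the matching PTR name (e.g. 194.87.156.45.in-addr.arpa)."""
    hosts = ioc_hosts(iocs)
    ptr_names = {h.reverse_pointer for h in hosts}
    hits = []
    for r in records:
        answers = {_as_ip(a) for a in re.split(r"[,;\s]+", r.get("IPAddresses") or "")}
        if answers & hosts or (r.get("Name") or "").lower().rstrip(".") in ptr_names:
            hits.append(r)
    return hits


# Constructed sample records (documentation-range addresses, not real telemetry).
SAMPLE_CSL = [
    {"TimeGenerated": "2026-04-19T03:12:44Z", "SourceIP": "10.20.5.17",
     "DestinationIP": "45.156.87.194", "RequestURL": "http://45.156.87.194/dlr.x86",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-19T03:13:01Z", "SourceIP": "10.20.5.18",
     "DestinationIP": "145.156.87.194", "RequestURL": "http://145.156.87.194/index.html",
     "DeviceAction": "allow"},  # near miss: must NOT be flagged
    {"TimeGenerated": "2026-04-19T03:15:09Z", "SourceIP": "10.20.7.3",
     "DestinationIP": "203.0.113.9", "RequestURL": "http://203.0.113.9/dlr.mips",
     "DeviceAction": "deny"},  # other host, same dropper layout
    {"TimeGenerated": "2026-04-19T03:16:30Z", "SourceIP": "10.20.7.4",
     "DestinationIP": "198.51.100.4", "RequestURL": "https://updates.example.com/patch.sh",
     "DeviceAction": "allow"},
]
SAMPLE_DNS = [
    {"Computer": "cam-lobby-01", "Name": "cdn.example.net", "IPAddresses": "45.156.87.194"},
    {"Computer": "srv-dns-01", "Name": "194.87.156.45.in-addr.arpa", "IPAddresses": ""},
    {"Computer": "ws-042", "Name": "www.example.org", "IPAddresses": "198.51.100.7"},
]

if __name__ == "__main__":
    for rec, why in hunt_csl(SAMPLE_CSL):
        print(rec["SourceIP"], "->", rec["RequestURL"], why)
    for rec in hunt_dns(SAMPLE_DNS):
        print(rec["Computer"], rec["Name"], rec["IPAddresses"])
```

The "dropper_path" reason is the lower-confidence signal of the two: it comes from the file-naming convention in the table, not from URLhaus, so treat it as a pivot for hunting rather than a blocking indicator.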
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure a CEF/Syslog data connector (for example CEF via AMA) is enabled for the proxy or firewall; the hunt needs DestinationIP and, where the device logs it, RequestURL. |
| DnsEvents | Ensure the DNS data connector is enabled. DnsEvents is populated by the legacy DNS Analytics (Log Analytics agent) connector; if DNS is collected through the newer "Windows DNS Events via AMA" connector, the data lands in ASimDnsActivityLogs instead and the DNS query above must be pointed at that table. |
Scenario: Legitimate scheduled job using curl to fetch internal reports
Description: A cron job runs nightly to fetch internal security reports from a server with IP 45.156.87.194 using curl.
Filter/Exclusion: Exclude only that job: match on the specific source host, process.name = curl and the exact destination (destination.ip = 45.156.87.194 and the known report path). Do not exclude traffic by internal source range, since every host the hunt cares about is internal. URLhaus lists this IP as an active malware_download host, so confirm the server is really yours before adding the exclusion.
Scenario: Admin task using wget to download a trusted update file
Description: An administrator manually downloads a trusted update file from a known internal or external server with IP 45.156.87.194.
Filter/Exclusion: Filter by file.name = update_file.sh and process.name = wget, ideally together with the file hash and the admin's source host. Do not exclude on the account alone (e.g., user.name = admin): an attacker who has obtained admin credentials would fall inside that exclusion, and wget of a remote binary from an admin session is exactly the activity the hunt should surface.
Scenario: Automated backup tool syncing with a remote server
Description: A backup tool like rsync or Bacula connects to a remote backup server with IP 45.156.87.194 to transfer data.
Filter/Exclusion: Exclude traffic associated with the backup tool (e.g., process.name = rsync) only when destination.ip is in backup_servers and the destination port is the backup service port; HTTP GETs of dlr.* files are never part of a backup job.
Scenario: Internal DNS resolution using a public DNS server
Description: A DNS query from an internal host is answered with the IP 45.156.87.194 (the IP appears in IPAddresses), or the host has 45.156.87.194 configured as its resolver.
Filter/Exclusion: Well-known public resolvers such as Cloudflare (1.1.1.1) and Google (8.8.8.8) are not this address, so this exclusion applies only if your resolver configuration genuinely points at 45.156.87.194. In that case exclude by destination.port = 53 and destination.ip = 45.156.87.194 for the hosts configured to use it. Do not exclude DNS client processes (e.g., process.name = nslookup or process.name = dig) or all port 53 traffic wholesale, which would blind the DnsEvents hunt; a query that resolves some other domain to this IP is still a finding.
Scenario: Testing environment using a mock malicious URL for security testing
Description: