The hypothesis is that the malicious URLs hosted on 45.198.224.8 (threat label 45-198-224-8) are used by adversaries to stage and deliver payloads to compromised internal systems. The five files listed below are architecture-specific binaries (arm7, x64, mips, mpsl) plus a bins.sh stager, the naming pattern typical of a multi-architecture Linux/IoT botnet dropper, so the hunt should cover embedded devices, network appliances and Linux servers as well as workstations. SOC teams should proactively hunt for connections to this address in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage infections before the follow-on payload runs.
IOC Summary
Threat: 45-198-224-8
Total URLs: 5
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.198.224.8/blue.arm7 | offline | malware_download | 2026-05-31 |
| hxxp://45.198.224.8/blue.x64 | online | malware_download | 2026-05-31 |
| hxxp://45.198.224.8/blue.mips | online | malware_download | 2026-05-31 |
| hxxp://45.198.224.8/blue.mpsl | online | malware_download | 2026-05-31 |
| hxxp://45.198.224.8/bins.sh | online | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus IP
// Threat: 45-198-224-8
// The IOC is an address, so it appears in the resolved answers (IPAddresses),
// never in the queried Name; matching Name against an IP returns nothing.
let malicious_ips = dynamic(["45.198.224.8"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web or firewall traffic to the URLhaus IP
// Threat: 45-198-224-8
// Check DestinationIP as well as the URL fields: proxies and firewalls that log
// the connection without a full URL still record the destination address.
let malicious_ips = dynamic(["45.198.224.8"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator uses PowerShell to download a legitimate software update from a trusted source, and a misconfigured proxy or URL-filtering tool rewrites or annotates the logged URL so that it contains the IOC string.
Filter/Exclusion: Exclude by the logged destination host of known update servers (e.g., *.microsoft.com, *.download.microsoft.com, *.canonical.com) or use a custom URL category to allowlist trusted domains. Keep the exclusion narrow: a row whose DestinationIP or URL host is 45.198.224.8 itself is a real connection to the IOC, not a false positive, and must never be suppressed by a wildcard.
Scenario: A scheduled backup job running rsync or Veeam writes temporary file names or URLs into its log output that happen to contain the IOC string.
Filter/Exclusion: Exclude logs from backup processes with a process name filter for rsync, veeam or backupexec, combined with the destination check above so that a backup host that really reaches the IOC is still reported.
Scenario: A SIEM correlation rule, threat-intel feed ingestion or log analysis tool (e.g., Splunk, ELK Stack) processes the IOC itself, so the IP string lands in the message body of its own logs or in lookups to a threat-intel portal.
Filter/Exclusion: Match only the URL, host and destination columns rather than free-text fields such as message or content, and exclude the hosts and service accounts that run those tools.
Scenario: A DevOps pipeline (e.g., Jenkins, GitLab CI) executes a script that references a URL for a test environment or artifact repository, and the logged command line coincidentally contains the IOC string.
Filter/Exclusion: Exclude URLs whose host is a known CI/CD environment (e.g., *.gitlab.com, *.github.com, *.jenkins.io) or use a process name filter for jenkins, gitlab-runner or ci, again without suppressing rows whose destination is the IOC address.
Scenario: An endpoint detection and response (EDR) tool (e.g., CrowdStrike, SentinelOne) is generating alerts for legitimate network activity, such as
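The two hunt queries and the exclusion logic from the false-positive list, replayed over constructed log records as an added example (this is example code written for this page, not URLhaus or Microsoft tooling). The record layouts are a subset of CommonSecurityLog and DnsEvents columns, and the process names, hostnames and every log record below are assumptions constructed for the example; only the IOC values come from the IOC summary. It generalizes the page's queries in two ways: it matches the IP as a whole term (the Kusto `has` semantics) so that 145.198.224.8 and 45.198.224.80 do not fire, and it tells a direct connection to the IOC host apart from the IOC string merely appearing inside a URL to some other host, which is where the threat-intel lookup exclusion belongs.

```python
"""Added example: the Sentinel hunts above, replayed over constructed records.

Example code written for this page, not URLhaus or Microsoft tooling. Record
layouts (a subset of CommonSecurityLog / DnsEvents columns), the process names in
TI_LOOKUP_PROCESSES and every record below are constructed assumptions; the IOC
values are the ones listed in the IOC summary.
"""
import re
from urllib.parse import urlsplit

IOC_IP = "45.198.224.8"
# Paths of the five URLhaus entries for this IP.
IOC_PATHS = {"/blue.arm7", "/blue.x64", "/blue.mips", "/blue.mpsl", "/bins.sh"}

# Term-anchored match, the equivalent of Kusto `has`: the IOC must not sit inside a
# longer dotted-number string. A substring search (Kusto `contains`) would also
# flag 145.198.224.8 and 45.198.224.80.
IOC_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")

# Assumed process names whose traffic legitimately carries IOC strings in URLs
# (threat-intel feed lookups): the SIEM/log-tool exclusion, expressed as a process
# allowlist rather than a URL wildcard.
TI_LOOKUP_PROCESSES = {"ti-feed-sync", "misp-worker"}

PROXY_EVENTS = [  # constructed CommonSecurityLog-style records
    {"TimeGenerated": "2026-05-31T10:01:00Z", "SourceIP": "10.0.4.21", "DestinationIP": "45.198.224.8",
     "RequestURL": "http://45.198.224.8/bins.sh", "DeviceAction": "allow", "SourceProcessName": "wget"},
    {"TimeGenerated": "2026-05-31T10:01:05Z", "SourceIP": "10.0.4.22", "DestinationIP": "145.198.224.8",
     "RequestURL": "http://145.198.224.8/index.html", "DeviceAction": "allow", "SourceProcessName": "chrome"},
    {"TimeGenerated": "2026-05-31T10:01:30Z", "SourceIP": "10.0.9.5", "DestinationIP": "203.0.113.10",
     "RequestURL": "https://ti.example.org/lookup?ip=45.198.224.8", "DeviceAction": "allow",
     "SourceProcessName": "ti-feed-sync"},
    {"TimeGenerated": "2026-05-31T10:02:00Z", "SourceIP": "10.0.4.21", "DestinationIP": "45.198.224.8",
     "RequestURL": "http://45.198.224.8/blue.arm7", "DeviceAction": "deny", "SourceProcessName": "wget"},
    {"TimeGenerated": "2026-05-31T10:03:00Z", "SourceIP": "10.0.4.30", "DestinationIP": "198.51.100.7",
     "RequestURL": "https://search.example.com/?q=45.198.224.8", "DeviceAction": "allow",
     "SourceProcessName": "chrome"},
    {"TimeGenerated": "2026-05-31T10:04:00Z", "SourceIP": "10.0.4.22", "DestinationIP": "45.198.224.80",
     "RequestURL": "http://45.198.224.80/", "DeviceAction": "allow", "SourceProcessName": "chrome"},
]

DNS_EVENTS = [  # constructed DnsEvents-style records; IPAddresses is the answer list
    {"TimeGenerated": "2026-05-31T09:59:00Z", "Computer": "cam-lobby-01",
     "Name": "cdn.example.net", "IPAddresses": "45.198.224.8"},
    {"TimeGenerated": "2026-05-31T10:00:00Z", "Computer": "ws-42",
     "Name": "www.example.com", "IPAddresses": "145.198.224.8, 93.184.216.34"},
]


def classify_proxy_event(ev):
    """Return (severity, reason) for a CommonSecurityLog-style record, or None."""
    parts = urlsplit(ev.get("RequestURL", ""))
    # Match DestinationIP as well as the URL host: a device that logs the
    # connection without a full URL still records the destination address.
    if ev.get("DestinationIP") == IOC_IP or parts.hostname == IOC_IP:
        if parts.path in IOC_PATHS:
            return "high", f"fetch of known dropper artifact {parts.path}"
        return "high", "connection to IOC host"
    if IOC_IP_RE.search(ev.get("RequestURL", "")):
        # The IOC only appears inside a URL to some other host (query string,
        # lookup page). Drop it for known TI tooling; otherwise keep it as low.
        if ev.get("SourceProcessName") in TI_LOOKUP_PROCESSES:
            return None
        return "low", "IOC string inside URL to a different host"
    return None


def hunt_proxy(events):
    """Equivalent of the CommonSecurityLog hunt: one tuple per matching record."""
    hits = []
    for ev in events:
        result = classify_proxy_event(ev)
        if result:
            hits.append((ev["TimeGenerated"], ev["SourceIP"], ev["DeviceAction"], *result))
    return hits


def stager_sources(events):
    """Sources that pulled bins.sh and an architecture binary from the IOC host,
    the multi-architecture dropper sequence the file names suggest."""
    paths_by_src = {}
    for ev in events:
        parts = urlsplit(ev.get("RequestURL", ""))
        if ev.get("DestinationIP") == IOC_IP or parts.hostname == IOC_IP:
            paths_by_src.setdefault(ev["SourceIP"], set()).add(parts.path)
    return {src for src, paths in paths_by_src.items()
            if "/bins.sh" in paths and any(p.startswith("/blue.") for p in paths)}


def hunt_dns(events):
    """Equivalent of the DnsEvents hunt: match the resolved answers, not Name,
    because a raw IP never appears as the queried name."""
    hits = []
    for ev in events:
        answers = {a.strip() for a in ev.get("IPAddresses", "").split(",")}
        if IOC_IP in answers:
            hits.append((ev["Computer"], ev["Name"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_proxy(PROXY_EVENTS):
        print(*hit)
    print("stager sources:", stager_sources(PROXY_EVENTS))
    print("dns hits:", hunt_dns(DNS_EVENTS))
```

Run against the constructed records, the two wget requests from 10.0.4.21 come back as high, the search query from 10.0.4.30 as low, the ti-feed-sync lookup is dropped by the process allowlist, and the 145.198.224.8 and 45.198.224.80 rows never match; 10.0.4.21 is also flagged as having run the bins.sh-then-binary sequence. The DNS hit is the camera host whose lookup resolved to the IOC address, which is the kind of embedded device the file names point at.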