The hypothesis is that the detected URLs belong to the URLhaus indicator 45-61-150-97 (IP address 45.61.150.97), which URLhaus links to malicious activity, and that traffic to it marks an early-stage compromise: a payload download that can open a command and control or data exfiltration channel. SOC teams should proactively hunt for this traffic in Azure Sentinel so that hosts contacting this known-malicious address are identified and contained early.
IOC Summary
Threat: 45-61-150-97
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.61.150.97/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
| hxxp://45.61.150.97/bin/support.client.exe | online | malware_download | 2026-06-01 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 45-61-150-97
// The indicator is an IP address, so it shows up in the resolved answer (IPAddresses)
// rather than in the queried name; matching only Name would miss it.
let malicious_domains = dynamic(["45.61.150.97"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 45-61-150-97
// Match the URL, the destination host name and the destination IP, since proxy/firewall
// sources do not all populate the same fields.
let malicious_domains = dynamic(["45.61.150.97"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
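The two hunts above run inside Sentinel, but the matching logic is worth seeing on data you can inspect line by line. The Python below is an added example (not part of this playbook or of URLhaus): it refangs the IOC URLs from the summary table, extracts the indicator host, and runs the same two hunts over constructed proxy and DNS records whose field names follow Sentinel's CommonSecurityLog and DnsEvents columns. It matches on the exact host rather than by substring, so a near-miss such as 145.61.150.97 does not light up, and it looks for the IP in the DNS answer (IPAddresses) rather than only in the queried name. All rows are constructed; none is real telemetry.

```python
import re
from urllib.parse import urlsplit

# Indicator URLs copied from the IOC summary on this page (URLhaus threat 45-61-150-97).
URLHAUS_URLS = [
    "hxxp://45.61.150.97/Bin/ScreenConnect.ClientSetup.exe",
    "hxxp://45.61.150.97/bin/support.client.exe",
]


def refang(url: str) -> str:
    """Undo URLhaus-style defanging so the URL can be parsed: hxxp -> http, [.] -> ."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def indicator_hosts(urls) -> set:
    """Hosts (IP addresses or domain names) that the indicator URLs point at, lower-cased."""
    hosts = set()
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_of(value):
    """Host part of a URL or of a bare 'host[:port]' field; None when the field is empty."""
    if not value:
        return None
    if "://" in value:
        return (urlsplit(refang(value)).hostname or "").lower() or None
    return value.split("/", 1)[0].split(":", 1)[0].lower() or None


def hunt_proxy(rows, hosts):
    """Same intent as the CommonSecurityLog query: match RequestURL or DestinationHostName,
    but on the exact host, so 145.61.150.97 is not a hit for the 45.61.150.97 indicator."""
    hits = [r for r in rows
            if host_of(r.get("RequestURL")) in hosts
            or host_of(r.get("DestinationHostName")) in hosts]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


def hunt_dns(rows, hosts):
    """Same intent as the DnsEvents query. An IP indicator is found in the resolved
    answers (IPAddresses, comma-separated); a domain indicator is found in the queried Name."""
    hits = []
    for r in rows:
        answers = {a.strip().lower() for a in (r.get("IPAddresses") or "").split(",") if a.strip()}
        if (r.get("Name") or "").lower() in hosts or answers & hosts:
            hits.append(r)
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


def naive_substring_hits(rows, hosts):
    """What a plain substring match would return; included only to make the near-miss visible."""
    return [r for r in rows
            if any(h in (r.get("RequestURL") or "") or h in (r.get("DestinationHostName") or "")
                   for h in hosts)]


# Constructed CommonSecurityLog-like rows (ISO-8601 timestamps sort correctly as strings).
PROXY_ROWS = [
    {"TimeGenerated": "2026-06-01T08:12:03Z", "SourceIP": "10.1.2.3",
     "RequestURL": "http://45.61.150.97/bin/support.client.exe",
     "DestinationHostName": "45.61.150.97", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-01T09:40:11Z", "SourceIP": "10.1.2.9",      # near-miss: different host
     "RequestURL": "http://145.61.150.97/index.html",
     "DestinationHostName": "145.61.150.97", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-01T10:05:44Z", "SourceIP": "10.1.2.3",
     "RequestURL": "https://update.example.com/patch.msi",
     "DestinationHostName": "update.example.com", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-01T11:00:00Z", "SourceIP": "10.1.2.5",      # URL field empty, host:port only
     "RequestURL": "", "DestinationHostName": "45.61.150.97:8080", "DeviceAction": "deny"},
]

# Constructed DnsEvents-like rows: the first resolves a benign-looking name to the indicator IP.
DNS_ROWS = [
    {"TimeGenerated": "2026-06-01T08:11:58Z", "Computer": "WS01",
     "Name": "support.example.net", "IPAddresses": "45.61.150.97"},
    {"TimeGenerated": "2026-06-01T08:30:00Z", "Computer": "WS02",
     "Name": "www.example.org", "IPAddresses": "203.0.113.10,203.0.113.11"},
]

if __name__ == "__main__":
    hosts = indicator_hosts(URLHAUS_URLS)
    print("proxy hits:", [(r["TimeGenerated"], r["SourceIP"]) for r in hunt_proxy(PROXY_ROWS, hosts)])
    print("dns hits:  ", [(r["TimeGenerated"], r["Computer"]) for r in hunt_dns(DNS_ROWS, hosts)])
    print("naive substring hits:", len(naive_substring_hits(PROXY_ROWS, hosts)))
```

The exact-host comparison is the point: the substring version returns three rows for this sample, the host-based version two, and the extra row is a different address. In KQL, `has_any` is term-based and so avoids the same trap; `contains` would not.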
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus IP
Description: A system update or patch is being downloaded from a server with the IP 45.61.150.97, which is known to host legitimate software repositories.
Filter/Exclusion: `process.parent_process_name == "Windows Update" || process.parent_process_name == "msiexec.exe" || file.name == "update.exe"`
Scenario: Scheduled backup job using internal URLhaus IP
Description: A scheduled backup job is using a backup tool (e.g., Veeam, Acronis) that connects to an internal server with the IP 45.61.150.97 to transfer data.
Filter/Exclusion: `process.name == "veeam.exe" || process.name == "acronis.exe" || file.path contains "backup"`
Scenario: Admin task using PowerShell to access internal URLhaus IP
Description: An administrator is using PowerShell to access a server with the IP 45.61.150.97 to perform a maintenance task (e.g., log collection or a configuration update).
Filter/Exclusion: `process.name == "powershell.exe" && process.parent_process_name == "cmd.exe" && user.name == "admin"`
Scenario: Internal monitoring tool querying URLhaus IP
Description: A monitoring tool (e.g., Nagios, Zabbix) is querying a server with the IP 45.61.150.97 to check system metrics or logs.
Filter/Exclusion: `process.name == "nagios.exe" || process.name == "zabbix_agentd.exe" || process.name == "check_mk"`
Scenario: Legitimate software distribution via internal URLhaus IP
Description: A
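The exclusion filters above are written in a compact `field == "value"` / `field contains "value"` notation joined with `&&` and `||`. To apply them consistently, and to keep a record of which scenario suppressed which hit, the Python below (an added example, not part of this page) parses that notation with a small recursive-descent parser and runs the four documented scenarios as an allowlist over constructed hunt hits. The dotted field names are the ones the filters use; the hits are constructed, and a field missing from a hit never satisfies a comparison, so an exclusion cannot fire on data the hit does not carry.

```python
import re

# The four scenarios and their filters, copied from this page. The notation is the page's
# own; the parser and evaluator below are written for this example.
SCENARIOS = {
    "Legitimate system update": 'process.parent_process_name == "Windows Update" || process.parent_process_name == "msiexec.exe" || file.name == "update.exe"',
    "Scheduled backup job": 'process.name == "veeam.exe" || process.name == "acronis.exe" || file.path contains "backup"',
    "Admin PowerShell task": 'process.name == "powershell.exe" && process.parent_process_name == "cmd.exe" && user.name == "admin"',
    "Internal monitoring tool": 'process.name == "nagios.exe" || process.name == "zabbix_agentd.exe" || process.name == "check_mk"',
}

TOKEN_RE = re.compile(r'\s*(?:(\|\||&&|==)|"([^"]*)"|([A-Za-z_][A-Za-z0-9_.]*))')


def tokenize(text):
    """Split a filter into ('op'|'str'|'ident', value) tokens; raise ValueError on anything else."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {text[pos:pos + 20]!r}")
        pos = m.end()
        kind, value = (("op", m.group(1)) if m.group(1) else
                       ("str", m.group(2)) if m.group(2) is not None else ("ident", m.group(3)))
        tokens.append((kind, value))
    return tokens


def parse_filter(text):
    """Parse a filter into ('or'|'and', left, right) and ('cmp', field, op, literal) nodes;
    '&&' binds tighter than '||', as in C-style expression languages."""
    toks, pos = tokenize(text), [0]

    def take():
        if pos[0] >= len(toks):
            raise ValueError("unexpected end of filter")
        pos[0] += 1
        return toks[pos[0] - 1]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)

    def comparison():
        kind, field = take()
        op_kind, op = take()
        lit_kind, literal = take()
        if kind != "ident" or (op_kind, op) not in {("op", "=="), ("ident", "contains")} or lit_kind != "str":
            raise ValueError(f'expected field OP "literal", got {field!r} {op!r} {literal!r}')
        return ("cmp", field, op, literal)

    def conjunction():
        left = comparison()
        while peek() == ("op", "&&"):
            take()
            left = ("and", left, comparison())
        return left

    def disjunction():
        left = conjunction()
        while peek() == ("op", "||"):
            take()
            left = ("or", left, conjunction())
        return left

    node = disjunction()
    if pos[0] != len(toks):
        raise ValueError("unexpected trailing tokens")
    return node


def evaluate(node, event):
    """Evaluate an AST over a flat event dict keyed by the dotted field names."""
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    _, field, op, literal = node
    actual = event.get(field)
    if actual is None:            # absent field: the exclusion does not apply
        return False
    actual, literal = str(actual).lower(), literal.lower()   # Windows names are case-insensitive
    return actual == literal if op == "==" else literal in actual


def apply_exclusions(hits, scenarios):
    """Split hits into (kept, suppressed); each suppressed entry carries the first matching scenario."""
    compiled = {name: parse_filter(expr) for name, expr in scenarios.items()}
    kept, suppressed = [], []
    for hit in hits:
        reason = next((name for name, ast in compiled.items() if evaluate(ast, hit)), None)
        if reason:
            suppressed.append((hit, reason))
        else:
            kept.append(hit)
    return kept, suppressed


# Constructed hunt hits (not real telemetry); keys are the dotted field names the filters use.
HITS = [
    {"id": 1, "process.name": "powershell.exe", "process.parent_process_name": "cmd.exe", "user.name": "admin"},
    {"id": 2, "process.name": "powershell.exe", "process.parent_process_name": "winword.exe", "user.name": "jdoe"},
    {"id": 3, "process.name": "veeam.exe", "process.parent_process_name": "services.exe", "user.name": "SYSTEM"},
    {"id": 4, "process.name": "ScreenConnect.ClientSetup.exe", "process.parent_process_name": "msiexec.exe",
     "user.name": "jdoe", "file.name": "ScreenConnect.ClientSetup.exe"},
    {"id": 5, "process.name": "curl.exe", "process.parent_process_name": "cmd.exe", "user.name": "jdoe"},
]

if __name__ == "__main__":
    kept, suppressed = apply_exclusions(HITS, SCENARIOS)
    print("kept:", [h["id"] for h in kept])
    print("suppressed:", [(h["id"], why) for h, why in suppressed])
```

Returning the scenario name with each suppressed hit keeps the tuning auditable. It also exposes how broad a parent-process-only exclusion is: constructed hit 4, an installer named like the indicator's payload launched under msiexec.exe, is suppressed by the first scenario. In practice such exclusions should also pin the destination to the repository the scenario has in mind, or the signer of the binary, rather than the parent process alone.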