The detection identifies potential command and control communication by adversaries using malicious URLs linked to the 54e64e tag in URLhaus. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware activity and prevent lateral movement within the network.
IOC Summary
Threat: 54e64e
Total URLs: 3
Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_73fea0a7b4e57bf6.exe | online | malware_download | 2026-06-13 |
| hxxp://91.92.242.236/files-129312398/files/file_cfca4668fb703b9d.exe | offline | malware_download | 2026-06-13 |
| hxxp://91.92.242.236/files-129312398/files/file_ed27e62be8d4fe3d.exe | offline | malware_download | 2026-06-13 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 54e64e
// The indicator for this tag is a bare IP address, so it shows up in the
// resolved answer (IPAddresses) rather than in the queried name; check both.
let malicious_ips = dynamic(["91.92.242.236"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 54e64e
// Match the IP in the request URL, the destination host name and the
// destination IP: a direct connection to an IP logs no host name at all.
let malicious_ips = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by visiting a known benign URL that matches the pattern of the malicious URLs in the rule.
Filter/Exclusion: Add a filter to exclude URLs that match the internal testing domain (e.g., http://test.filtertool.example.com/*).

Scenario: A scheduled job runs a script that downloads a software update from a legitimate internal repository, which happens to use a URL format similar to the malicious URLs in the rule.
Filter/Exclusion: Exclude URLs that contain the internal repository domain (e.g., http://internal-repo.example.com/*).

Scenario: An IT admin is performing a system cleanup and uses a tool like PowerShell or Python to delete temporary files, which includes a URL string in the script that matches the malicious pattern.
Filter/Exclusion: Exclude URLs that contain the string temp_cleanup or match the command-line tool usage patterns (e.g., http://*temp_cleanup*).

Scenario: A user is accessing a legitimate internal portal for incident response, which uses a URL that coincidentally matches the malicious URL pattern in the rule.
Filter/Exclusion: Exclude URLs that contain the internal portal domain (e.g., http://ir-portal.example.com/*).

Scenario: A security tool like OSSEC or Splunk is configured to send alerts via email, and the email content includes a URL that matches the malicious pattern due to formatting or logging.
Filter/Exclusion: Exclude URLs that contain the string alert_email or match the email notification format (e.g., http://*alert_email*).
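The two hunting queries above and the exclusion scenarios just listed are easier to operate as one query: a single KQL hunt that matches the 54e64e indicator in both DNS and firewall/proxy telemetry, applies the exclusions from the false-positive scenarios, and enriches hits with the exact URLhaus URL and its online/offline status from the IOC table. This is an added example, not a query from the original page or from URLhaus. It assumes the standard Sentinel `DnsEvents` and `CommonSecurityLog` schemas; the excluded host names and path tokens are the placeholder values used in the scenarios above and must be tuned to the real environment.

```kusto
// Added example: consolidated hunt for URLhaus tag 54e64e with exclusions.
// IP indicator from the IOC table (all three URLs share one host).
let malicious_ips = dynamic(["91.92.242.236"]);
// URL indicators from the IOC table, refanged (hxxp -> http), with URLhaus status.
let malicious_urls = datatable(Url:string, UrlhausStatus:string) [
    "http://91.92.242.236/files-129312398/files/file_73fea0a7b4e57bf6.exe", "online",
    "http://91.92.242.236/files-129312398/files/file_cfca4668fb703b9d.exe", "offline",
    "http://91.92.242.236/files-129312398/files/file_ed27e62be8d4fe3d.exe", "offline"
];
// Exclusions from the false-positive scenarios (placeholder values; tune per environment).
let excluded_hosts = dynamic(["test.filtertool.example.com", "internal-repo.example.com", "ir-portal.example.com"]);
let excluded_path_tokens = dynamic(["temp_cleanup", "alert_email"]);
// DNS: a bare IP indicator appears in the resolved answer, not in the queried name.
let dns_hits = DnsEvents
    | where IPAddresses has_any (malicious_ips)
    | where not(Name has_any (excluded_hosts))
    | extend Source = "DnsEvents", Indicator = IPAddresses
    | project TimeGenerated, Source, Host = Computer, Indicator, Detail = Name;
// Firewall/proxy: match the destination IP (direct connections log no host name),
// drop the excluded internal hosts and path tokens, then attach the URLhaus
// status when the full request URL is logged and equals a known indicator.
let web_hits = CommonSecurityLog
    | where DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips)
    | where not(DestinationHostName has_any (excluded_hosts))
        and not(RequestURL has_any (excluded_hosts))
        and not(RequestURL has_any (excluded_path_tokens))
    | extend Source = "CommonSecurityLog", Indicator = DestinationIP
    | join kind=leftouter malicious_urls on $left.RequestURL == $right.Url
    | project TimeGenerated, Source, Host = SourceIP, Indicator, Detail = RequestURL, UrlhausStatus, DeviceAction;
// One result set for triage; a host that appears in both sources is the strongest signal.
dns_hits
| union web_hits
| order by TimeGenerated desc
```

Matching on `DestinationIP` rather than only on `RequestURL` is the important change: the shared host is the durable indicator here, while the file names in the paths rotate and two of the three URLs are already offline. The `UrlhausStatus` column lets an analyst see at a glance whether a hit corresponds to a URL that was still serving payloads at the time URLhaus last checked it.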