This detection covers the URLhaus entries tagged 54e64e: three URLs, all classified as malware_download and all hosted on the same IP address (91.92.242.236) under the same directory, which is consistent with a single payload-staging host used in a targeted campaign or broader malware distribution. Any DNS or web-proxy activity from managed hosts toward this address is worth hunting for in Azure Sentinel (Microsoft Sentinel), because a hit usually marks the payload-download stage of an intrusion, when containment is still cheap.
IOC Summary
Threat tag: 54e64e. Threat type: malware_download. Total URLs: 3. Active (online) URLs: 2. All entries added 2026-05-22.
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_66b7f7ac55ab3943.exe | online | malware_download | 2026-05-22 |
| hxxp://91.92.242.236/files-129312398/files/file_06ad553c86ec86c7.exe | online | malware_download | 2026-05-22 |
| hxxp://91.92.242.236/files-129312398/files/file_61fdc9c6c9548f20.exe | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS activity involving the URLhaus indicator for tag 54e64e.
// The indicator is a bare IP address, not a domain, so it will not appear as a
// forward query name; match it in the resolved answers as well as in the name
// (the name match covers reverse lookups and any hostnames added to the list later).
let malicious_ips = dynamic(["91.92.242.236"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for proxy/firewall traffic to the URLhaus indicator for tag 54e64e.
// Run this as a separate query from the DNS hunt above (each declares its own let).
// Match the destination IP directly; the URL and hostname matches catch devices
// that log only the request line. Blocked requests still matter: a host that
// tried to fetch the payload is likely already compromised.
let malicious_ips = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector for the proxy or firewall is enabled; the web-traffic hunt reads RequestURL, DestinationHostName and DeviceAction from it |
| DnsEvents | Ensure the DNS data connector is enabled; the DNS hunt reads Name (queried name) and IPAddresses (resolved answers) from it |
Scenario: A system administrator is manually validating a new URL filtering tool by requesting a URL from the URLhaus dataset.
Filter/Exclusion: Exclude hits on urlhaus_id "54e64e" only when the source is a known admin tool (e.g., urlfilter-cli, urlhaus-test-suite). Key the exclusion on the tool or source host, never on the indicator itself, so the same URL requested from any other source still surfaces.
Scenario: A scheduled job runs a script that downloads a software update from a URL tagged 54e64e, which the job's owner believes is part of a trusted update repository.
Filter/Exclusion: Exclude only when the domain is on a maintained trusted list (e.g., *.example.com, *.software-update.org) and the request comes from a known job scheduler (e.g., cron, Task Scheduler, Airflow). Note that this tag's indicator is a bare IP address serving .exe files classified as malware_download, so a domain allowlist should not match it; if a scheduled job is fetching from it, investigate the job rather than tune the rule.
Scenario: A user is performing a security training exercise in which they are instructed to access a simulated malicious URL (tagged 54e64e) to test their response procedures.
Filter/Exclusion: Exclude hits on urlhaus_id "54e64e" only when the user or host belongs to the security training environment (e.g., training-user accounts, the simulated-attack subnet).
Scenario: A DevOps pipeline is configured to fetch a dependency from a URL tagged 54e64e that the pipeline's owner believes is part of a legitimate package repository.
Filter/Exclusion: Exclude only when the request is made by a CI/CD tool (e.g., Jenkins, GitHub Actions, GitLab CI) and the domain is a known package registry (e.g., npm, PyPI, Maven Central). 91.92.242.236 is none of these, so this exclusion should not suppress hits on this tag; a build runner downloading an .exe from a URLhaus-listed IP looks more like a supply-chain compromise than a false positive.
Scenario: A network monitoring tool is configured to periodically access a URL tagged as 54e64e to check for updates or configuration changes.
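As an added example that is not part of the original page, nor code from URLhaus or Microsoft Sentinel, the following Python script applies the same hunting logic as the two KQL queries above to a handful of constructed DNS and proxy records, and layers on the first false-positive exclusion (known admin URL-filter tools). It refangs the three URLhaus entries, derives full-URL, host and host-plus-directory indicators from them, matches a bare-IP indicator against DNS answers and the reverse (PTR) name rather than the forward query name, and matches proxy records on the parsed host rather than on the URL as a substring. The sample events, the User-Agent strings, the mapping of "known admin tool" to a User-Agent prefix, and the sibling filename file_constructedsample.exe are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three URLhaus entries for tag 54e64e, copied from the IOC table on this page
# (kept defanged, exactly as URLhaus publishes them).
URLHAUS_IOCS = [
    "hxxp://91.92.242.236/files-129312398/files/file_66b7f7ac55ab3943.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_06ad553c86ec86c7.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_61fdc9c6c9548f20.exe",
]

# Assumption: the page's "known admin tool" exclusion is keyed on the User-Agent prefix.
ADMIN_TOOL_AGENTS = ("urlfilter-cli", "urlhaus-test-suite")


def refang(url: str) -> str:
    """Undo URLhaus defanging (hxxp -> http, [.] -> .) so indicators compare equal to log values."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_indicators(iocs):
    """Derive full-URL, host and (host, directory) indicators from the raw URL list."""
    ind = {"urls": set(), "hosts": set(), "dirs": set()}
    for raw in iocs:
        url = refang(raw)
        parts = urlsplit(url)
        ind["urls"].add(url)
        ind["hosts"].add(parts.hostname)
        # Same host and same directory catches sibling payloads URLhaus has not listed yet.
        ind["dirs"].add((parts.hostname, parts.path.rsplit("/", 1)[0] + "/"))
    return ind


def match_dns(ev, ind):
    """DnsEvents-style record: 'name' is the queried name, 'ips' the resolved answers."""
    answers = {a.strip() for a in ev["ips"].split(",") if a.strip()}
    for host in ind["hosts"]:
        if is_ip(host):
            # A bare IP never appears as a forward query name: look in the answers,
            # and at the reverse (PTR) name a host may look up around a connection.
            if host in answers or ev["name"].lower() == ipaddress.ip_address(host).reverse_pointer:
                return ("medium", f"dns:{host}")
        elif ev["name"].lower() == host.lower():
            return ("medium", f"dns:{host}")
    return None


def match_proxy(ev, ind, admin_agents=ADMIN_TOOL_AGENTS):
    """CommonSecurityLog-style record: url, destination host, device action, user agent."""
    if ev["agent"].startswith(admin_agents):
        return None  # first false-positive scenario: admin URL-filter validation tool
    parts = urlsplit(ev["url"])
    host = parts.hostname or ev["host"]
    if ev["url"] in ind["urls"]:
        return ("high", f"exact-url:{ev['action']}")
    for d_host, d_dir in ind["dirs"]:
        if host == d_host and parts.path.startswith(d_dir):
            return ("high", f"same-host-dir:{ev['action']}")
    # Matching on the parsed host, not on the whole URL string, avoids firing on
    # unrelated URLs that merely contain the IP somewhere in their path.
    if host in ind["hosts"]:
        return ("medium", f"host-only:{ev['action']}")
    return None


def hunt(events, iocs=URLHAUS_IOCS):
    """Return one hit per matching event, with its index, severity and reason."""
    ind = build_indicators(iocs)
    hits = []
    for i, ev in enumerate(events):
        m = match_dns(ev, ind) if ev["type"] == "dns" else match_proxy(ev, ind)
        if m:
            hits.append({"index": i, "severity": m[0], "reason": m[1]})
    return hits


# Constructed sample telemetry (not real logs); the sibling filename is made up.
SAMPLE_EVENTS = [
    {"type": "dns", "computer": "WS01", "name": "updates.example.com", "ips": "203.0.113.10"},
    {"type": "dns", "computer": "WS02", "name": "236.242.92.91.in-addr.arpa", "ips": ""},
    {"type": "proxy", "src": "10.0.0.5", "host": "91.92.242.236", "action": "allow", "agent": "Mozilla/5.0",
     "url": "http://91.92.242.236/files-129312398/files/file_66b7f7ac55ab3943.exe"},
    {"type": "proxy", "src": "10.0.0.9", "host": "91.92.242.236", "action": "block", "agent": "curl/8.0",
     "url": "http://91.92.242.236/files-129312398/files/file_constructedsample.exe"},
    {"type": "proxy", "src": "10.0.0.7", "host": "91.92.242.236", "action": "allow", "agent": "urlfilter-cli/1.0",
     "url": "http://91.92.242.236/files-129312398/files/file_06ad553c86ec86c7.exe"},
    {"type": "proxy", "src": "10.0.0.8", "host": "www.example.com", "action": "allow", "agent": "Mozilla/5.0",
     "url": "http://www.example.com/notes/91.92.242.236.html"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it reports the PTR lookup, the exact payload URL and the blocked sibling download under the same directory, and stays silent on the admin-tool request and on the unrelated page whose path merely contains the IP. The blocked request is kept as a high-severity hit on purpose: the proxy stopped the download, but the host that asked for it still needs triage.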