The hypothesis is that the detected URLs are part of a malicious campaign leveraging the IP 95-164-6-120 to host or redirect to malicious content. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or phishing attempts associated with known malicious infrastructure.
IOC Summary
Threat: 95-164-6-120
Total URLs: 4
Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://95.164.6.120/x | offline | malware_download | 2026-05-31 |
| hxxp://95.164.6.120/p | offline | malware_download | 2026-05-31 |
| hxxp://95.164.6.120/bot_aarch64 | online | malware_download | 2026-05-31 |
| hxxp://95.164.6.120/bot | offline | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 95-164-6-120
// The indicator is a bare IP, so a match on the queried Name alone is unlikely;
// also check the resolved IPAddresses column so hosts resolving to the IP are caught.
let malicious_domains = dynamic(["95.164.6.120"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 95-164-6-120
let malicious_domains = dynamic(["95.164.6.120"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate software update from a known internal repository that uses the IP 95-164-6-120 for its CDN.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or traffic involving known internal update servers.
Scenario: A scheduled backup job using Veeam Backup & Replication is configured to transfer data over a secure connection to a remote server that uses the IP 95-164-6-120 for its backup endpoint.
Filter/Exclusion: Exclude traffic associated with backup processes, such as jobs running during off-peak hours or traffic to known backup server IPs.
Scenario: A DevOps pipeline using Jenkins or GitLab CI/CD is configured to pull code from a private repository hosted on a server that uses the IP 95-164-6-120 for its API endpoint.
Filter/Exclusion: Exclude traffic from known CI/CD tools, such as requests to endpoints containing /api/v1/ or from specific Jenkins/GitLab job names.
Scenario: A network monitoring tool like SolarWinds Network Performance Monitor (NPM) is configured to send alerts to a central server that uses the IP 95-164-6-120 for its alerting service.
Filter/Exclusion: Exclude traffic from known monitoring tools, such as traffic to endpoints containing /alert or from specific service accounts used by monitoring systems.
Scenario: A **
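The same hunt, applied outside Sentinel, as an added example that is not part of the original page: it refangs the defanged URLs from the IOC table into a host watchlist, scans constructed proxy-log lines in a hypothetical `<ts> <src_ip> <dst> <url> <action>` format, and applies the internal-range and known-source exclusions described in the scenarios above. The log format and the allowlisted source are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IOC rows copied from the table above, in URLhaus' defanged "hxxp://" form.
IOC_URLS = [
    "hxxp://95.164.6.120/x",
    "hxxp://95.164.6.120/p",
    "hxxp://95.164.6.120/bot_aarch64",
    "hxxp://95.164.6.120/bot",
]

# Internal ranges to exclude, as listed in the false-positive scenarios.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy-log lines (hypothetical format): ts src_ip dst url action
SAMPLE_LOGS = [
    "2026-05-31T10:00:01Z 10.1.2.3 95.164.6.120 http://95.164.6.120/bot_aarch64 allowed",
    "2026-05-31T10:00:05Z 10.1.2.4 update.corp.example http://update.corp.example/x allowed",
    "2026-05-31T10:00:09Z 10.1.2.5 95.164.6.120 http://95.164.6.120/bot denied",
    "2026-05-31T10:00:12Z 10.9.9.9 95.164.6.120 http://95.164.6.120/p allowed",
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a real one for matching."""
    return re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"),
                  url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(urls) -> set:
    """Collapse the URL IOCs into the set of hosts/IPs to watch for."""
    return {urlsplit(refang(u)).hostname for u in urls}


def is_internal(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:          # hostnames are never treated as internal IPs
        return False


def hunt(log_lines, hosts, known_sources=frozenset()):
    """Return (src, url, action) for lines whose destination host or URL host is on
    the watchlist, skipping internal destinations and allowlisted source hosts."""
    hits = []
    for line in log_lines:
        _ts, src, dst, url, action = line.split()
        host = urlsplit(url).hostname or dst
        if (host in hosts or dst in hosts) and not is_internal(dst) and src not in known_sources:
            hits.append((src, url, action))
    return hits
```

Run with `hunt(SAMPLE_LOGS, ioc_hosts(IOC_URLS), known_sources={"10.9.9.9"})`, where 10.9.9.9 stands in for an allowlisted backup or CI server from the scenarios; the denied hit is still worth reviewing because it shows a host attempting to reach the infrastructure.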