The hypothesis is that the detected URLs are associated with the Amadey malware, which is used for credential theft and lateral movement within networks. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of user credentials and internal network access.
IOC Summary

Threat: Amadey
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://spasopro.at/Lsge63sd3/Plugins/cred.dll | online | malware_download | 2026-06-09 |
| hxxp://spasopro.at/Lsge63sd3/Plugins/cred64.dll | online | malware_download | 2026-06-09 |
| hxxp://196.251.107.104/Amadey.exe | online | malware_download | 2026-06-09 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Amadey
// Hosts taken from the IOC table above: the C2/download domain and the bare IP
let malicious_domains = dynamic(["spasopro.at", "196.251.107.104"]);
DnsEvents
// has_any is a whole-term match, so subdomains of spasopro.at are also caught
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Amadey
let malicious_domains = dynamic(["spasopro.at", "196.251.107.104"]);
CommonSecurityLog
// Match on the destination host and on the full request URL, so an indicator
// embedded in a path or query string (e.g. a lookup or redirect) is also surfaced
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify if it redirects to a legitimate internal resource.
  Filter/Exclusion: Exclude URLs containing the domain internal.company.com or any subdomains of it.
- Scenario: A scheduled job runs a script that fetches updates from a public URLhaus feed (e.g., via curl or wget) to keep the internal threat intel database current.
  Filter/Exclusion: Exclude traffic to URLs that match the known URLhaus API endpoints (e.g., https://urlhaus.abuse.ch/api/v1/).
- Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender ATP is performing a scheduled integrity check, which includes downloading a known-good signature file from a trusted URL (e.g., https://example.com/signature.sig).
  Filter/Exclusion: Exclude URLs that match known signature update endpoints or domains associated with security software vendors.
- Scenario: An IT team is using a tool like Ansible or Puppet to deploy configuration updates, and the playbook includes a step that downloads a configuration file from a secure internal repository (e.g., https://config.repo.company.com/update.conf).
  Filter/Exclusion: Exclude URLs that match internal repository domains or use specific HTTP headers (e.g., X-Internal-Use-Only).
- Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins, GitLab CI) to fetch dependencies from a public package registry (e.g., https://registry.npmjs.org/), which is mistakenly flagged by the rule.
  Filter/Exclusion: Exclude URLs that match known package registry endpoints or use a specific HTTP user-agent string (e.g., npm/6.14.14).
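The following Python is an added example for this page, not code from the original report. It re-implements both Sentinel hunts offline over a handful of constructed DnsEvents and CommonSecurityLog style rows, derives the `malicious_domains` list from the defanged IOC table instead of hard-coding it, and applies the exclusions from the false-positive scenarios at triage time. The allow-list values (internal.company.com, config.repo.company.com, urlhaus.abuse.ch, registry.npmjs.org, the `npm/` user-agent), the record field names, and the sample URLs are all assumptions chosen to mirror the scenarios and the columns the KQL projects.

```python
# Offline re-implementation of the two Sentinel hunts above, with the
# documented exclusions applied at triage time.
# Added example for this page; not code from the original report.
import re
from urllib.parse import urlsplit

# Defanged IOC URLs copied from the IOC table on this page.
IOC_URLS = [
    "hxxp://spasopro.at/Lsge63sd3/Plugins/cred.dll",
    "hxxp://spasopro.at/Lsge63sd3/Plugins/cred64.dll",
    "hxxp://196.251.107.104/Amadey.exe",
]

# Assumed allow-list built from the false-positive scenarios on this page:
# internal domains, the URLhaus API host, the npm registry and npm's user-agent.
ALLOWED_HOSTS = ("internal.company.com", "config.repo.company.com",
                 "urlhaus.abuse.ch", "registry.npmjs.org")
ALLOWED_UA_PREFIXES = ("npm/",)


def refang(url):
    """Undo hxxp:// and [.] defanging so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(urls):
    """Derive the malicious_domains list the KQL hard-codes: the host or IP
    of each IOC URL, de-duplicated, in table order."""
    hosts = []
    for u in urls:
        h = urlsplit(refang(u)).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


INDICATOR_HOSTS = tuple(ioc_hosts(IOC_URLS))


def host_matches(host, candidates):
    """True when host equals a candidate or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == c or host.endswith("." + c) for c in candidates)


def contains_indicator(text, indicators=INDICATOR_HOSTS):
    """Approximates KQL has_any: the indicator must appear as whole terms,
    so 'notspasopro.at' does not match 'spasopro.at'."""
    t = (text or "").lower()
    return any(re.search(r"(?<![a-z0-9])" + re.escape(i) + r"(?![a-z0-9])", t)
               for i in indicators)


def destination_of(record):
    """Queried name for DnsEvents rows; destination host for CommonSecurityLog
    rows, falling back to the host inside RequestURL."""
    if record.get("Name"):
        return record["Name"]
    if record.get("DestinationHostName"):
        return record["DestinationHostName"]
    return urlsplit(record.get("RequestURL", "")).hostname or ""


def classify(record):
    """'hit': destination is an IOC host, or an IOC string sits in a URL to a
    non-allow-listed host. 'expected': the IOC string only appears inside a
    request to an allow-listed host or client (TI lookups, feed pulls, package
    installs). None: nothing to see. A request whose destination IS an IOC
    host is never suppressed by the allow-list."""
    dest = destination_of(record)
    if host_matches(dest, INDICATOR_HOSTS):
        return "hit"
    url = record.get("RequestURL", "")
    if not contains_indicator(url):
        return None
    ua = record.get("UserAgent", "")
    if host_matches(dest, ALLOWED_HOSTS) or ua.startswith(ALLOWED_UA_PREFIXES):
        return "expected"
    return "hit"


def hunt(records):
    """Sentinel-style result set: every record worth an analyst's attention,
    annotated with its verdict."""
    results = []
    for r in records:
        verdict = classify(r)
        if verdict:
            results.append({**r, "Verdict": verdict})
    return results


# Constructed sample rows mirroring the columns the two queries project.
SAMPLE_RECORDS = [
    {"Table": "DnsEvents", "Computer": "ws-017", "Name": "spasopro.at"},
    {"Table": "DnsEvents", "Computer": "ws-017", "Name": "cdn.spasopro.at"},
    {"Table": "DnsEvents", "Computer": "ws-022", "Name": "notspasopro.at"},
    {"Table": "CommonSecurityLog", "SourceIP": "10.1.2.3",
     "RequestURL": "http://196.251.107.104/Amadey.exe",
     "DestinationHostName": "196.251.107.104", "DeviceAction": "allow"},
    {"Table": "CommonSecurityLog", "SourceIP": "10.1.2.9",   # constructed TI lookup
     "RequestURL": "https://urlhaus.abuse.ch/api/v1/?lookup=spasopro.at",
     "DestinationHostName": "urlhaus.abuse.ch", "UserAgent": "curl/8.4.0"},
    {"Table": "CommonSecurityLog", "SourceIP": "10.1.2.9",
     "RequestURL": "https://registry.npmjs.org/left-pad",
     "DestinationHostName": "registry.npmjs.org", "UserAgent": "npm/6.14.14"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_RECORDS):
        print(row["Verdict"], row["Table"], row.get("Name") or row.get("RequestURL"))
```

Two design points carry over to the KQL. First, the exclusions only ever downgrade a sighting where the indicator is embedded in a request to some other host; a query or connection whose destination is the IOC itself stays a hit regardless of user-agent or header, because those values are set by the client and prove nothing. Second, `has_any` is a term match rather than a substring match, so lookalike names such as `notspasopro.at` do not fire, while true subdomains of the indicator do.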