This detection identifies potential CoinMiner malware distribution through malicious URLs listed by URLhaus, indicating that an adversary may be attempting to deploy cryptocurrency-mining malware on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage activity before it degrades resource usage and system integrity.
IOC Summary

Threat: CoinMiner
Total URLs: 6
Active URLs: 6

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://217.60.195.113/clean | online | malware_download | 2026-06-13 |
| hxxps://217.60.195.113/arm7 | online | malware_download | 2026-06-13 |
| hxxps://217.60.195.113/x86_64 | online | malware_download | 2026-06-13 |
| hxxps://217.60.195.113/i686 | online | malware_download | 2026-06-13 |
| hxxps://217.60.195.113/aarch64 | online | malware_download | 2026-06-13 |
| hxxps://217.60.195.113/sh | online | malware_download | 2026-06-13 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: CoinMiner
// The indicator here is a bare IP address, so a DNS query name will rarely
// contain it; also match on the resolved addresses (IPAddresses) so that
// lookups of any hostname resolving to the indicator are surfaced.
let malicious_domains = dynamic(["217.60.195.113"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: CoinMiner
let malicious_domains = dynamic(["217.60.195.113"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
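The same matching logic as the two queries above, as an added Python example (not part of the original page and not a Sentinel artefact): it refangs the defanged IOC URLs from the table, then runs the host and resolved-address checks over a handful of constructed log records shaped like the CommonSecurityLog and DnsEvents columns the queries project. The sample events, internal IPs and hostnames such as updates.example.com are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Defanged URLs copied from the IOC table above.
IOC_URLS = [
    "hxxps://217.60.195.113/clean",
    "hxxps://217.60.195.113/arm7",
    "hxxps://217.60.195.113/x86_64",
    "hxxps://217.60.195.113/i686",
    "hxxps://217.60.195.113/aarch64",
    "hxxps://217.60.195.113/sh",
]

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL string."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def indicator_hosts(urls):
    """Hosts extracted from the IOC URLs (what the KQL 'let' binds)."""
    return {urlparse(refang(u)).hostname for u in urls}

def indicator_paths(urls):
    """Payload paths from the IOC URLs, used to tag which file was requested."""
    return {urlparse(refang(u)).path for u in urls}

# Constructed sample records mirroring the projected Sentinel columns; not real telemetry.
SAMPLE_EVENTS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.12", "DeviceAction": "allowed",
     "RequestURL": "http://217.60.195.113/x86_64", "DestinationHostName": "217.60.195.113"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.13", "DeviceAction": "allowed",
     "RequestURL": "https://updates.example.com/pkg", "DestinationHostName": "updates.example.com"},
    {"table": "DnsEvents", "Computer": "srv01", "Name": "updates.example.com", "IPAddresses": "203.0.113.7"},
    {"table": "DnsEvents", "Computer": "srv02", "Name": "cdn.example.net", "IPAddresses": "217.60.195.113, 198.51.100.9"},
]

def hunt(events, urls=IOC_URLS):
    """Return (source, payload_path) for events touching an indicator host."""
    hosts, paths = indicator_hosts(urls), indicator_paths(urls)
    hits = []
    for ev in events:
        if ev["table"] == "CommonSecurityLog":
            parsed = urlparse(ev["RequestURL"])
            if parsed.hostname in hosts or ev["DestinationHostName"] in hosts:
                hits.append((ev["SourceIP"], parsed.path if parsed.path in paths else None))
        elif ev["table"] == "DnsEvents":
            # The indicator is a bare IP: match the resolved addresses, not only the query name.
            resolved = {ip.strip() for ip in ev["IPAddresses"].split(",")}
            if ev["Name"] in hosts or resolved & hosts:
                hits.append((ev["Computer"], None))
    return hits
```

The tagged payload path (arm7, x86_64, aarch64, and so on) tells the analyst which architecture-specific file a host fetched, which is useful triage context the KQL projection alone does not give.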
Data Requirements

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new endpoint protection tool by downloading a known benign test file from a URLhaus-listed URL.
  Filter/Exclusion: Exclude URLs associated with the urlhaus threat intelligence source, or filter on the presence of a known test file hash.
- Scenario: A scheduled job fetches updates from a third-party repository, and one of the URLs listed in URLhaus is used as a source for legitimate software updates.
  Filter/Exclusion: Exclude URLs that match known update servers (e.g., updates.example.com), or filter on the presence of a valid certificate or checksum.
- Scenario: An IT admin is performing a system cleanup with a script that downloads a legitimate tool from a URLhaus-listed URL to remove malware.
  Filter/Exclusion: Exclude URLs that match known administrative tools (e.g., syscleaner.exe), or filter on a specific command-line argument that indicates a benign operation.
- Scenario: A user receives a phishing email containing a legitimate link to a company's internal portal that has been listed in URLhaus as a false positive.
  Filter/Exclusion: Exclude URLs that match internal domain names (e.g., *.internal.corp), or filter on the presence of a valid internal IP address in the URL.
- Scenario: A security tool is configured to download a signature file from a URLhaus-listed URL as part of its regular update process.
  Filter/Exclusion: Exclude URLs that match known signature update servers (e.g., signature-updates.example.com), or filter on the presence of a specific update token or timestamp.

Scope any exclusion to the specific host, path or file hash involved rather than to the whole indicator source, so that the exclusion does not also suppress genuine hits on the IOC above.