The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into compromised environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread within the network.
IOC Summary

Threat: malware_download
Total URLs: 41
Active URLs: 3
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Note: the list mixes hostnames and a bare IP; a bare IP will only match DnsEvents.Name
// if a client queried it literally, so IP indicators are better checked against IPAddresses.
let malicious_domains = dynamic(["small-morning-8be0.fsocietyandtools.workers.dev", "ritubohara.com", "121.202.215.196"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["small-morning-8be0.fsocietyandtools.workers.dev", "ritubohara.com", "121.202.215.196"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job downloads a software update from a domain that is also listed on URLhaus as part of a patching process.
Filter/Exclusion: Exclude URLs associated with known enterprise patching or update services (e.g., update.microsoft.com, download.microsoft.com).
Scenario: Admin Access Token Renewal
Description: An administrator uses a tool like Azure AD Connect to renew access tokens, which may involve downloading a script or configuration file from a URLhaus-listed domain.
Filter/Exclusion: Exclude URLs containing azure.com or microsoft.com in the domain, or filter by user roles (e.g., [email protected]).
Scenario: Log Collection from SIEM System
Description: A SIEM system like Splunk or ELK Stack periodically downloads log files from a remote server, which may be flagged as a malicious URL by URLhaus.
Filter/Exclusion: Exclude URLs that match known SIEM vendor domains (e.g., splunk.com, elastic.co) or filter by IP ranges associated with the SIEM infrastructure.
Scenario: Software Deployment via Configuration Management
Description: A configuration management tool like Ansible or Puppet downloads a package from a URLhaus-listed domain during a deployment process.
Filter/Exclusion: Exclude URLs that match known package repositories (e.g., packages.microsoft.com, repo.packagist.org) or filter by known deployment tool domains.
Scenario: Internal Code Repository Sync
Description: A developer syncs code from an internal Git repository hosted on GitHub or GitLab, which may be mistakenly flagged by URLhaus due to a misconfigured URL.
Filter/Exclusion: Exclude URLs containing github.com, gitlab.com, or internal domain names (
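As an added example (not the page's own tooling), the Python below turns defanged URLhaus entries into the host list the `let malicious_domains = dynamic([...])` statement above expects, checks constructed DNS records against it on both the queried name and the resolved address (so the bare-IP indicators are not missed), and applies the exclusion scenarios as a suffix allowlist rather than a substring test. The two IP entries are the page's own indicators; the `ritubohara.com` URL, the record set and the `WS0x` computer names are constructed.

```python
"""Build the URLhaus host list for the Sentinel hunt and screen sample DNS records.
Added example, not part of the original hunt page."""
import re
from urllib.parse import urlparse

# Defanged feed entries: the two IP entries come from the page's IOC table,
# the ritubohara.com entry is constructed from the domain used in the page's query.
URLHAUS_ENTRIES = [
    "hxxp://121.202.215.196:22599/bin.sh",
    "hxxp://89.125.188.171/atom/random.exe",
    "hxxp://ritubohara.com/",
]

# Domains from the false-positive scenarios; matched as exact host or subdomain only.
ALLOWLIST = ("microsoft.com", "splunk.com", "elastic.co", "github.com", "gitlab.com")


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def extract_host(url: str) -> str:
    """Host only: scheme, port and path are dropped, lower-cased for has_any matching."""
    host = urlparse(refang(url)).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def is_allowlisted(host: str, allowlist=ALLOWLIST) -> bool:
    """True for an allowlisted domain or one of its subdomains; a plain substring
    check would also pass a host such as microsoft.com.attacker-controlled.test."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def build_kql_let(entries, name: str = "malicious_domains") -> str:
    """Emit the KQL let statement consumed by the hunt queries (deduplicated, sorted)."""
    hosts = sorted({extract_host(e) for e in entries})
    return f"let {name} = dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "]);"


def match_dns_records(records, entries):
    """records: (computer, queried_name, [resolved_ips]). A record hits when the queried
    name or any resolved IP is on the host list and the name is not allowlisted."""
    hosts = {extract_host(e) for e in entries}
    hits = []
    for computer, name, ips in records:
        if is_allowlisted(name.lower()):
            continue
        if name.lower() in hosts or any(ip in hosts for ip in ips):
            hits.append((computer, name))
    return hits
```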