The hypothesis is that the URLs listed below (Google Drive download links and `bin.sh` files served from bare IP:port endpoints) are used by adversaries to stage malware onto compromised systems, enabling further exploitation and lateral movement within the network. SOC teams should proactively hunt for these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain malware infections before they escalate into broader security incidents. Note that the Drive URLs sit on shared Google infrastructure, so the hunt has to key on the file IDs and the IP:port endpoints, not on the hostnames.
IOC Summary
Threat: malware_download
Total URLs: 9
Active (online) URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.49.5.39:54605/i | offline | malware_download | 2026-06-03 |
| hxxps://drive.usercontent.google.com/download?id=1xfLZJnjFlyKhgL_clP_nejp3g1txmB3G&export=download | offline | malware_download | 2026-06-03 |
| hxxps://drive.google.com/uc?export=download&id=1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC | online | malware_download | 2026-06-03 |
| hxxps://drive.google.com/uc?export=download&id=1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7 | online | malware_download | 2026-06-03 |
| hxxps://drive.google.com/uc?export=download&id=1xfLZJnjFlyKhgL_clP_nejp3g1txmB3G | online | malware_download | 2026-06-03 |
| hxxps://drive.usercontent.google.com/download?id=1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7&export=download | offline | malware_download | 2026-06-03 |
| hxxps://drive.usercontent.google.com/download?id=1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC&export=download | offline | malware_download | 2026-06-03 |
| hxxp://115.49.5.39:54605/bin.sh | offline | malware_download | 2026-06-03 |
| hxxp://119.186.206.114:60002/bin.sh | offline | malware_download | 2026-06-03 |

The same three Drive file IDs appear twice each, once as a `drive.google.com/uc?export=download&id=` link and once as a `drive.usercontent.google.com/download?id=` link; only the `uc?export=download` form was online when the list was pulled.
```kusto
// Hunt for DNS resolution of the Google Drive hosts in the IOC list
// Threat: malware_download
// Caveat: both hosts are shared Google infrastructure, so a DNS match alone is low fidelity.
// Use it to scope candidate hosts, then confirm against the file IDs in the web-traffic query.
// The bare-IP loaders (115.49.5.39, 119.186.206.114) never show up in DNS; hunt them in proxy/firewall logs.
let malicious_domains = dynamic(["drive.google.com", "drive.usercontent.google.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious URLs
// Match on the Google Drive file IDs (shared by both URL forms) and on the bare IP:port loaders,
// not on drive.google.com alone, which would flag every legitimate Drive download.
let malicious_file_ids = dynamic(["1xfLZJnjFlyKhgL_clP_nejp3g1txmB3G", "1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC", "1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7"]);
let malicious_endpoints = dynamic(["115.49.5.39:54605", "119.186.206.114:60002"]);
CommonSecurityLog
| extend DriveFileId = extract(@"[?&]id=([A-Za-z0-9_-]+)", 1, RequestURL)
| extend DestinationEndpoint = strcat(DestinationIP, ":", tostring(DestinationPort))
| where DriveFileId in (malicious_file_ids) or DestinationEndpoint in (malicious_endpoints)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationEndpoint, DriveFileId, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF proxy/firewall logs; needs RequestURL, DestinationIP and DestinationPort populated) |
| DnsEvents | Ensure this data connector is enabled |
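As an added example that is not part of the original page, the same matching logic in Python, run offline over constructed proxy log lines: refang the defanged IOC table, pull the Drive file ID out of either URL form so both the `uc?export=download` and `usercontent.google.com/download` variants are caught (even with extra query parameters), and treat the bare IP:port loaders as endpoints. The log lines, the benign Drive file ID and the `/x86` path are constructed; treating any request to a listed IP:port as a hit, rather than only the exact path, is an assumption of this example.

```python
"""Match proxy-log URLs against the page's URLhaus IOC set.

Added example, not code from the original page. Log lines are constructed.
Assumption: any request to a listed IP:port loader counts as a hit, not only
the exact /i or /bin.sh path seen in the IOC table.
"""
from urllib.parse import urlparse, parse_qs

# The page's defanged IOC table, copied as-is (hxxp / hxxps).
IOC_URLS = [
    "hxxp://115.49.5.39:54605/i",
    "hxxps://drive.usercontent.google.com/download?id=1xfLZJnjFlyKhgL_clP_nejp3g1txmB3G&export=download",
    "hxxps://drive.google.com/uc?export=download&id=1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC",
    "hxxps://drive.google.com/uc?export=download&id=1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7",
    "hxxps://drive.google.com/uc?export=download&id=1xfLZJnjFlyKhgL_clP_nejp3g1txmB3G",
    "hxxps://drive.usercontent.google.com/download?id=1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7&export=download",
    "hxxps://drive.usercontent.google.com/download?id=1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC&export=download",
    "hxxp://115.49.5.39:54605/bin.sh",
    "hxxp://119.186.206.114:60002/bin.sh",
]

DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def drive_file_id(url: str):
    """Return the Google Drive file id carried by either download URL form, or None."""
    p = urlparse(url)
    if p.hostname not in DRIVE_HOSTS:
        return None
    ids = parse_qs(p.query).get("id")
    return ids[0] if ids else None


def host_port(url: str) -> str:
    """Normalise a URL to host:port so /i, /bin.sh and any other path on the loader compare equal."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.hostname}:{port}"


def build_matchers(iocs):
    """Split the IOC list into Drive file ids and raw host:port endpoints."""
    file_ids, endpoints = set(), set()
    for raw in iocs:
        url = refang(raw)
        fid = drive_file_id(url)
        if fid:
            file_ids.add(fid)
        else:
            endpoints.add(host_port(url))
    return file_ids, endpoints


def classify(url: str, file_ids, endpoints):
    """Return a hit reason for a requested URL, or None if it matches no IOC."""
    fid = drive_file_id(url)
    if fid in file_ids:
        return f"drive file id {fid}"
    endpoint = host_port(url)
    if endpoint in endpoints:
        return f"loader endpoint {endpoint}"
    return None


# Constructed proxy log lines: timestamp, source IP, method, URL.
# Line 2 is a benign Drive download (made-up id); line 3 carries an extra confirm=t
# parameter; line 4 requests a constructed path on a listed loader host:port.
SAMPLE_LOG = """\
2026-06-03T09:12:01Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=1HpPBdsSH6fEdU5tClfYs1760Jq9d0FvC
2026-06-03T09:12:09Z 10.0.0.6 GET https://drive.google.com/uc?export=download&id=1AbCdEfGhIjKlMnOpQrStUvWxYz012345
2026-06-03T09:13:40Z 10.0.0.7 GET https://drive.usercontent.google.com/download?id=1qj81iVFCfTPEQS-4WFFVOzYkiXvNnH-7&export=download&confirm=t
2026-06-03T09:14:02Z 10.0.0.8 GET http://115.49.5.39:54605/x86
2026-06-03T09:15:15Z 10.0.0.9 GET https://download.microsoft.com/download/x/y/z/update.msu
"""


def hunt(log_text: str, iocs=IOC_URLS):
    """Return (source_ip, url, reason) for every log line that matches an IOC."""
    file_ids, endpoints = build_matchers(iocs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, url = line.split(maxsplit=3)
        reason = classify(url, file_ids, endpoints)
        if reason:
            hits.append((src, url, reason))
    return hits


if __name__ == "__main__":
    for src, url, reason in hunt(SAMPLE_LOG):
        print(f"{src}  {reason}  {url}")
```

Matching on the file ID rather than the literal URL is what lets the third line hit despite the extra `confirm=t` parameter, and what keeps the second line (a different Drive file on the same host) out of the results.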
False Positives
Because the Google Drive IOCs live on shared Google infrastructure, scope any exclusion to the full request URL, the Drive file ID, or the requesting host; never exclude drive.google.com or drive.usercontent.google.com as a whole, or the hunt goes blind to the three active URLs.
Scenario: A system administrator downloads a known malicious URL as part of a security test or penetration testing exercise.
Filter/Exclusion: Exclude the tester's source host for the engagement window, plus URLs on known penetration testing tool domains (e.g., metasploit.org, exploitdb.com, vulnweb.com). The IOC URLs themselves stay in scope: a tester fetching a live Drive payload is still a download you want recorded.
Scenario: A scheduled job runs a malware analysis tool that downloads payloads into a sandboxed environment.
Filter/Exclusion: Exclude by source rather than by destination, i.e. the sandbox or analysis hosts themselves (e.g., an isolated Cuckoo sandbox VLAN or a commercial sandbox such as the Malwarebytes sandbox), since the payload URLs are exactly what the hunt is looking for.
Scenario: An IT admin uses a legitimate tool like wget or curl to download a software update or configuration file from an internal repository.
Filter/Exclusion: Exclude URLs on internal update servers (e.g., internal-repo.company.com, artifactory.company.com, nuget.company.com). None of the IOCs are internal hosts, so this exclusion only reduces noise in broader curl/wget hunts and does not affect the queries above.
Scenario: A user accesses a phishing simulation URL hosted by a security training platform like phishsim.com or spearphish.com.
Filter/Exclusion: Exclude URLs on known phishing simulation domains (e.g., phishsim.com, spearphish.com, phishingtest.net), and confirm the domain list with the team that runs the simulations rather than guessing it.
Scenario: A system downloads a legitimate software update from a trusted vendor like Microsoft or Adobe.
Filter/Exclusion: Exclude URLs on known vendor update servers (e.g., download.microsoft.com, adobe.com, update.vmware.com), matched on the full hostname rather than a substring, so that lookalike hosts that merely contain a vendor name are not excluded along with them.