Adversaries may use known malicious URLs from URLhaus to download malware, bypassing traditional detection mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread within the network.
IOC Summary

Threat: malware_download; total URLs: 2; active URLs: 2.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://61.176.178.35:49208/i | online | malware_download | 2026-05-28 |
| hxxp://61.176.178.35:49208/bin.sh | online | malware_download | 2026-05-28 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["61.176.178.35"]);
DnsEvents
// The indicator here is a bare IP, so it will normally appear in the resolved
// IPAddresses column rather than in the queried Name; match both.
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["61.176.178.35"]);
CommonSecurityLog
// Proxies log the IP inside RequestURL; firewalls often only populate DestinationIP
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is downloading a legitimate security tool from a known URLhaus entry as part of a malware analysis exercise. | Exclude URLs that match known security tool repositories (e.g., https://virusshare.com, https://malware-traffic-analysis.net). |
| A scheduled job is running a malware sandboxing task and is downloading a benign payload from a URLhaus entry for analysis. | Exclude URLs that are associated with internal sandboxing environments or known analysis platforms (e.g., https://sandbox.example.com, https://analysis.example.org). |
| A user is accessing a legitimate enterprise URL that is mistakenly listed in URLhaus due to a false positive in the URLhaus database. | Exclude URLs that are on the enterprise's internal allowlist or that match known internal infrastructure (e.g., https://internal-tools.example.com). |
| A developer is fetching a legitimate code signing certificate from a trusted provider whose URL is incorrectly flagged by URLhaus. | Exclude URLs that are associated with code signing certificate authorities or trusted development tools (e.g., https://certs.example.com, https://github.com). |
| A system is performing a legitimate software update from a known vendor, and the update URL is incorrectly listed in URLhaus. | Exclude URLs that match known vendor update servers (e.g., https://updates.microsoft.com, https://download.docker.com). |
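One way to run both hunts as a single query with the exclusions above applied and the hits rolled up per host, as an added example that is not part of the original hunt content; the allowlist is built from the placeholder hosts in the scenarios (replace with your own), and the 7-day lookback is an assumption:

```kusto
// Added example: unified URLhaus hunt with false-positive exclusions (not the original queries)
let lookback = 7d;                                  // assumption: tune to your retention
let malicious_ips = dynamic(["61.176.178.35"]);   // IOC from the summary table above
// Placeholder allowlist taken from the scenarios; replace with the enterprise allowlist
let allowlisted_hosts = dynamic([
    "virusshare.com", "malware-traffic-analysis.net",
    "sandbox.example.com", "analysis.example.org",
    "internal-tools.example.com", "certs.example.com", "github.com",
    "updates.microsoft.com", "download.docker.com"]);
// DNS side: the indicator is an IP, so check the resolved addresses as well as the name
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
    | where not(Name has_any (allowlisted_hosts))
    | project TimeGenerated, Host = Computer, Indicator = Name,
              Source = "DnsEvents", Action = "";
// Web side: proxies put the IP in RequestURL, firewalls usually only in DestinationIP
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_ips)
        or DestinationHostName has_any (malicious_ips)
        or DestinationIP in (malicious_ips)
    // Drop the benign cases from the scenarios: sandboxes, vendor updates, allowlisted hosts
    | where not(RequestURL has_any (allowlisted_hosts)
             or DestinationHostName has_any (allowlisted_hosts))
    | project TimeGenerated, Host = SourceIP, Indicator = RequestURL,
              Source = "CommonSecurityLog", Action = DeviceAction;
// One row per host: when it started, when it was last seen, which sources saw it
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Sources = make_set(Source), Indicators = make_set(Indicator, 10),
            Actions = make_set(Action) by Host
| order by LastSeen desc
```

A host that appears with Sources containing both tables, or with an Action of "allow"/"permit", is the one to triage first: it resolved the indicator and then actually reached it.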