Hypothesis: adversaries use the malicious URLs listed below to download malware onto compromised systems, and Azure Sentinel telemetry (DNS lookups and proxy or firewall web logs) can surface the requests that mark these initial compromise vectors. SOC teams should proactively hunt for these URLs to detect and contain early-stage malware infections before they spread within the network.
IOC Summary
Threat: malware_download
Total URLs: 9
Active URLs: 8

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://89.190.156.19/krane_mips | online | malware_download | 2026-04-20 |
| hxxp://89.190.156.19/krane_armv5 | online | malware_download | 2026-04-20 |
| hxxp://89.190.156.19/krane_armv6 | online | malware_download | 2026-04-20 |
| hxxp://89.190.156.19/bins.sh | online | malware_download | 2026-04-20 |
| hxxp://89.190.156.19/krane_armv7 | online | malware_download | 2026-04-20 |
| hxxp://110.36.76.24:60144/i | online | malware_download | 2026-04-20 |
| hxxp://110.36.76.24:60144/bin.sh | offline | malware_download | 2026-04-20 |
| hxxp://110.37.90.172:48823/i | online | malware_download | 2026-04-20 |
| hxxp://110.37.90.172:48823/bin.sh | online | malware_download | 2026-04-20 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: malware_download
// The indicators are bare IP addresses, so they will normally appear in the resolved
// addresses (IPAddresses) rather than in the queried name; check both columns.
let malicious_domains = dynamic(["110.37.90.172", "110.36.76.24", "89.190.156.19"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: malware_download
// Match the destination IP as well as the URL and host name, since the IOCs are IP-based
// and carry non-standard ports (60144, 48823) that a host-name match alone would miss.
let malicious_domains = dynamic(["110.37.90.172", "110.36.76.24", "89.190.156.19"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Update
Description: A legitimate scheduled task runs Microsoft Update, which downloads detection-signature files and update payloads from Microsoft servers.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the URL field.
Scenario: Admin Task for Malware Analysis
Description: An admin manually downloads a known malicious file for analysis in a sandboxed environment.
Filter/Exclusion: Exclude URLs containing sandbox or analysis in the URL field, or filter by user admin or security-team.
Scenario: Automated Log Collection from External SIEM
Description: A scheduled job pulls logs from an external SIEM system, which may include URLs used for log forwarding or data ingestion.
Filter/Exclusion: Exclude URLs containing siem, logstash, or splunk in the URL field, or filter by source IP range used for SIEM communication.
Scenario: Internal Code Repository Access
Description: A developer accesses an internal code repository (e.g., GitLab, GitHub Enterprise) to retrieve a script or artifact whose URL pattern resembles the indicators.
Filter/Exclusion: Exclude URLs containing gitlab, github, or bitbucket in the URL field, or filter by domain internal-repo.company.com.
Scenario: Cloud Provider Artifact Download
Description: A cloud provider (e.g., AWS, Azure) downloads a security-related artifact (e.g., malware signature update) from a trusted URL.
Filter/Exclusion: Exclude URLs containing aws, azure, or cloud in the URL field, or filter by domain *.amazonaws.com or *.azure.com.
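The two hunts above and the benign scenarios just listed can be combined into one tuned query. The following is an added example, not part of the original playbook; it assumes the CommonSecurityLog connector is enabled, and the allowlist is constructed from the scenario text (anchored to the domain suffix so that a substring such as "aws" does not silently exclude unrelated hosts) and should be adjusted to the environment.

```kusto
// Added example (not from the original playbook): one CommonSecurityLog hunt that combines the
// URLhaus indicators with the benign-traffic exclusions from the false-positive scenarios.
let lookback = 30d;
let malicious_ips = dynamic(["110.37.90.172", "110.36.76.24", "89.190.156.19"]);
// Dropper script and bot binary names from the IOC table ("/i" is omitted as too generic to match on)
let ioc_files = dynamic(["bins.sh", "bin.sh", "krane_mips", "krane_armv5", "krane_armv6", "krane_armv7"]);
// Expected-benign destinations from the scenarios, matched as a domain suffix rather than a substring
let allowlist_re = @"(^|\.)(update\.microsoft\.com|windowsupdate\.com|amazonaws\.com|azure\.com|internal-repo\.company\.com)$";
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(DestinationIP) or isnotempty(RequestURL)
// File name component of the request path, without query string or fragment
| extend url_file = extract(@"/([^/?#\s]+)(?:[?#].*)?$", 1, RequestURL)
| extend ip_hit   = DestinationIP has_any (malicious_ips) or RequestURL has_any (malicious_ips)
| extend file_hit = url_file in (ioc_files)
| where ip_hit or file_hit
| where not(DestinationHostName matches regex allowlist_re)
// Traffic to an IOC host is a strong signal; the same file name on another host is a pivot to review
| extend confidence = case(ip_hit, "high: URLhaus host",
                           file_hit, "medium: IOC file name on another host",
                           "low")
| summarize first_seen = min(TimeGenerated), last_seen = max(TimeGenerated), hits = count(),
            files = make_set(url_file), actions = make_set(DeviceAction)
    by SourceIP, DestinationIP, DestinationHostName, confidence
| order by confidence asc, hits desc
```

Rows whose actions set contains only a block or deny value still indicate a host that attempted the download and should be triaged, not just the allowed connections.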