The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 29
Active URLs: 19
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// The URLhaus entries for this threat are IP-literal URLs, so a client fetching them
// issues no DNS query for the IP itself. Matching the resolved-address column
// (IPAddresses) as well as Name catches any hostname that resolves to one of them.
let malicious_domains = dynamic(["115.54.172.6", "42.52.26.29", "219.157.22.107", "85.12.204.206", "91.147.100.200", "42.177.200.236", "119.117.177.135", "58.253.129.91", "175.167.108.139", "123.191.47.203", "111.249.250.99", "85.140.44.96", "222.138.149.73"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// DestinationHostName is often empty for IP-literal destinations, so DestinationIP
// is checked too; DeviceAction shows whether the proxy or firewall blocked the request.
let malicious_domains = dynamic(["115.54.172.6", "42.52.26.29", "219.157.22.107", "85.12.204.206", "91.147.100.200", "42.177.200.236", "119.117.177.135", "58.253.129.91", "175.167.108.139", "123.191.47.203", "111.249.250.99", "85.140.44.96", "222.138.149.73"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job downloads a software update from a trusted repository (e.g., Microsoft Update or a company-approved patch server).
Filter/Exclusion: Exclude URLs containing update.microsoft.com, patchserver.example.com, or any known enterprise update domains.
Scenario: Admin Access Token Renewal
Description: An administrator uses a tool like azure-cli or aws-cli to renew an access token, which may involve a temporary URL redirect or token exchange endpoint.
Filter/Exclusion: Exclude URLs containing token.microsoft.com, sts.windows.net, or signin.aws.com.
Scenario: Log Collection via SIEM Integration
Description: A security information and event management (SIEM) system like Splunk or ELK Stack periodically fetches logs from a central log server using a secure URL.
Filter/Exclusion: Exclude URLs containing splunk.com, logserver.example.com, or any known SIEM integration endpoints.
Scenario: Software Deployment via Configuration Management
Description: A configuration management tool like Ansible or Puppet downloads a package from a private artifact repository (e.g., Nexus or Artifactory) during a deployment.
Filter/Exclusion: Exclude URLs containing nexus.example.com, artifactory.example.com, or any known internal package repositories.
Scenario: Cloud Provider API Calls
Description: A cloud provider API (e.g., AWS SDK, Azure CLI, or GCP CLI) makes API calls to services like S3, Blob Storage, or Cloud Functions, which may involve temporary URLs or signed requests.
Filter/Exclusion: Exclude URLs containing s3.amazonaws.com, blob.core.windows.net, or storage.googleapis.com.
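As an added example (not part of this playbook or of URLhaus), the following Python turns URLhaus-style entries like those in the IOC summary into the `dynamic([...])` list the hunts above start with, and applies the false-positive exclusions above the way a `where not(...)` clause would, with suffix matching so a lookalike host is not excluded. The sample IOC rows, `evil.example.com`, the allowlist subset and the RequestURL values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed rows in the "URL | Status" shape of the IOC summary above, defanged like URLhaus exports.
SAMPLE_IOCS = [
    ("hxxp://58.253.129.91:8518/bin.sh", "online"),
    ("hxxp://58.253.129.91:8518/i", "online"),
    ("hxxp://45.135.194.4:8080/c2agent", "offline"),
    ("hxxps://evil.example[.]com/update.bin", "online"),  # constructed domain-based entry
]
# Exclusion domains taken from the false-positive scenarios above.
ALLOWLIST = ["update.microsoft.com", "blob.core.windows.net", "nexus.example.com"]
# Constructed CommonSecurityLog.RequestURL values as a proxy might record them.
SAMPLE_REQUEST_URLS = [
    "http://58.253.129.91:8518/bin.sh",
    "http://update.microsoft.com/v1/patch.cab",
    "http://45.135.194.4:8080/c2agent",
    "http://update.microsoft.com.evil.example/patch.cab",  # lookalike: must not be excluded
]

def refang(url: str) -> str:
    """Undo hxxp / [.] / [:] defanging so the URL parses normally."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".").replace("[:]", ":")

def extract_host(url: str) -> str:
    """Host without port: what DnsEvents.Name or DestinationHostName would carry."""
    return urlsplit(refang(url)).hostname or ""

def build_kql_list(iocs, name="malicious_domains", online_only=True):
    """Emit the `let ... = dynamic([...])` line the hunts start with, de-duplicating hosts."""
    hosts = sorted({extract_host(u) for u, status in iocs if not online_only or status == "online"})
    quoted = ", ".join('"%s"' % h for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"

def is_allowlisted(host: str) -> bool:
    """Exact or parent-domain match only, so a lookalike suffix is NOT excluded."""
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)

def triage(request_urls, iocs):
    """Allowlisted hosts are suppressed first (a `where not(...)` clause); offline IOCs stay in scope."""
    bad_hosts = {extract_host(u) for u, _ in iocs}
    hits, suppressed = [], []
    for url in request_urls:
        host = urlsplit(url).hostname or ""
        if is_allowlisted(host):
            suppressed.append(url)
        elif host in bad_hosts:
            hits.append(url)
    return hits, suppressed
```

Offline entries are kept in the hunt set deliberately: URLhaus status flips as hosts come back online, and the logs being searched may predate the status change.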