Adversaries may host malware at URLs tracked by URLhaus and use them as download stages that bypass traditional detection mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread within the network.
IOC Summary

Threat: malware_download
Total URLs: 12
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://177.26.100.232:52211/i | online | malware_download | 2026-04-21 |
| hxxp://144.48.123.149:58125/i | online | malware_download | 2026-04-21 |
| hxxps://files.catbox.moe/jwhxzz.bin | online | malware_download | 2026-04-21 |
| hxxp://axodoyin.alwaysdata.net/UwU.sh | offline | malware_download | 2026-04-21 |
| hxxp://45.135.194.4/vps-agent-linux-amd64 | online | malware_download | 2026-04-21 |
| hxxp://45.135.194.4:8080/c2.sh | offline | malware_download | 2026-04-21 |
| hxxp://176.65.139.130/bot.x86_64 | offline | malware_download | 2026-04-21 |
| hxxp://45.135.194.4:8080/simple_agent.py | offline | malware_download | 2026-04-21 |
| hxxp://45.135.194.4/install.sh | offline | malware_download | 2026-04-21 |
| hxxp://45.135.194.4:8080/sh_test.sh | offline | malware_download | 2026-04-21 |
| hxxp://45.135.194.4:8080/install.sh | offline | malware_download | 2026-04-21 |
| hxxp://2.26.84.151/bot.x86_64 | offline | malware_download | 2026-04-21 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Only the currently active hosts from the IOC summary are listed here.
let malicious_domains = dynamic(["files.catbox.moe", "45.135.194.4", "177.26.100.232", "144.48.123.149"]);
DnsEvents
// Bare IP indicators will not appear in the queried Name, so also check the resolved addresses
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["files.catbox.moe", "45.135.194.4", "177.26.100.232", "144.48.123.149"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate software update download
Description: A system administrator downloads a legitimate software update from a known vendor URL, which is mistakenly tagged as a malicious URL in the URLhaus database.
Filter/Exclusion: Exclude URLs that match known vendor domains (e.g., updates.microsoft.com, download.vmware.com) or use a custom list of trusted update URLs.

Scenario: Scheduled system backup to cloud storage
Description: A scheduled backup job uploads data to a cloud storage bucket (e.g., AWS S3, Google Cloud Storage) using a URL that is flagged as malicious by the detection rule.
Filter/Exclusion: Exclude URLs containing specific cloud storage prefixes (e.g., s3.amazonaws.com, storage.googleapis.com) or use a regex to identify backup-related paths.

Scenario: Admin task using PowerShell for system configuration
Description: An administrator uses PowerShell to download a configuration script from an internal repository, which is incorrectly flagged as a malware_download URL.
Filter/Exclusion: Exclude URLs that match internal repository domains (e.g., internal-repo.example.com) or use a regex to identify PowerShell script download patterns.

Scenario: User accessing a phishing training page
Description: A user clicks on a phishing training link from a security awareness platform (e.g., KnowBe4), which is mistakenly classified as a malware_download URL.
Filter/Exclusion: Exclude URLs containing known security training domains (e.g., training.knowbe4.com, phishing-training.example.com).

Scenario: Automated CI/CD pipeline artifact download
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads a build artifact from a private registry or artifact repository, which is flagged as a malicious URL.
Filter/Exclusion: Exclude URLs that match CI/