The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally or exfiltrate data.
IOC Summary
Threat: malware_download
Total URLs: 7
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.58.85.74:44867/i | online | malware_download | 2026-06-20 |
| hxxp://42.86.60.11:33410/bin.sh | online | malware_download | 2026-06-20 |
| hxxp://46.146.238.1:25306/i | online | malware_download | 2026-06-20 |
| hxxps://mamigummy.com/md/dog_payload.png | online | malware_download | 2026-06-20 |
| hxxp://182.114.193.55:54420/i | online | malware_download | 2026-06-20 |
| hxxp://125.43.224.91:35648/bin.sh | online | malware_download | 2026-06-20 |
| hxxps://release-assets.githubusercontent.com/github-production-release-asset/1268750795/c2334986-2fe6-474c-afb1-b087840c8ce0?sp=r&sv=2018-11-09&sr=b&spr=https&se=2026-06-19T20%3A29%3A40Z&rscd=attachment%3B+filename%3DRelease.zip&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2026-06-19T19%3A29%3A18Z&ske=2026-06-19T20%3A29%3A40Z&sks=b&skv=2018-11-09&sig=OqKWgb6Y7fqmtd6QJBPLaF5Nncb4mzt3yJXbvRCoEd8%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc4MTg5ODc5NCwibmJmIjoxNzgxODk4NDk0LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.GIDhb9pbV2H_UV1F--_skCzcRcdrXdnPkBm997sFDqU&response-content-disposition=attachment%3B%20filename%3DRelease.zip&response-content-type=application%2Foctet-stream | offline | malware_download | 2026-06-20 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["42.86.60.11", "125.43.224.91", "46.146.238.1", "mamigummy.com", "182.114.193.55", "115.58.85.74"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic (proxy/firewall logs in CEF format) to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["42.86.60.11", "125.43.224.91", "46.146.238.1", "mamigummy.com", "182.114.193.55", "115.58.85.74"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually downloading a known malicious URL to test a sandboxed environment.
Filter/Exclusion: Exclude URLs that match known testing or sandboxing platforms like VirusTotal, Malwarebytes Labs, or [Cuckoo Sandbox](https://cuckoosandbox.org/).
Scenario: A scheduled job is configured to fetch updates from a legitimate internal repository, which contains URLs flagged by URLhaus due to historical misuse.
Filter/Exclusion: Exclude URLs that match internal update servers or repositories (e.g., internal-repo.example.com, updates.example.com).
Scenario: A user is downloading a legitimate software update from a trusted vendor, but the URL is mistakenly tagged as malicious in URLhaus.
Filter/Exclusion: Exclude URLs that match known software update domains (e.g., download.microsoft.com, download.docker.com, downloads.apache.org).
Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender ATP is configured to download payloads for signature analysis, triggering the rule.
Filter/Exclusion: Exclude URLs that match known security tool download endpoints (e.g., falcon-apis.crowdstrike.com, defender-apis.microsoft.com).
Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins or GitLab CI to fetch dependencies from a public repository, which includes URLs flagged by URLhaus.
Filter/Exclusion: Exclude URLs that match known CI/CD artifact repositories (e.g., `maven.org
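The following query is an added example, not part of the original report: it combines the two hunts above into one result set, matches on the exact request host (so an indicator with a port, such as 115.58.85.74:44867, is matched on its host alone) and applies an allowlist for the false-positive scenarios just listed. The allowlisted hostnames are assumed placeholders; replace them with the update, CI/CD and sandbox hosts approved in your environment.

```kql
// Added example: combined URLhaus hunt with false-positive exclusions applied.
// Indicators come from the IOC table above; allowlist hosts are assumed placeholders.
let malicious_hosts = dynamic(["42.86.60.11", "125.43.224.91", "46.146.238.1", "mamigummy.com", "182.114.193.55", "115.58.85.74"]);
let allowlisted_hosts = dynamic(["internal-repo.example.com", "updates.example.com", "download.microsoft.com", "download.docker.com", "downloads.apache.org"]);
// Web traffic: extract the host from the full URL so matching is exact, not a substring of the URL
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    | extend RequestHost = tolower(tostring(parse_url(RequestURL).Host))
    | extend MatchedHost = iff(RequestHost in (malicious_hosts), RequestHost, tolower(DestinationHostName))
    | where MatchedHost in (malicious_hosts)
    | where MatchedHost !in (allowlisted_hosts)
    | project TimeGenerated, Source = "CommonSecurityLog", Computer = DeviceName, Client = SourceIP,
              Indicator = MatchedHost, Detail = RequestURL, DeviceAction;
// DNS: a resolution attempt is an earlier signal than the download itself
let dns_hits = DnsEvents
    | extend QueryName = tolower(Name)
    | where QueryName in (malicious_hosts) and QueryName !in (allowlisted_hosts)
    | project TimeGenerated, Source = "DnsEvents", Computer, Client = ClientIP,
              Indicator = QueryName, Detail = tostring(IPAddresses), DeviceAction = "";
union web_hits, dns_hits
// One host touching several indicators is a stronger signal than a single hit; rank accordingly
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator), SampleDetail = take_any(Detail), Actions = make_set(DeviceAction)
            by Computer, Client, Source
| extend IndicatorCount = array_length(Indicators)
| order by IndicatorCount desc, LastSeen desc
```

A `DeviceAction` of blocked on the web side means the proxy already stopped the download; the matching DNS hit on the same `Computer` still tells you which host attempted it and should be triaged first.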