The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 7
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.112.43.144:44783/i | online | malware_download | 2026-06-22 |
| hxxp://125.40.11.184:51518/i | online | malware_download | 2026-06-22 |
| hxxp://37.232.183.1:58602/i | online | malware_download | 2026-06-22 |
| hxxp://2.25.179.221/bot.x86_64 | offline | malware_download | 2026-06-22 |
| hxxp://60.23.192.63:55858/i | online | malware_download | 2026-06-22 |
| hxxp://60.23.192.63:55858/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/cqehd | online | malware_download | 2026-06-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Hosts of the six online URLs from the table; the offline host 2.25.179.221 is not included.
// The IP entries only match DNS names that contain those literals; the workers.dev domain is the main DNS signal here.
let malicious_domains = dynamic(["125.40.11.184", "37.232.183.1", "60.23.192.63", "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "182.112.43.144"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["125.40.11.184", "37.232.183.1", "60.23.192.63", "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "182.112.43.144"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: System update or patch deployment via a known enterprise tool (e.g., Microsoft Update, SCCM, or Ansible) that includes a URL to a legitimate download server.
  Filter/Exclusion: Exclude URLs that match known enterprise update servers (e.g., *.update.microsoft.com, *.download.microsoft.com, or internal patch servers).
- Scenario: Scheduled backup job that downloads a backup archive from an internal file server using a script (e.g., rsync, robocopy, or scp).
  Filter/Exclusion: Exclude URLs that match internal file server paths (e.g., \\fileserver\backup\, //internal-server/backup/).
- Scenario: Admin task to download a security tool or malware analysis sandbox (e.g., Cuckoo Sandbox, VirusTotal, or Malwarebytes) from a trusted external source.
  Filter/Exclusion: Exclude URLs that match known security tool domains (e.g., malwarebytes.com, virustotal.com, cuckoo.net).
- Scenario: Log collection or monitoring tool (e.g., Splunk, ELK, or Graylog) that periodically downloads configuration files or logs from a remote server.
  Filter/Exclusion: Exclude URLs that match known log management service endpoints (e.g., splunk.com, graylog.org, or internal log servers).
- Scenario: Automated testing or CI/CD pipeline (e.g., Jenkins, GitLab CI) that fetches dependencies or test artifacts from a public or internal artifact repository (e.g., Nexus, Artifactory).
  Filter/Exclusion: Exclude URLs that match known CI/CD artifact repositories (e.g., nexus.example.com, artifactory.example.com, or maven.org).
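The following is an added example, not part of the original hunt page or the URLhaus feed. It shows, for the IOC table and the false-positive exclusions above, how to turn the defanged URLs into a host watchlist (online URLs only, by default), match constructed proxy log lines against it with exact host comparison, flag whether the path seen is one the feed lists or a new path on a known-bad host, and apply the exclusions as label-anchored suffix matches. The log line format, the source IPs, the host 160.23.192.63 and the allowlist entries nexus.example.com and artifactory.example.com are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Copy of the IOC table above: (defanged URL, status).
URLHAUS_IOCS = [
    ("hxxp://182.112.43.144:44783/i", "online"),
    ("hxxp://125.40.11.184:51518/i", "online"),
    ("hxxp://37.232.183.1:58602/i", "online"),
    ("hxxp://2.25.179.221/bot.x86_64", "offline"),
    ("hxxp://60.23.192.63:55858/i", "online"),
    ("hxxp://60.23.192.63:55858/bin.sh", "online"),
    ("hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/cqehd", "online"),
]

# Assumed enterprise allowlist built from the false-positive scenarios (example names, not a real config).
ALLOWLIST = [
    "update.microsoft.com", "download.microsoft.com", "malwarebytes.com",
    "virustotal.com", "cuckoo.net", "splunk.com", "graylog.org", "maven.org",
    "nexus.example.com", "artifactory.example.com",
]


def refang(url: str) -> str:
    """Turn hxxp:// and [.] defanging back into a parsable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def parse_ioc(defanged: str) -> dict:
    """Split a defanged URL into lowercase host, effective port and path."""
    parts = urlsplit(refang(defanged))
    default_port = 443 if parts.scheme == "https" else 80
    return {"host": parts.hostname.lower(), "port": parts.port or default_port, "path": parts.path}


def build_watchlist(iocs, include_offline=False):
    """Map host -> set of (port, path); offline URLs are skipped unless asked for."""
    watchlist = {}
    for url, status in iocs:
        if status != "online" and not include_offline:
            continue
        ioc = parse_ioc(url)
        watchlist.setdefault(ioc["host"], set()).add((ioc["port"], ioc["path"]))
    return watchlist


def is_allowlisted(host, allowlist=ALLOWLIST):
    """Label-anchored suffix match: 'a.update.microsoft.com' yes, 'update.microsoft.com.evil.test' no."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


# Constructed key=value proxy line format used by the sample log below.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+) action=(?P<action>\S+)$")


def hunt(log_lines, watchlist, allowlist=ALLOWLIST):
    """Return one hit per line whose destination host is on the watchlist and not allowlisted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        # Exact host lookup: 160.23.192.63 must not match the IOC 60.23.192.63.
        if host not in watchlist or is_allowlisted(host, allowlist):
            continue
        port = parts.port or (443 if parts.scheme == "https" else 80)
        hits.append({
            "time": m["ts"], "source": m["src"], "host": host, "path": parts.path,
            "action": m["action"],
            # True when the exact URL is in the feed, False for a new path on a known-bad host.
            "known_url": (port, parts.path) in watchlist[host],
        })
    return hits


# Constructed sample proxy lines for a stand-alone run.
SAMPLE_LOG = [
    "2026-06-22T10:15:02Z src=10.1.4.22 url=http://60.23.192.63:55858/bin.sh action=allowed",
    "2026-06-22T10:15:09Z src=10.1.4.22 url=http://60.23.192.63:55858/x86 action=blocked",
    "2026-06-22T10:16:40Z src=10.1.7.8 url=http://160.23.192.63:55858/bin.sh action=allowed",
    "2026-06-22T10:17:00Z src=10.1.9.3 url=http://2.25.179.221/bot.x86_64 action=allowed",
    "2026-06-22T10:18:11Z src=10.1.2.5 url=https://download.microsoft.com/patch.msu action=allowed",
    "2026-06-22T10:19:30Z src=10.1.3.1 url=http://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/cqehd action=allowed",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, build_watchlist(URLHAUS_IOCS)):
        print(hit)
```

Two points carry over to the Sentinel queries. First, a hit on a known-bad host with a path the feed does not list (the `/x86` line above) is still worth triage, so match on host rather than full URL and report the path. Second, when the exclusions are applied in KQL, prefer `endswith` with a leading dot or an exact comparison over `has_any`: `has` matches a sequence of terms, so an exclusion written as `DestinationHostName has_any (dynamic(["update.microsoft.com"]))` would also exclude a name such as update.microsoft.com.evil.test.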