The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into compromised environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread within the network.
IOC Summary
Threat: malware_download
Total URLs: 23
Active URLs: 13

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://118.34.109.121:55534/i | online | malware_download | 2026-06-08 |
| hxxps://vrdccbank.com/Favour1.exe | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/zHcAHnmc228.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/nDgivqAAjMmygNYgNplciP95.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/JnyxvLpARPmw60.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/wjtfTSA232.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/RqPFF187.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/ThJlITBRIDCKzZO222.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/CTRQllfxs160.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/DISioRFsKNBVqpXJgO26.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/MrbhdJjpcOenoOa195.bin | online | malware_download | 2026-06-08 |
| hxxp://185.29.10.125/jgjcsQLTH184.bin | online | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/BirdsKnocked/ | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/RovingRandy/ | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/TulipsCalling | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/CentralTippin | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/SeymourLeagues | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/ArlenDenial | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/JavierGigolo | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/ApartAirways | offline | malware_download | 2026-06-08 |
| hxxps://paste.sensio.no/CitationCallers | offline | malware_download | 2026-06-08 |
| hxxps://www.websenorllc.com/wordpress/IkcdoAf.txt | online | malware_download | 2026-06-08 |
| hxxps://www.websenorllc.com/wordpress/jrdpkhg.txt | offline | malware_download | 2026-06-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// The list covers the hosts that currently have at least one online URL in the
// IOC table; add "paste.sensio.no" to also hunt for historical traffic to the
// offline entries.
let malicious_domains = dynamic(["vrdccbank.com", "185.29.10.125", "118.34.109.121", "www.websenorllc.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["vrdccbank.com", "185.29.10.125", "118.34.109.121", "www.websenorllc.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a known malicious URL to test a security tool or simulate an attack.
  - Filter/Exclusion: Exclude URLs that match known testing environments or internal test domains (e.g., *.testmalware.com, *.sandbox.example.com).
- Scenario: A scheduled job is configured to fetch updates from a legitimate repository, such as a software update server or a configuration management tool (e.g., Ansible, Puppet).
  - Filter/Exclusion: Exclude URLs that match known update servers (e.g., *.updates.example.com, *.repo.example.com, *.artifactory.example.com).
- Scenario: A user is accessing a phishing simulation link deployed by the security team to train employees.
  - Filter/Exclusion: Exclude URLs that match internal phishing training domains (e.g., *.phishsim.example.com, *.training.example.com).
- Scenario: A legitimate software update or patch is being downloaded from a trusted vendor (e.g., Microsoft, Adobe, or a custom internal repository).
  - Filter/Exclusion: Exclude URLs that match known vendor update domains (e.g., *.microsoft.com, *.adobe.com, *.internal-repo.example.com).
- Scenario: A developer is using a tool like curl or wget to manually download a dependency or artifact from a public package registry (e.g., PyPI, NPM, or Docker Hub).
  - Filter/Exclusion: Exclude URLs that match known package registry domains (e.g., *.pypi.org, *.npmjs.com, *.docker.io).
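The two steps this hunt relies on, turning the defanged URLhaus rows into the `malicious_domains` list used by the KQL queries above and then suppressing the false-positive scenarios just listed, can be scripted so the domain list and the exclusion allowlist stay in sync with the IOC feed. The following Python is an added example and is not part of the original playbook or of URLhaus tooling. It assumes a subset of the IOC table as constructed input, a constructed set of proxy hits, and an exclusion list built from the wildcard patterns in the scenarios above; the substring match in `triage` only approximates the term-based behaviour of KQL `has_any`.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample: a subset of the IOC table above as (defanged URL, status).
IOCS = [
    ("hxxp://118.34.109.121:55534/i", "online"),
    ("hxxps://vrdccbank.com/Favour1.exe", "online"),
    ("hxxp://185.29.10.125/zHcAHnmc228.bin", "online"),
    ("hxxp://185.29.10.125/wjtfTSA232.bin", "online"),
    ("hxxps://paste.sensio.no/BirdsKnocked/", "offline"),
    ("hxxps://www.websenorllc.com/wordpress/IkcdoAf.txt", "online"),
    ("hxxps://www.websenorllc.com/wordpress/jrdpkhg.txt", "offline"),
]

# Constructed allowlist taken from the false-positive scenarios above.
EXCLUSION_PATTERNS = [
    "*.testmalware.com", "*.sandbox.example.com",
    "*.updates.example.com", "*.repo.example.com", "*.artifactory.example.com",
    "*.phishsim.example.com", "*.training.example.com",
    "*.microsoft.com", "*.adobe.com", "*.internal-repo.example.com",
    "*.pypi.org", "*.npmjs.com", "*.docker.io",
]


def refang(url: str) -> str:
    """Reverse URLhaus-style defanging (hxxp/hxxps, [.] and [:]) so urlsplit can parse it."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    lowered = url.lower()
    if lowered.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if lowered.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def extract_hosts(iocs, include_offline: bool = False):
    """De-duplicated, order-preserving list of hostnames/IPs (port stripped).

    Offline URLs are skipped by default, matching the domain list in the queries above;
    pass include_offline=True to hunt historical traffic as well.
    """
    hosts = []
    for url, status in iocs:
        if status != "online" and not include_offline:
            continue
        host = urlsplit(refang(url)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def kql_domain_list(hosts, name: str = "malicious_domains") -> str:
    """Render the hosts as the KQL `let ... = dynamic([...])` line the queries expect."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"


def is_excluded(host: str, patterns=EXCLUSION_PATTERNS) -> bool:
    """True if the requested host matches one of the documented false-positive patterns."""
    return any(fnmatch(host.lower(), p) for p in patterns)


def triage(hits, ioc_hosts, patterns=EXCLUSION_PATTERNS):
    """Keep (computer, matched_ioc, url) for hits on an IOC host not covered by an exclusion.

    hits: iterable of (computer, requested URL). The substring test below stands in for
    the broad matching of KQL has_any, which is exactly why the allowlist is needed.
    """
    kept = []
    for computer, url in hits:
        host = (urlsplit(url).hostname or "").lower()
        matched = next((ioc for ioc in ioc_hosts if ioc in host), None)
        if matched and not is_excluded(host, patterns):
            kept.append((computer, matched, url))
    return kept


# Constructed proxy hits, including a sandbox replay that must be excluded.
HITS = [
    ("ws01", "https://vrdccbank.com/Favour1.exe"),
    ("ws02", "http://185.29.10.125/RqPFF187.bin"),
    ("sbx01", "http://vrdccbank.com.sandbox.example.com/Favour1.exe"),
    ("ws03", "https://updates.microsoft.com/patch.cab"),
]

if __name__ == "__main__":
    hosts = extract_hosts(IOCS)
    print(kql_domain_list(hosts))
    for row in triage(HITS, hosts):
        print("HIT", *row)
```

Regenerate the `let` line from the full URLhaus export whenever the feed is refreshed rather than editing the query by hand, and review any host that `is_excluded` suppresses: a wildcard such as `*.sandbox.example.com` silently drops every hit beneath it, so the exclusion list should be as narrow as the scenario it documents.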