The hypothesis is that the detected malicious URLs are used by adversaries to download malware onto compromised systems, enabling further exploitation and data exfiltration. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they cause significant damage.
IOC Summary
Threat: malware_download | Total URLs: 10 | Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://0000153.0000255.0000011.0000125/httpswww.tcs.comwhat-we-doindustriespublic-servicessolutiontcs-sovereignsecure-cloudness.php | offline | malware_download | 2026-05-26 |
| hxxp://172.245.209.142/img/img_193010.png | online | malware_download | 2026-05-26 |
| hxxps://primultesst.infinityfreeapp.com/img_082539.png | online | malware_download | 2026-05-26 |
| hxxps://servercommunicationapiglobal.yzz.me/img_181401.png | offline | malware_download | 2026-05-26 |
| hxxp://107.173.9.85/70/img_225048.png | online | malware_download | 2026-05-26 |
| hxxp://107.173.9.85/70/giveubestthingsevermadefrome.js | online | malware_download | 2026-05-26 |
| hxxps://servercommunicationapiglobal.yzz.me/MSI_175111.png | online | malware_download | 2026-05-26 |
| hxxp://107.173.9.85/httpswww.tcs.comwhat-we-doindustriespublic-servicessolutiontcs-sovereignsecure-cloudness.php | offline | malware_download | 2026-05-26 |
| hxxps://jakos.ovh/Wm7gzv | offline | malware_download | 2026-05-26 |
| hxxp://107.173.9.85/70/ecc/enitrethingsgoodformybesthings.hta | online | malware_download | 2026-05-26 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// The list mixes hostnames and IPs: hostnames are matched against the queried
// Name, IPs against the resolved IPAddresses column.
let malicious_domains = dynamic(["primultesst.infinityfreeapp.com", "servercommunicationapiglobal.yzz.me", "107.173.9.85", "172.245.209.142"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// DestinationIP is checked as well so direct-to-IP downloads (107.173.9.85,
// 172.245.209.142) are caught even when no hostname is logged.
let malicious_domains = dynamic(["primultesst.infinityfreeapp.com", "servercommunicationapiglobal.yzz.me", "107.173.9.85", "172.245.209.142"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
  Filter/Exclusion: Exclude URLs that match known penetration testing domains (e.g., vulnweb.com, exploit-db.com) or use a custom list of approved test URLs.
- Scenario: A scheduled job is downloading updates from a legitimate internal repository that is mistakenly tagged as malicious.
  Filter/Exclusion: Exclude URLs that match internal IP ranges or internal domain names (e.g., internal-repo.corp.example.com).
- Scenario: A user is accessing a phishing simulation URL hosted by a security training platform (e.g., KnowBe4).
  Filter/Exclusion: Exclude URLs containing known training platform domains (e.g., knowbe4.com, phishsim.net) or use a custom list of allowed training URLs.
- Scenario: A legitimate software update is being downloaded from a trusted vendor (e.g., Microsoft, Adobe) but is falsely flagged because of a similarity with a known malicious URL.
  Filter/Exclusion: Exclude URLs that match known vendor update domains (e.g., download.microsoft.com, adobe.com) or use an allowlist of trusted update URLs.
- Scenario: A DevOps pipeline is pulling a dependency from a public package registry (e.g., npm, PyPI) that is flagged as malicious due to a false positive.
  Filter/Exclusion: Exclude URLs that match known package registry domains (e.g., npmjs.org, pypi.org) or use an allowlist of approved package sources.
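The following Python script is an added example, not part of the original hunting page: it re-fangs the IOC URLs from the table above, derives the host list used in the `let malicious_domains = dynamic([...])` line of both KQL queries, and applies the suffix-based allowlist exclusions from the scenarios to constructed CommonSecurityLog-style records. The internal-repo IOC entry and the sample records are constructed; the allowlist domains are the ones named in the scenarios.

```python
# Added example (not from the original hunting page): build the host list for the
# KQL queries from the IOC table and apply the false-positive allowlist.
import json
from urllib.parse import urlsplit

IOC_URLS = [  # defanged URLs copied from the IOC table above, plus one constructed FP
    "hxxp://172.245.209.142/img/img_193010.png",
    "hxxps://primultesst.infinityfreeapp.com/img_082539.png",
    "hxxps://servercommunicationapiglobal.yzz.me/MSI_175111.png",
    "hxxp://107.173.9.85/70/ecc/enitrethingsgoodformybesthings.hta",
    "hxxp://internal-repo.corp.example.com/pkg.tgz",  # constructed: internal repo mistakenly tagged
]
ALLOWLIST = ("knowbe4.com", "corp.example.com")  # from the scenarios above; suffix-matched
SAMPLE_RECORDS = [  # constructed CommonSecurityLog-style records for a dry run
    {"SourceIP": "10.0.0.5", "RequestURL": "hxxp://107.173.9.85/70/img_225048.png"},
    {"SourceIP": "10.0.0.6", "RequestURL": "hxxp://internal-repo.corp.example.com/pkg.tgz"},
    {"SourceIP": "10.0.0.7", "RequestURL": "hxxps://www.example.org/index.html"},
]

def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable one."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)

def ioc_hosts(urls) -> list:
    """Unique hostnames/IPs in first-seen order, for the KQL dynamic() list."""
    hosts = []
    for u in urls:
        h = urlsplit(refang(u)).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts

def kql_let(hosts) -> str:
    """Render the `let malicious_domains = dynamic([...]);` line used by both queries."""
    return f"let malicious_domains = dynamic({json.dumps(hosts)});"

def is_allowlisted(host: str) -> bool:
    """Suffix match so subdomains of an allowlisted domain are excluded too."""
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)

def hunt(records, hosts) -> list:
    """Records whose destination host is an IOC host and not allowlisted."""
    hits = []
    for r in records:
        h = urlsplit(refang(r["RequestURL"])).hostname or ""
        if h in hosts and not is_allowlisted(h):
            hits.append(r)
    return hits
```

Paste the output of `kql_let(ioc_hosts(IOC_URLS))` in place of the `let` line in either query when the IOC table is refreshed.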