The hypothesis is that the detected URLs are associated with Mirai malware, which is used to compromise IoT devices and launch DDoS attacks. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet activity and network compromise.
IOC Summary

Threat: mirai
Total URLs: 8
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://77.247.88.82:44690/i | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_mips | offline | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_386 | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_arm7 | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_arm5 | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_amd64 | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_mipsle | online | malware_download | 2026-05-28 |
| hxxp://146.19.213.198:8080/vulcan_arm64 | online | malware_download | 2026-05-28 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: mirai
// The indicators here are IP addresses, so they rarely appear in the queried
// Name; also match the resolved IPAddresses column to catch hosts that
// resolve to the indicator infrastructure.
let malicious_domains = dynamic(["77.247.88.82", "146.19.213.198"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: mirai
let malicious_domains = dynamic(["77.247.88.82", "146.19.213.198"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios and Exclusions

- Scenario: A system administrator is manually testing a Mirai-based exploit detection tool by uploading a known benign payload for analysis.
  Filter/Exclusion: Exclude URLs containing the string `test_payload` or `sandbox_analysis` in the URL path or query parameters.
- Scenario: A scheduled job runs a script that downloads a Mirai-related research paper or whitepaper from a legitimate academic or security research website.
  Filter/Exclusion: Exclude URLs from domains such as `*.mit.edu`, `*.researchgate.net`, or `*.arxiv.org` that are known to host security research content.
- Scenario: A DevOps team uses a CI/CD pipeline to deploy a containerized application, and the deployment script includes a URL to a public Docker registry that is flagged by URLhaus as Mirai-related.
  Filter/Exclusion: Exclude URLs that match the pattern `docker.io/library/` or `registry.hub.docker.com/` and are part of a known CI/CD toolchain (e.g., Jenkins, GitLab CI).
- Scenario: An IT admin is performing a system cleanup and uses a third-party tool to scan for malware, which includes a Mirai-related URL in its database for reference.
  Filter/Exclusion: Exclude URLs that are part of a known malware reference database (e.g., VirusTotal, AlienVault OTX) and are used for signature matching.
- Scenario: A security team is conducting a red team exercise and uses a Mirai-based payload as part of a controlled penetration test.
  Filter/Exclusion: Exclude URLs that are part of a red team exercise or lab environment, identified by a specific lab domain (e.g., `*.lab.example.com`) or a custom tag in the URL.
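The following is an added example (not part of the URLhaus feed or the Sentinel queries above) that mirrors the CommonSecurityLog hunt offline: it refangs the IOC URLs into host:port indicators, runs them over constructed proxy-style records, and applies two of the exclusions from the scenarios above. The `SAMPLE_RECORDS`, the `.lab.example.com` suffix and the marker strings are assumptions taken from the scenario text, not real telemetry or tuning values.

```python
from urllib.parse import urlsplit
# Indicators copied from the IOC table above, still in defanged hxxp form.
IOC_URLS = [
    "hxxp://77.247.88.82:44690/i",
    "hxxp://146.19.213.198:8080/vulcan_mips",
    "hxxp://146.19.213.198:8080/vulcan_386",
    "hxxp://146.19.213.198:8080/vulcan_arm7",
    "hxxp://146.19.213.198:8080/vulcan_arm5",
    "hxxp://146.19.213.198:8080/vulcan_amd64",
    "hxxp://146.19.213.198:8080/vulcan_mipsle",
    "hxxp://146.19.213.198:8080/vulcan_arm64",
]
# Exclusion values taken from the false-positive scenarios above (assumed tuning).
EXCLUDED_MARKERS = ("test_payload", "sandbox_analysis")
LAB_SUFFIX = ".lab.example.com"

def refang(url):
    """Turn the defanged hxxp:// form back into a parseable URL."""
    return url.replace("hxxp://", "http://", 1)

def ioc_hosts(urls):
    """Distinct (host, port) pairs to key the hunt on; port defaults to 80."""
    return {(u.hostname, u.port or 80) for u in map(urlsplit, map(refang, urls))}

def is_excluded(url):
    """Suppress URLs the tuning scenarios treat as benign."""
    host = urlsplit(url).hostname or ""
    return any(m in url for m in EXCLUDED_MARKERS) or host.endswith(LAB_SUFFIX)

def hunt(records, hosts=None):
    """Match RequestURL host:port or DestinationHostName, like the KQL above."""
    hosts = ioc_hosts(IOC_URLS) if hosts is None else hosts
    bare_hosts = {h for h, _ in hosts}
    hits = []
    for r in records:
        url = r.get("RequestURL") or ""
        if is_excluded(url):
            continue
        u = urlsplit(url)
        if (u.hostname, u.port or 80) in hosts or r.get("DestinationHostName") in bare_hosts:
            hits.append(r)
    return hits

# Constructed sample records using CommonSecurityLog column names (not real telemetry).
SAMPLE_RECORDS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://146.19.213.198:8080/vulcan_arm7", "DestinationHostName": "146.19.213.198", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.7", "RequestURL": "", "DestinationHostName": "77.247.88.82", "DeviceAction": "deny"},
    {"SourceIP": "10.0.0.9", "RequestURL": "http://146.19.213.198:8080/i?sandbox_analysis=1", "DestinationHostName": "146.19.213.198", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.11", "RequestURL": "http://updates.example.org/vulcan_mips", "DestinationHostName": "updates.example.org", "DeviceAction": "allow"},
]
```

The third record is suppressed even though it reaches a known IOC host, which is the cost of a substring exclusion: scope such exclusions to the sandbox or lab source hosts that legitimately generate them rather than applying them to every request.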