The hypothesis is that the detected URLs are associated with Mirai malware, which is used to compromise IoT devices and launch DDoS attacks. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet activity and network compromise.
IOC Summary

Threat: mirai. Total URLs: 2. Active URLs: 2.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.111.178:46833/i | online | malware_download | 2026-04-20 |
| hxxp://110.37.111.178:46833/bin.sh | online | malware_download | 2026-04-20 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// Note: the URLhaus indicator is a bare IP, so a host contacting it directly
// generates no DNS query for it; IPAddresses is also checked so that any
// name resolving to the indicator is surfaced.
let malicious_domains = dynamic(["110.37.111.178"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
// DestinationIP is included because the indicator is an IP, not a hostname;
// DestinationPort is projected so hits on 46833 (the URLhaus port) stand out.
let malicious_domains = dynamic(["110.37.111.178"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a Mirai-based exploit detection tool by uploading a known malicious URL for analysis. | Exclude URLs that match the internal testing environment or are tagged with test or sandbox. |
| A scheduled job runs a network scan using Nmap with a custom script that includes a Mirai-related URL for vulnerability assessment. | Exclude URLs that originate from the Nmap scan tool or are part of a predefined list of test URLs used in security assessments. |
| A Windows Update task includes a URL pointing to a Mirai-related payload for internal research or red teaming purposes. | Exclude URLs that are part of the Windows Update service or are tagged with research or redteam. |
| A PowerShell script used by the IT department to automate system hardening includes a URL to a Mirai-related resource for educational purposes. | Exclude URLs that are associated with PowerShell scripts or are tagged with educational or training. |
| A SIEM log aggregation job pulls logs from a third-party security tool that includes a Mirai-related URL in its output for correlation purposes. | Exclude URLs that are part of the SIEM log processing pipeline or are tagged with log or correlation. |
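The following is an added example, not part of the original playbook: it refangs the two URLhaus entries above, matches constructed proxy records at host+port+path granularity (a higher-fidelity hit than the bare-IP match the KQL queries use, with same-host/other-path hits kept as a lower tier), and annotates each hit with any exclusion tags from the scenarios above. The record layout and the tag values are assumptions.

```python
"""Match URLhaus IOCs against proxy log records at URL granularity.
Added example; IOC rows are copied from the IOC summary, log records and
tag values are constructed for this demo."""
from urllib.parse import urlsplit

URLHAUS_IOCS = [  # defanged entries as listed in the IOC summary
    "hxxp://110.37.111.178:46833/i",
    "hxxp://110.37.111.178:46833/bin.sh",
]
# Tags from the filter/exclusion scenarios that mark sanctioned activity (assumed names)
EXCLUDED_TAGS = {"test", "sandbox", "research", "redteam", "educational", "training"}


def refang(url: str) -> str:
    """Turn a defanged URLhaus entry (hxxp://, [.]) back into a parseable URL."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


def ioc_key(url: str) -> tuple:
    """(host, port, path); default ports are filled in so comparison is exact."""
    p = urlsplit(refang(url))
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.hostname, port, p.path or "/")


def hunt(records: list, iocs=URLHAUS_IOCS) -> list:
    """Return hits for triage: exact URL matches, same-host matches, and any
    exclusion tags present on the record."""
    keys = {ioc_key(u) for u in iocs}
    hosts = {k[0] for k in keys}
    hits = []
    for r in records:
        host, port, path = ioc_key(r["RequestURL"])
        if (host, port, path) in keys:
            tier = "url"            # exact URLhaus URL: high confidence
        elif host in hosts:
            tier = "host"           # same infrastructure, other port/path: lower confidence
        else:
            continue
        excluded = sorted(set(r.get("Tags", [])) & EXCLUDED_TAGS)
        hits.append({"SourceIP": r["SourceIP"], "tier": tier, "excluded_by": excluded})
    return hits


SAMPLE_LOGS = [  # constructed CommonSecurityLog-style records
    {"SourceIP": "10.0.5.12", "RequestURL": "http://110.37.111.178:46833/bin.sh", "Tags": []},
    {"SourceIP": "10.0.9.3", "RequestURL": "http://110.37.111.178:46833/i", "Tags": ["sandbox"]},
    {"SourceIP": "10.0.7.8", "RequestURL": "http://110.37.111.178/", "Tags": []},
    {"SourceIP": "10.0.1.1", "RequestURL": "http://example.org/bin.sh", "Tags": []},
]
```

Running `hunt(SAMPLE_LOGS)` yields two exact URL hits (one carrying the `sandbox` exclusion tag) and one same-host hit; the unrelated host is not reported.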