The hypothesis is that the detected URLs are Mozi botnet payload-download locations: each points at a raw IP address on a high, non-standard port serving a shell-script dropper (bin.sh), the pattern Mozi uses when a newly compromised IoT device is instructed to fetch its payload and join the botnet's peer-to-peer command and control. SOC teams should proactively hunt for these indicators in Azure Sentinel (now Microsoft Sentinel) to identify and contain compromised endpoints and network devices. Because the indicators are IP addresses rather than domains, expect matches in proxy, firewall and network-flow logs rather than in DNS query logs.
IOC Summary
Threat: Mozi
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.58.173.24:59650/bin.sh | online | malware_download | 2026-05-29 |
| hxxp://110.36.0.157:59018/bin.sh | online | malware_download | 2026-05-29 |
// Hunt for DNS activity involving URLhaus Mozi indicators
// Threat: Mozi
// Both indicators are raw IPs, so a direct download performs no forward DNS
// lookup. Match on resolved answers (IPAddresses) and on reverse (PTR) lookups
// of the IPs instead of on the query name, which would never equal an IP.
let malicious_ips = dynamic(["110.36.0.157", "115.58.173.24"]);
let ptr_names = dynamic(["157.0.36.110.in-addr.arpa", "24.173.58.115.in-addr.arpa"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (ptr_names)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for proxy/firewall traffic to URLhaus Mozi indicators
// Threat: Mozi
// DestinationIP is the primary match; RequestURL and DestinationHostName are
// only populated by proxies and web gateways. DestinationPort is projected so
// hits on the published ports (59650, 59018) can be triaged first.
let malicious_ips = dynamic(["110.36.0.157", "115.58.173.24"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from firewalls, proxies and web gateways; ensure the connector is enabled and that the devices that see egress traffic are forwarding to it |
| DnsEvents | Populated by the DNS data connector for Windows DNS servers; ensure it is enabled, and note that direct-IP downloads will not appear here |
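The same hunt logic, run offline over constructed sample records, as an added example that is not part of the original page or of any Sentinel content. It refangs the URLhaus entries (hxxp, [.]), extracts the IP and port from each, mirrors the CommonSecurityLog and DnsEvents queries above, and applies an allowlist of analysis hosts so sandbox fetches are reported separately, which is the exclusion the false-positive scenarios below call for. The record field names follow the Sentinel tables; the sample log lines, the ANALYSIS_HOSTS set and the RFC 5737/example addresses are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# The two URLhaus entries from the IOC table above, as published (defanged).
URLHAUS_IOCS = [
    {"url": "hxxp://115.58.173.24:59650/bin.sh", "status": "online", "threat": "malware_download"},
    {"url": "hxxp://110.36.0.157:59018/bin.sh", "status": "online", "threat": "malware_download"},
]

# Constructed sample records for the demo (CommonSecurityLog-style fields); not real logs.
SAMPLE_CSL = [
    {"TimeGenerated": "2026-05-29T10:01:00Z", "SourceIP": "10.0.4.21", "DestinationIP": "115.58.173.24",
     "DestinationPort": 59650, "RequestURL": "", "DestinationHostName": "", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-29T10:02:00Z", "SourceIP": "10.0.9.5", "DestinationIP": "93.184.216.34",
     "DestinationPort": 443, "RequestURL": "https://example.com/", "DestinationHostName": "example.com",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-29T10:03:00Z", "SourceIP": "10.0.99.2", "DestinationIP": "110.36.0.157",
     "DestinationPort": 59018, "RequestURL": "http://110.36.0.157:59018/bin.sh", "DestinationHostName": "",
     "DeviceAction": "allow"},
]
# Constructed DnsEvents-style records: one benign lookup and one reverse lookup of an IOC IP.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-29T10:00:30Z", "Computer": "dc01", "ClientIP": "10.0.4.21",
     "Name": "example.com", "IPAddresses": "93.184.216.34"},
    {"TimeGenerated": "2026-05-29T10:01:05Z", "Computer": "dc01", "ClientIP": "10.0.4.21",
     "Name": "24.173.58.115.in-addr.arpa", "IPAddresses": ""},
]
# Hosts expected to touch live malware URLs (sandbox, analyst jump box); assumed for the demo.
ANALYSIS_HOSTS = {"10.0.99.2"}


def refang(url: str) -> str:
    """Turn URLhaus-style defanging (hxxp, [.], [:]) back into a parsable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_ip_ports(iocs):
    """Return {ip: {port, ...}} for every IOC whose host is a literal IPv4 address."""
    out = {}
    for ioc in iocs:
        parts = urlsplit(refang(ioc["url"]))
        host = parts.hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            port = parts.port or (443 if parts.scheme == "https" else 80)
            out.setdefault(host, set()).add(port)
    return out


def hunt_csl(records, iocs, exclude_sources=frozenset()):
    """Mirror of the CommonSecurityLog query: match on destination IP, request URL host
    or destination host name; sources in exclude_sources go to a separate list.
    Returns (hits, excluded); each record gains PortMatchesIOC for triage ordering."""
    ip_ports = ioc_ip_ports(iocs)
    ips = set(ip_ports)
    hits, excluded = [], []
    for r in records:
        url_host = urlsplit(r.get("RequestURL") or "").hostname or ""
        if not (r.get("DestinationIP") in ips or url_host in ips or r.get("DestinationHostName") in ips):
            continue
        # The host is the indicator; a different port is still a hit, just lower priority.
        r = dict(r, PortMatchesIOC=r.get("DestinationPort") in ip_ports.get(r.get("DestinationIP"), set()))
        (excluded if r["SourceIP"] in exclude_sources else hits).append(r)
    return hits, excluded


def hunt_dns(records, iocs):
    """Mirror of the DnsEvents query: a direct-IP download performs no forward lookup,
    so only answers containing the IP or reverse (PTR) lookups of it can match."""
    ips = set(ioc_ip_ports(iocs))
    ptr = {".".join(reversed(ip.split("."))) + ".in-addr.arpa" for ip in ips}
    hits = []
    for r in records:
        answers = {a.strip() for a in (r.get("IPAddresses") or "").split(",")}
        if answers & ips or (r.get("Name") or "").lower() in ptr:
            hits.append(r)
    return hits


if __name__ == "__main__":
    hits, excluded = hunt_csl(SAMPLE_CSL, URLHAUS_IOCS, ANALYSIS_HOSTS)
    for h in hits:
        print("HIT", h["TimeGenerated"], h["SourceIP"], "->", h["DestinationIP"], h["DestinationPort"],
              "port_matches_ioc=", h["PortMatchesIOC"])
    for e in excluded:
        print("EXCLUDED (analysis host)", e["SourceIP"], "->", e["DestinationIP"])
    for d in hunt_dns(SAMPLE_DNS, URLHAUS_IOCS):
        print("DNS HIT", d["ClientIP"], d["Name"])
```

Running it reports the workstation 10.0.4.21 as a hit on both the firewall record and the PTR lookup, and files the sandbox host's fetch under excluded rather than silently dropping it, so the exclusion stays auditable.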
Scenario: URLhaus entry shared as threat intelligence
Description: A security team circulates the URLhaus entry for a Mozi URL in a ticket, chat, e-mail or threat intelligence platform. The URL string itself generates no traffic to the indicator, but link-preview features, mail-gateway URL scanners and TI platforms that enrich indicators by fetching them can produce a genuine connection to the IP.
Filter/Exclusion: Exclude the source addresses of the TI platform or URL-scanning service (for example a SourceIP allowlist in the CommonSecurityLog query), and use the ThreatIntelligenceIndicator table to tell imported indicators apart from observed traffic.
Scenario: Scheduled job for malware sample analysis
Description: A scheduled job runs a malware analysis tool (e.g., Cuckoo Sandbox) that downloads a Mozi sample from a URLhaus entry for analysis, producing a real connection to the indicator from the sandbox host.
Filter/Exclusion: Exclude the sandbox's source addresses in the network queries. CommonSecurityLog carries no process name, so process-based exclusions (e.g., a cuckoo or yara process) are only possible in endpoint tables such as DeviceNetworkEvents via InitiatingProcessFileName; keep the sandbox on an isolated egress so its traffic is easy to separate.
Scenario: Deliberate fetch by administrators or incident responders
Description: During cleanup of a Mozi infection, an administrator or responder fetches the dropper (e.g., with curl or wget from a jump host) to confirm the indicator, collect the sample or check whether the download server is still online.
Filter/Exclusion: Exclude the designated responder jump hosts or analyst accounts, and require the fetch to be recorded in the incident ticket. Do not exclude all privileged users: Mozi's own activity on a compromised device runs with administrative rights, so a blanket admin exclusion hides the true positives.
Scenario: Security testing that references Mozi indicators
Description: A phishing simulation or red-team exercise references a URLhaus Mozi URL. A live malware URL must never be embedded in an awareness test, so in practice the indicator only appears as text, and traffic arises only when security tooling (link scanners, sandboxes) follows it.
Filter/Exclusion: Exclude the simulation platform's egress addresses for the documented test window and keep hits from any other source; a connection to the indicator from an ordinary workstation is not explained by the exercise.
Scenario: Automated IOC import from URLhaus into SIEM
Description: A SIEM system automatically imports IOC data from URLhaus, including