This hunt hypothesis assumes that adversaries use Mozi malware distribution URLs to compromise endpoints and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel so that infections are identified and contained before they spread within the network.
IOC Summary
| Threat | Total URLs | Active URLs |
|---|---|---|
| Mozi | 14 | 12 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://219.156.57.232:37983/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://110.39.238.26:39926/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://219.157.218.100:47777/i | online | malware_download | 2026-05-24 |
| hxxp://219.157.218.100:47777/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://27.219.117.196:36589/i | online | malware_download | 2026-05-24 |
| hxxp://125.45.9.86:48712/i | offline | malware_download | 2026-05-24 |
| hxxp://27.219.117.196:36589/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://125.45.9.86:48712/bin.sh | offline | malware_download | 2026-05-24 |
| hxxp://222.139.91.177:48286/i | online | malware_download | 2026-05-24 |
| hxxp://221.15.189.197:58871/i | online | malware_download | 2026-05-24 |
| hxxp://222.139.91.177:48286/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://61.54.253.107:44366/i | online | malware_download | 2026-05-24 |
| hxxp://221.15.189.197:58871/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://61.54.253.107:44366/bin.sh | online | malware_download | 2026-05-24 |
Run each query on its own: a Kusto query body may contain only one tabular expression, so the two hunts below each declare their own indicator list. The indicators are IP literals rather than domain names, so both queries also match on the IP address columns.

```kusto
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts
// Threat: Mozi
// The URLs use IP literals, so the list is matched against the resolved
// addresses (IPAddresses) as well as the queried name.
let malicious_ips = dynamic(["219.157.218.100", "61.54.253.107", "219.156.57.232", "27.219.117.196", "221.15.189.197", "110.39.238.26", "222.139.91.177"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus-listed Mozi hosts
// Threat: Mozi
// DestinationIP is an exact match on the address; RequestURL and DestinationHostName
// catch proxies and firewalls that log the full URL or host instead.
let malicious_ips = dynamic(["219.157.218.100", "61.54.253.107", "219.156.57.232", "27.219.117.196", "221.15.189.197", "110.39.238.26", "222.139.91.177"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
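As an added example (not part of the original hunt content), the following Python shows how the indicator list embedded in those queries is derived from the URLhaus rows in the table above: it refangs the URLs, keeps only hosts whose entries are still online, which is how the seven addresses in the queries come out of the fourteen URLs, renders the `let ... = dynamic([...]);` statement, and checks constructed firewall lines against the list the way the CommonSecurityLog hunt does. The log lines and their `src`/`dst` fields are constructed for the example, not taken from a real device.

```python
import re
from urllib.parse import urlparse

# The 14 defanged URLhaus rows from the table above, as (url, status) pairs.
IOC_ROWS = [
    ("hxxp://219.156.57.232:37983/bin.sh", "online"),
    ("hxxp://110.39.238.26:39926/bin.sh", "online"),
    ("hxxp://219.157.218.100:47777/i", "online"),
    ("hxxp://219.157.218.100:47777/bin.sh", "online"),
    ("hxxp://27.219.117.196:36589/i", "online"),
    ("hxxp://125.45.9.86:48712/i", "offline"),
    ("hxxp://27.219.117.196:36589/bin.sh", "online"),
    ("hxxp://125.45.9.86:48712/bin.sh", "offline"),
    ("hxxp://222.139.91.177:48286/i", "online"),
    ("hxxp://221.15.189.197:58871/i", "online"),
    ("hxxp://222.139.91.177:48286/bin.sh", "online"),
    ("hxxp://61.54.253.107:44366/i", "online"),
    ("hxxp://221.15.189.197:58871/bin.sh", "online"),
    ("hxxp://61.54.253.107:44366/bin.sh", "online"),
]

def refang(url):
    """Reverse URLhaus-style defanging (hxxp -> http, [.] -> ., [:] -> :)."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".").replace("[:]", ":")

def extract_hosts(rows, include_offline=False):
    """Unique hosts behind the URLs; offline entries are dropped unless asked for."""
    hosts = {urlparse(refang(u)).hostname for u, s in rows if include_offline or s == "online"}
    return sorted(hosts)

def to_kql_let(name, values):
    """Render the let ... = dynamic([...]); statement the hunt queries start with."""
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in values))

# Constructed CEF-style firewall lines (not from a real device) to exercise the list.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=219.157.218.100 dpt=47777 request=http://219.157.218.100:47777/bin.sh act=allowed",
    "src=10.0.0.6 dst=203.0.113.10 dpt=443 request=https://example.com/ act=allowed",
    "src=10.0.0.7 dst=125.45.9.86 dpt=48712 request=http://125.45.9.86:48712/i act=denied",
]

def match_destinations(lines, hosts):
    """Return (src, dst) pairs whose destination is an IOC host, as the CommonSecurityLog hunt does."""
    wanted = set(hosts)
    hits = []
    for line in lines:
        m = re.search(r"src=(\S+) dst=(\S+)", line)
        if m and m.group(2) in wanted:
            hits.append((m.group(1), m.group(2)))
    return hits
```

Passing `include_offline=True` widens the list to all eight hosts, which is useful for retrospective hunts over older logs where a now-offline distribution server may still have been reachable.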
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URLhaus URL used in threat intelligence sharing | A security team manually shares a URL from URLhaus as part of an internal threat intelligence update. | Exclude URLs that are manually added to a trusted threat intelligence list (e.g., urlhaus_tlp_white or trusted_intel_urls). |
| Scheduled job for malware sample analysis | A scheduled job downloads a malware sample from a known URLhaus entry to analyze in a sandbox environment. | Exclude URLs associated with automated analysis tools like Cuckoo Sandbox or Joe Sandbox (e.g., job_type = "sandbox_analysis"). |
| Admin task to update endpoint protection definitions | An admin updates endpoint protection definitions using a URL from URLhaus that is part of a legitimate signature update. | Exclude URLs that match known update servers (e.g., url contains "update.microsoft.com" or url contains "malwarebytes.com"). |
| User accessing a phishing page for training purposes | A security team sets up a phishing page using a URL from URLhaus for employee training. | Exclude URLs that are part of a known training environment (e.g., url contains "phishing-training.example.com" or source = "security-training"). |
| Internal tool for malware repository access | An internal tool used by the SOC to access a malware repository includes a URL from URLhaus as part of its configuration. | Exclude URLs that are part of internal tools or repositories (e.g., url contains "internal-malware-repo.example.com" or tool_name = "internal_malware_repo"). |