This hunt hypothesis looks for hosts in the environment contacting URLs that URLhaus attributes to the Mozi botnet; URLhaus lists them as payload-delivery endpoints and they are associated with Mozi command-and-control infrastructure. SOC teams should proactively hunt for this traffic in Azure Sentinel so that compromised devices are identified and contained early in the attack lifecycle.
IOC Summary
Threat: Mozi
Total URLs: 10
Active URLs: 9

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.59.39.40:40460/i | online | malware_download | 2026-06-03 |
| hxxp://110.36.30.112:39559/i | online | malware_download | 2026-06-03 |
| hxxp://110.36.30.112:39559/bin.sh | online | malware_download | 2026-06-03 |
| hxxp://123.12.232.53:41717/i | online | malware_download | 2026-06-03 |
| hxxp://42.231.72.81:39305/i | online | malware_download | 2026-06-03 |
| hxxp://119.186.206.114:60002/i | online | malware_download | 2026-06-03 |
| hxxp://219.156.19.188:60725/i | online | malware_download | 2026-06-03 |
| hxxp://219.156.19.188:60725/bin.sh | online | malware_download | 2026-06-03 |
| hxxp://112.248.107.27:53324/i | online | malware_download | 2026-06-03 |
| hxxp://42.227.200.166:45962/bin.sh | offline | malware_download | 2026-06-03 |
```kusto
// Hunt for DNS activity involving the URLhaus Mozi IOCs
// Threat: Mozi
// The IOCs are bare IPs (the online hosts from the table above), so a query Name will
// rarely contain them; the resolved IPAddresses column is checked as well so that any
// domain resolving to one of these hosts is caught.
let malicious_ips = dynamic(["112.248.107.27", "119.186.206.114", "42.231.72.81", "110.36.30.112", "115.59.39.40", "219.156.19.188", "123.12.232.53"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web, proxy and firewall traffic to the URLhaus Mozi IOCs
// Threat: Mozi
let malicious_ips = dynamic(["112.248.107.27", "119.186.206.114", "42.231.72.81", "110.36.30.112", "115.59.39.40", "219.156.19.188", "123.12.232.53"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)   // exact match on the destination address for devices that log no URL
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
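As an added example that is not part of the original hunt card: a Python helper that turns the defanged URLhaus rows above into the KQL `let` bindings the queries use. It keeps only URLs with status online (which is exactly the host set the query lists contain) and separates literal IPs from domains, since only domains are worth matching against DNS query names while IPs belong in the DestinationIP/URL clauses. The row data is the page's IOC table, re-keyed here as constructed (URL, status) tuples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed input: (defanged URL, URLhaus status) pairs taken from the IOC table above.
URLHAUS_ROWS = [
    ("hxxp://115.59.39.40:40460/i", "online"),
    ("hxxp://110.36.30.112:39559/i", "online"),
    ("hxxp://110.36.30.112:39559/bin.sh", "online"),
    ("hxxp://123.12.232.53:41717/i", "online"),
    ("hxxp://42.231.72.81:39305/i", "online"),
    ("hxxp://119.186.206.114:60002/i", "online"),
    ("hxxp://219.156.19.188:60725/i", "online"),
    ("hxxp://219.156.19.188:60725/bin.sh", "online"),
    ("hxxp://112.248.107.27:53324/i", "online"),
    ("hxxp://42.227.200.166:45962/bin.sh", "offline"),
]

def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so urlsplit can parse the URL."""
    for bad, good in (("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("[:]", ":")):
        url = url.replace(bad, good)
    return url

def extract_hosts(rows, only_online=True):
    """Unique hosts from the feed; offline URLs are dropped by default, as in the hunt queries."""
    hosts = set()
    for url, status in rows:
        if only_online and status != "online":
            continue
        hostname = urlsplit(refang(url)).hostname  # strips scheme, port and path
        if hostname:
            hosts.add(hostname)
    return sorted(hosts)

def split_ips_and_domains(hosts):
    """Literal IPs go to the DestinationIP/URL clauses; only domains make sense for DNS Name matching."""
    ips, domains = [], []
    for host in hosts:
        try:
            ipaddress.ip_address(host)
            ips.append(host)
        except ValueError:
            domains.append(host)
    return ips, domains

def kql_let(name, values):
    """Render a KQL `let` binding ready to paste at the top of a hunting query."""
    quoted = ", ".join('"%s"' % v for v in values)
    return f"let {name} = dynamic([{quoted}]);"
```

Calling `kql_let("malicious_ips", split_ips_and_domains(extract_hosts(URLHAUS_ROWS))[0])` reproduces the seven-address list used in both queries above, so the bindings can be regenerated whenever the URLhaus feed changes.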
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URLhaus URL used for threat intelligence sharing
Description: A security team member manually inputs a URL from URLhaus into a threat intelligence platform for analysis.
Filter/Exclusion: Exclude URLs that are manually entered into threat intel platforms by users with “Threat Intelligence Analyst” role or those that match known URLhaus hashes.
Scenario: Scheduled job for malware sample submission to URLhaus
Description: A scheduled job automatically submits malware samples to URLhaus for analysis, which includes generating and accessing URLs.
Filter/Exclusion: Exclude URLs originating from scheduled jobs with names like “submit_to_urlhaus.sh” or “malware_submission_job” running under a service account.
Scenario: Admin task to update URLhaus database
Description: An admin runs a script to fetch and update the URLhaus database, which includes downloading and accessing URLs.
Filter/Exclusion: Exclude URLs accessed by processes running under the “admin” or “urlhaus_update” service account, or those matching known URLhaus API endpoints.
Scenario: User accessing URLhaus for research purposes
Description: A security researcher accesses URLhaus through a browser or API to study known malicious URLs for educational or investigative purposes.
Filter/Exclusion: Exclude URLs accessed by users with “Researcher” or “Analyst” roles, or those that match known URLhaus research endpoints.
Scenario: Log management tool accessing URLhaus for correlation
Description: A log management tool like Splunk or ELK accesses URLhaus to correlate logs with known malicious URLs.
Filter/Exclusion: Exclude URLs accessed by tools such as Splunk or Logstash that are configured to query URLhaus for correlation purposes.