The hypothesis is that an adversary is using URLs hosted on 102.220.160.47 (URLhaus threat entry 102-220-160-47) to deliver malware. The ten listed paths (arm, arm5, arm6, arm7, mips, mpsl, ppc, sh4, x86, x86_64) are the architecture-named binaries typical of Linux/IoT botnet droppers, so an internal host requesting one of them is usually an already-compromised device fetching its next stage; the IOC data supports malware download, not exfiltration. SOC teams should proactively hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain affected hosts before the payload executes.
IOC Summary
Threat: 102-220-160-47
Total URLs: 10
Active URLs: 10
URLs are defanged (hxxp). All ten point at the same host and differ only in the architecture-named file.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://102.220.160.47/arm6 | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/sh4 | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/arm7 | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/mpsl | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/arm5 | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/x86_64 | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/ppc | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/mips | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/arm | online | malware_download | 2026-05-19 |
| hxxp://102.220.160.47/x86 | online | malware_download | 2026-05-19 |
// Hunt for DNS answers that resolve to the URLhaus IP.
// The IOC is a bare IP, so matching it against the queried Name never hits: a URL such as
// hxxp://102.220.160.47/mips generates no DNS lookup at all. Match the answer field instead,
// which catches any attacker domain that currently resolves to the same host.
// Threat: 102-220-160-47
let malicious_ips = dynamic(["102.220.160.47"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for firewall/proxy traffic to the URLhaus IP.
// DestinationIP is the primary match; RequestURL and DestinationHostName only help when the
// device logs the full request, and a bare-IP URL may leave DestinationHostName empty.
let malicious_ips = dynamic(["102.220.160.47"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
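The two queries above check each source on its own and ignore endpoint telemetry. The query below is an added example for this playbook, not part of the original page: it unions DNS answers, CEF firewall/proxy records and DeviceNetworkEvents (assumed to be ingested through the Microsoft Defender XDR connector; drop that leg if you do not have it), extracts the last path segment of the requested URL so a host that walks through several architecture variants stands out, and summarizes per source host. The 30-day lookback and the severity labels are assumptions to tune to your environment.

```kusto
// Added example: multi-source hunt for 102.220.160.47 with payload-name extraction.
// Assumes DeviceNetworkEvents is available (Microsoft Defender XDR connector).
let ioc_ip = "102.220.160.47";
let payload_names = dynamic(["arm", "arm5", "arm6", "arm7", "mips", "mpsl", "ppc", "sh4", "x86", "x86_64"]);
let lookback = 30d;
// DNS answers resolving to the IP (a bare-IP URL itself produces no lookup).
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where IPAddresses has ioc_ip
    | project TimeGenerated, Source = "DnsEvents", Host = Computer, ClientIP, Url = Name, Process = "", Action = "";
// Firewall / proxy records in CEF format.
let cef_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP == ioc_ip or RequestURL has ioc_ip
    | project TimeGenerated, Source = strcat("CEF:", DeviceVendor), Host = DeviceName, ClientIP = SourceIP,
              Url = RequestURL, Process = "", Action = DeviceAction;
// Endpoint network events carry the initiating process, which the other sources lack.
let mde_hits = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where RemoteIP == ioc_ip or RemoteUrl has ioc_ip
    | project TimeGenerated, Source = "DeviceNetworkEvents", Host = DeviceName, ClientIP = LocalIP,
              Url = RemoteUrl, Process = InitiatingProcessCommandLine, Action = ActionType;
union dns_hits, cef_hits, mde_hits
// Last path segment, e.g. "mips" from hxxp://102.220.160.47/mips; empty when no path was logged.
| extend PayloadName = extract(@"/([^/?#]+)/?$", 1, Url)
| extend KnownDropperVariant = PayloadName in (payload_names)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count(),
            Variants = make_set_if(PayloadName, KnownDropperVariant),
            Sources = make_set(Source), Processes = make_set(Process), Actions = make_set(Action)
  by Host, ClientIP
// A host fetching more than one architecture variant is the classic dropper loop trying each binary in turn.
| extend Severity = case(
    array_length(Variants) > 1, "High: host iterating through architecture payloads",
    array_length(Variants) == 1, "High: known dropper payload requested",
    "Medium: contact with IOC IP, path not in the URLhaus list")
| order by LastSeen desc
```

Run it from the Sentinel Logs blade; the Actions column tells you whether the firewall or proxy blocked the request, and the Processes column (populated only from DeviceNetworkEvents) is the first thing to check on any High row.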
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors (firewall, proxy). Ensure the connector is enabled and that DestinationIP and RequestURL are mapped by the device. |
| DnsEvents | Populated by the DNS connector. Ensure it is enabled; only answers resolving to the IP appear here, because a bare-IP URL triggers no lookup. |
Scenario: Legitimate system update via URLhaus IP
Description: A system update or patch is downloaded from 102.220.160.47. Treat this as a false positive only if your own inventory or the vendor confirms the IP as an update source; the URLhaus listing shows raw architecture-named binaries, which no update channel delivers.
Filter/Exclusion: process.parent_process_name == "Windows Update" or process.command_line contains "wusa.exe", combined with a known-good hash of the downloaded file. The process.* names used in these filters are generic; in Sentinel they correspond to InitiatingProcessFileName and InitiatingProcessCommandLine in DeviceNetworkEvents.
Scenario: Scheduled backup job using a known IP
Description: A scheduled backup job transfers data to 102.220.160.47 because the IP is documented as part of the company's backup infrastructure. Verify that documentation before excluding anything; a backup destination that also serves dropper payloads should be treated as compromised.
Filter/Exclusion: process.command_line contains "backup.exe" or process.parent_process_name == "Task Scheduler", restricted to the documented backup hosts.
Scenario: Admin task using a legitimate tool
Description: An administrator uses PowerShell or curl to fetch a script or configuration file from 102.220.160.47. Confirm with the administrator and check the requested path: a request for one of the listed payload names (arm, mips, x86, ...) is not an admin task.
Filter/Exclusion: process.user in a named administrator group or process.command_line contains "powershell.exe -Command". Do not exclude on process.user == "admin" alone; an attacker with stolen admin credentials runs the same tools.
Scenario: Security tool retrieving the listed URLs
Description: A sandbox, URL scanner or threat-intelligence validator fetches the listed URLs from 102.220.160.47 to collect samples. The URLhaus feed itself is served by abuse.ch, not by this IP, so downloading the feed never produces traffic to it.
Filter/Exclusion: process.command_line contains "ossec" or process.command_line contains "splunk", or the source host is a designated analysis system. Apply the match to the command line on both sides of the or; the shorthand contains "ossec" or "splunk" is ambiguous.
Scenario: Legitimate software distribution via internal proxy
Description: The company's internal proxy fetches software from 102.220.160.47 on behalf of clients. In CommonSecurityLog the SourceIP is then the proxy, not the requesting client, so pivot to the proxy's own access log to identify the real requester before deciding anything.
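The filters above are written in generic process.* pseudo-fields. The query below is an added example, not part of the original playbook, that expresses the same exclusions against DeviceNetworkEvents (assumed to be ingested through the Microsoft Defender XDR connector), where the initiating process, its parent and the account are already on the network event. It classifies each hit by process context and surfaces it with a verdict rather than silently dropping it; the only suppression is an allowlist that is empty on purpose and must be filled with processes you have verified, which is an assumption of this example rather than anything the page prescribes.

```kusto
// Added example: process-context triage for hits on 102.220.160.47 (not the playbook's own query).
// Assumes DeviceNetworkEvents (Microsoft Defender XDR connector).
let ioc_ip = "102.220.160.47";
let payload_names = dynamic(["arm", "arm5", "arm6", "arm7", "mips", "mpsl", "ppc", "sh4", "x86", "x86_64"]);
// Placeholder allowlist: add processes (e.g. "backupagent.exe") only after confirming the download by hash.
let confirmed_benign_processes = dynamic([]);
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where RemoteIP == ioc_ip or RemoteUrl has ioc_ip
| extend PayloadName = extract(@"/([^/?#]+)/?$", 1, RemoteUrl)
// Map the generic process.* filters of the false-positive scenarios onto real fields.
| extend Context = case(
    InitiatingProcessFileName in~ ("wusa.exe", "wuauclt.exe", "usoclient.exe"), "update-client",
    InitiatingProcessFileName in~ ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "curl", "wget"), "manual-fetch",
    // Heuristic: tasks started by the Task Scheduler service run under svchost.exe -k ... -s Schedule.
    InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule", "scheduled-task",
    "other")
| extend Verdict = case(
    // Suppress only a verified process that did NOT request a listed dropper payload.
    InitiatingProcessFileName in~ (confirmed_benign_processes) and PayloadName !in (payload_names), "suppress-confirmed",
    PayloadName in (payload_names), "escalate: known dropper payload requested",
    Context == "update-client", "review: update client contacting a non-vendor IP",
    Context == "manual-fetch", "review: interactive download, confirm user and script",
    Context == "scheduled-task", "review: scheduled task, compare with documented backup jobs",
    "escalate: unexplained contact with IOC IP")
| project TimeGenerated, DeviceName, LocalIP, RemoteUrl, PayloadName, ActionType,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, Context, Verdict
| order by TimeGenerated desc
```

Note that a request for any of the listed payload names escalates regardless of the process context: the scenarios above describe plausible reasons for contacting an IP, but none of them explains a host asking for a file called mips or x86_64.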