Adversaries may be using the IP 93-115-172-57 to host or redirect to malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this IP in Azure Sentinel to identify potential command and control or data exfiltration activities early.
IOC Summary

Threat: 93-115-172-57 | Total URLs: 7 | Active URLs: 5

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://93.115.172.57/1.exe | online | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/2.exe | online | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/boss.exe | online | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/test.exe | online | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/Build_protected.exe | online | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/verification.vrf | offline | malware_download | 2026-05-19 |
| hxxp://93.115.172.57/test.tst | offline | malware_download | 2026-05-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 93-115-172-57
// The indicator is an IP address, so match the resolved answers (IPAddresses)
// as well as the queried name; a DNS query name alone will rarely contain an IP.
let malicious_domains = dynamic(["93.115.172.57"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 93-115-172-57
// Also check DestinationIP: proxy and firewall events for a direct-to-IP download
// may carry the indicator only in the destination address field.
let malicious_domains = dynamic(["93.115.172.57"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
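The two Sentinel queries above match the indicator wherever it appears in the logged fields. As an added example that is not part of the original page, the Python script below runs the same hunt offline over constructed proxy and DNS records, applies the process-name exclusions from the false-positive scenarios, and ranks a hit higher when the requested path matches one of the listed payload URLs. The record field names (src, process, url, dest_ip, resolved_ips) are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator and defanged URLs taken from the page's IOC summary (URLhaus threat 93-115-172-57).
THREAT_IP = "93.115.172.57"
IOC_URLS = [
    "hxxp://93.115.172.57/1.exe", "hxxp://93.115.172.57/2.exe",
    "hxxp://93.115.172.57/boss.exe", "hxxp://93.115.172.57/test.exe",
    "hxxp://93.115.172.57/Build_protected.exe",
    "hxxp://93.115.172.57/verification.vrf", "hxxp://93.115.172.57/test.tst",
]
# Process names from the page's false-positive scenarios; the "process" field name is an assumption.
ALLOWLISTED_PROCESSES = {"wusa.exe", "ansible-playbook", "nmap.exe", "masscan", "postman.exe", "curl"}

def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator back into a matchable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def ioc_paths() -> set:
    """URL paths from the IOC list, so a hit on a known payload path can be ranked higher."""
    return {urlparse(refang(u)).path for u in IOC_URLS}

def hunt(records: list) -> list:
    """Return records that touch THREAT_IP (URL host, destination IP or DNS answer),
    skipping processes in the allowlist. Severity is 'high' when the URL path is a
    listed payload, otherwise 'medium'."""
    paths = ioc_paths()
    hits = []
    for rec in records:
        if rec.get("process", "").lower() in ALLOWLISTED_PROCESSES:
            continue
        url = rec.get("url", "")
        parsed = urlparse(url) if url else None
        touched = (rec.get("dest_ip") == THREAT_IP
                   or (parsed is not None and parsed.hostname == THREAT_IP)
                   or THREAT_IP in rec.get("resolved_ips", []))
        if touched:
            severity = "high" if parsed is not None and parsed.path in paths else "medium"
            hits.append({**rec, "severity": severity})
    return hits

# Constructed sample telemetry (not real logs): two proxy events, one DNS answer, one benign request.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "process": "explorer.exe", "url": "http://93.115.172.57/boss.exe", "dest_ip": "93.115.172.57"},
    {"src": "10.0.0.9", "process": "curl", "url": "http://93.115.172.57/", "dest_ip": "93.115.172.57"},
    {"src": "10.0.0.7", "query": "update.example.net", "resolved_ips": ["93.115.172.57"]},
    {"src": "10.0.0.8", "process": "chrome.exe", "url": "http://example.com/1.exe", "dest_ip": "203.0.113.10"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["severity"], hit["src"], hit.get("url") or hit.get("query"))
```

A process-name allowlist only suppresses noise when the endpoint telemetry that supplies the name is trusted; the excluded "curl" event above would otherwise be a hit, so review exclusions against source IP ranges too, as the scenarios suggest.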
False Positive Scenarios

Scenario: Legitimate system update or patching job using a known IP
Description: A scheduled system update or patching job (e.g., using Windows Update, Ansible, or Chef) may connect to a server at IP 93-115-172-57 as part of a legitimate software distribution process.
Filter/Exclusion: Exclude traffic originating from known patch management tools or jobs, e.g., process.name = "wusa.exe" or process.name = "ansible-playbook".

Scenario: Internal network discovery or inventory scan
Description: A network discovery tool (e.g., Nmap, Masscan, or SolarWinds Network Configuration Manager) may scan the IP 93-115-172-57 as part of a routine internal network inventory.
Filter/Exclusion: Exclude traffic from network discovery tools using process.name = "nmap.exe" or process.name = "masscan", or filter by source IP ranges used for internal scanning.

Scenario: Legitimate API calls to a third-party service
Description: A legitimate application (e.g., Postman, curl, or a custom API client) may make requests to a service hosted on IP 93-115-172-57 for data retrieval or integration purposes.
Filter/Exclusion: Exclude traffic from known API clients or applications using process.name = "postman.exe" or process.name = "curl".

Scenario: Admin task or remote management session
Description: An administrator may use a remote management tool (e.g., Remote Desktop, TeamViewer, or LogMeIn) that connects to a server at IP 93-115-172-57 for