The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary

Threat: malware_download
Total URLs: 8
Active URLs: 6

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.39.226.150:48037/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://60.23.239.44:50687/i | offline | malware_download | 2026-05-20 |
| hxxp://60.23.239.44:50687/bin.sh | offline | malware_download | 2026-05-20 |
| hxxp://123.188.81.168:60658/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://42.3.3.190:59677/i | online | malware_download | 2026-05-20 |
| hxxp://110.37.53.25:41326/i | online | malware_download | 2026-05-20 |
| hxxp://42.3.3.190:59677/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://110.37.53.25:41326/bin.sh | online | malware_download | 2026-05-20 |
All eight IOCs are IP literals, not domains, so the lists below hold IPs. The offline host 60.23.239.44 is included deliberately: it was down at export time, but earlier contact with it still matters.

```kusto
// Hunt for DNS activity involving the URLhaus IOC hosts
// Threat: malware_download
// A direct fetch of hxxp://<ip>:<port>/bin.sh generates no DNS query, so a match
// on Name alone is unlikely. Also match the resolved answers (IPAddresses), which
// catches a domain that resolves to one of the IOC IPs.
let ioc_ips = dynamic(["42.3.3.190", "110.37.53.25", "110.39.226.150", "123.188.81.168", "60.23.239.44"]);
DnsEvents
| where Name has_any (ioc_ips) or IPAddresses has_any (ioc_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to the URLhaus IOC hosts
// Threat: malware_download
// Firewall rows often carry no RequestURL, so also match on destination IP and port.
// Restricting to the IOC ports keeps unrelated services on the same hosts out.
let ioc_ips = dynamic(["42.3.3.190", "110.37.53.25", "110.39.226.150", "123.188.81.168", "60.23.239.44"]);
let ioc_ports = dynamic([59677, 41326, 48037, 60658, 50687]);
CommonSecurityLog
| where RequestURL has_any (ioc_ips)
    or DestinationHostName has_any (ioc_ips)
    or (DestinationIP in (ioc_ips) and DestinationPort in (ioc_ports))
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
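The following is an added example, not code from the original page, URLhaus or Microsoft Sentinel. It models the hunt above offline: it refangs the eight IOCs from the table into exact (ip, port) pairs, runs that match over a handful of constructed CommonSecurityLog-style records (field names mirror the Sentinel columns; the records and the 10.0.4.x / 203.0.113.x addresses are made up), flags hits the device already blocked as lower priority, and emits a Sentinel query that matches ip:port pairs rather than bare IPs.

```python
"""Offline model of the URLhaus malware_download hunt.

Added example, not code from the original page or from URLhaus/Sentinel.
The IOC list is copied from the table above; the CommonSecurityLog-style
records further down are constructed sample data, not real telemetry.
"""
import re
from urllib.parse import urlsplit

# IOCs exactly as listed above (defanged 'hxxp', status at export time).
URLHAUS_IOCS = [
    ("hxxp://110.39.226.150:48037/bin.sh", "online"),
    ("hxxp://60.23.239.44:50687/i", "offline"),
    ("hxxp://60.23.239.44:50687/bin.sh", "offline"),
    ("hxxp://123.188.81.168:60658/bin.sh", "online"),
    ("hxxp://42.3.3.190:59677/i", "online"),
    ("hxxp://110.37.53.25:41326/i", "online"),
    ("hxxp://42.3.3.190:59677/bin.sh", "online"),
    ("hxxp://110.37.53.25:41326/bin.sh", "online"),
]

# DeviceAction values treated as "the device already stopped this".
BLOCKING_ACTIONS = {"deny", "block", "drop", "reset"}


def refang(url: str) -> str:
    """Undo URLhaus defanging ('hxxp://', '[.]') so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def _endpoint(url: str):
    """(host, port) of a URL, applying the scheme default when no port is given."""
    p = urlsplit(url)
    return p.hostname, p.port or (443 if p.scheme == "https" else 80)


def ioc_endpoints(iocs, include_offline: bool = True) -> set:
    """Set of (ip, port) pairs to hunt for. Offline entries are kept by
    default: a host that is down now may still have been contacted earlier."""
    return {
        _endpoint(refang(url))
        for url, status in iocs
        if include_offline or status == "online"
    }


# Constructed CommonSecurityLog-like records (proxy and firewall sources).
SAMPLE_LOGS = [
    {"TimeGenerated": "2026-05-20T10:01:02Z", "SourceIP": "10.0.4.17",
     "RequestURL": "http://42.3.3.190:59677/bin.sh", "DestinationIP": "42.3.3.190",
     "DestinationPort": 59677, "DeviceAction": "allow"},          # proxy, allowed
    {"TimeGenerated": "2026-05-20T10:05:44Z", "SourceIP": "10.0.4.22",
     "RequestURL": "", "DestinationIP": "110.37.53.25",
     "DestinationPort": 41326, "DeviceAction": "deny"},           # firewall, no URL
    {"TimeGenerated": "2026-05-20T10:06:10Z", "SourceIP": "10.0.4.22",
     "RequestURL": "", "DestinationIP": "42.3.3.190",
     "DestinationPort": 443, "DeviceAction": "allow"},            # IOC IP, other port
    {"TimeGenerated": "2026-05-20T10:09:31Z", "SourceIP": "10.0.4.30",
     "RequestURL": "http://updates.example.com/x.cab", "DestinationIP": "203.0.113.9",
     "DestinationPort": 80, "DeviceAction": "allow"},             # benign
]


def hunt(records, endpoints: set) -> list:
    """Match each record on the exact (ip, port) pair, preferring the request URL
    and falling back to DestinationIP/DestinationPort for URL-less firewall rows.
    A hit the device already blocked is kept but marked as not needing triage."""
    hits = []
    for r in records:
        key = _endpoint(r["RequestURL"]) if r.get("RequestURL") else None
        if key not in endpoints:
            key = (r.get("DestinationIP"), r.get("DestinationPort"))
        if key in endpoints:
            hits.append({**r,
                         "matched": f"{key[0]}:{key[1]}",
                         "needs_triage": r["DeviceAction"].lower() not in BLOCKING_ACTIONS})
    return hits


def kql_for(endpoints: set) -> str:
    """Emit a Sentinel query that matches ip:port pairs rather than IPs alone,
    so other services on the same hosts do not produce hits."""
    pairs = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(endpoints))
    return (
        f"let ioc_endpoints = dynamic([{pairs}]);\n"
        "CommonSecurityLog\n"
        "| where strcat(DestinationIP, \":\", DestinationPort) in (ioc_endpoints)\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, "
        "RequestURL, DeviceAction\n"
        "| order by TimeGenerated desc"
    )


if __name__ == "__main__":
    eps = ioc_endpoints(URLHAUS_IOCS)
    for h in hunt(SAMPLE_LOGS, eps):
        print(h["TimeGenerated"], h["SourceIP"], "->", h["matched"],
              "TRIAGE" if h["needs_triage"] else "blocked")
    print(kql_for(eps))
```

Run against the sample records, only the allowed proxy fetch of `/bin.sh` and the denied firewall connection to 110.37.53.25:41326 match; the connection to 42.3.3.190 on port 443 does not, because the pair match requires the IOC port. The generated query uses `strcat(DestinationIP, ":", DestinationPort)` for the same reason; the `has_any`-on-RequestURL clause of the query above remains useful for proxy logs that record the URL but not the destination port.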
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Proxy and firewall events ingested via the CEF connector; required for the web-traffic query. Ensure this data connector is enabled. |
| DnsEvents | DNS query and answer records; required for the DNS query. Ensure this data connector is enabled. |
Possible benign explanations for a hit, and how to scope an exclusion. Note first that every IOC on this page is a bare IP literal on a high, non-standard port serving `/bin.sh` or `/i`, i.e. shell-script droppers; none of the domain-based exclusions below can ever match them, and they become relevant only if the hunt is broadened to URLhaus entries that use hostnames. Before excluding anything, confirm the match was on the exact IP and port, check DeviceAction to see whether the request was actually blocked, and compare the hash of the downloaded file with the one the vendor publishes.

Scenario: A system administrator fetches a security tool update or patch from a vendor endpoint that URLhaus has tagged.
Filter/Exclusion: Exclude the specific update URL prefixes in use (e.g., updates.microsoft.com, download.mozilla.org), not whole domains, and only after verifying the file hash.

Scenario: A scheduled job runs a legitimate script that downloads a file from a URL tagged by URLhaus, but the file is benign and part of routine maintenance.
Filter/Exclusion: Exclude internal or known-benign download hosts (e.g., internal-repo.company.com, artifactory.company.net), and keep the exclusion tied to the job's source host or service account rather than applying it globally.

Scenario: An employee uses a legitimate file-sharing service (e.g., Google Drive, Dropbox) to move files between departments, and the shared link is flagged.
Filter/Exclusion: Exclude only the specific shared-link paths after the file has been checked; shared-link domains (drive.google.com, dropbox.com) are routinely used to host malware, so excluding the whole domain blinds the hunt.

Scenario: A security agent (e.g., CrowdStrike, SentinelOne) performs a signature update and downloads a file from a URL that was mistakenly flagged.
Filter/Exclusion: Exclude the vendor's documented update endpoints (e.g., specific crowdstrike.com or sentinelone.com hosts), matched on the full hostname rather than on the bare domain string.

Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) fetches dependencies from a public repository (e.g., GitHub, npm), and the repository URL was incorrectly flagged.
Filter/Exclusion: Exclude the exact release or package URL prefixes the pipeline uses, never whole domains such as github.com, npmjs.org or registry.npmjs.org, which also host malicious payloads; pin the exclusion to the build runners' source IPs where possible.