The hypothesis is that the detected URLs are associated with Mirai botnet infrastructure, used to compromise IoT devices and launch DDoS attacks. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet command and control activity before it leads to large-scale network compromise.
IOC Summary

Threat: mirai
Total URLs: 25
Active URLs: 25
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.87.233:45897/i | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/bins.sh | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/i386 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/android_arm64 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/x86 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/mips | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/arm | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/arm64 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/mipsle | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/android_arm64 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/mipsle | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/x86 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/amd64 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/arm6 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/android_arm | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/mips | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/arm6 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/arm5 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/arm5 | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/android_arm | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/arm64 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/arm | online | malware_download | 2026-05-17 |
| hxxp://94.156.152.234/amd64 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/i386 | online | malware_download | 2026-05-17 |
| hxxp://176.65.139.114/bins.sh | online | malware_download | 2026-05-17 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: mirai
// The URLhaus entries above are IP-based, so an IP will never appear as a DNS
// query Name; check the resolved-address column (IPAddresses) as well.
let malicious_ips = dynamic(["94.156.152.234", "110.37.87.233", "176.65.139.114"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: mirai
// Match on the raw destination IP too, since proxy/firewall logs for direct-to-IP
// downloads often carry no hostname; DestinationPort catches the non-standard
// port used by 110.37.87.233:45897.
let malicious_ips = dynamic(["94.156.152.234", "110.37.87.233", "176.65.139.114"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
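The KQL above hardcodes the three hosts from the IOC table. The script below is an added example (not part of the original page or of URLhaus) showing how a SOC would derive that list from the defanged URLhaus rows, emit it as the `dynamic([...])` literal the queries use, and run the same host/port/path matching over proxy log lines before the data reaches Sentinel. The IOC subset, the CSV proxy log format, the internal source IPs and the excluded test host are all constructed for the example; the three malicious IPs are the ones in the table.

```python
"""Refang URLhaus IOCs, build the Sentinel watchlist values, and match proxy logs."""
from urllib.parse import urlsplit

# Constructed subset of the defanged rows in the IOC table above (the page lists
# 25 in total); eight rows are enough to cover all three hosts and the odd port.
DEFANGED_IOCS = [
    "hxxp://110.37.87.233:45897/i",
    "hxxp://94.156.152.234/bins.sh",
    "hxxp://94.156.152.234/i386",
    "hxxp://94.156.152.234/mips",
    "hxxp://176.65.139.114/bins.sh",
    "hxxp://176.65.139.114/android_arm64",
    "hxxp://176.65.139.114/x86",
    "hxxp://176.65.139.114/arm",
]

# Common defanging conventions used by URLhaus and most threat-intel feeds.
_DEFANG_MAP = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("[:]", ":")]


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp, [.], [:]) back into a parseable URL."""
    out = url.strip()
    for defanged, real in _DEFANG_MAP:
        out = out.replace(defanged, real)
    return out


def parse_ioc(url: str) -> dict:
    """Split a (possibly defanged) URL into host, numeric port and path."""
    parts = urlsplit(refang(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"host": parts.hostname, "port": port, "path": parts.path or "/"}


def hosts(iocs) -> list:
    """Distinct hosts, sorted, ready to paste into the hunt queries' list."""
    return sorted({parse_ioc(u)["host"] for u in iocs})


def kql_dynamic(values) -> str:
    """Render a list of strings as the KQL dynamic([...]) literal used above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


# Constructed proxy log lines: time,src_ip,dest_host,dest_port,request_path
# (10.0.0.0/8 sources and 203.0.113.10 are documentation/private addresses).
SAMPLE_PROXY_LOG = """\
2026-05-17T10:01:02Z,10.0.5.17,94.156.152.234,80,/bins.sh
2026-05-17T10:01:05Z,10.0.5.17,94.156.152.234,80,/mips
2026-05-17T10:02:11Z,10.0.9.3,110.37.87.233,45897,/i
2026-05-17T10:03:40Z,10.0.9.3,110.37.87.233,80,/favicon.ico
2026-05-17T10:04:00Z,10.0.2.200,176.65.139.114,80,/x86
2026-05-17T10:05:00Z,10.0.7.1,203.0.113.10,443,/index.html
"""


def match_proxy_log(log_text: str, iocs, excluded_sources=frozenset()) -> list:
    """Return (src_ip, dest_host, confidence, ioc_url) for lines touching IOC hosts.

    confidence is "exact" when host, port and path all match a listed URL and
    "host" when only the host matches (same infrastructure, unlisted path).
    Sources in excluded_sources (e.g. a sanctioned internal test host) are
    skipped, which is how the Filter/Exclusion entries below would be applied.
    """
    by_key = {}
    for u in iocs:
        p = parse_ioc(u)
        by_key[(p["host"], p["port"], p["path"])] = refang(u)
    ioc_hosts = {host for host, _, _ in by_key}

    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, host, port, path = line.split(",", 4)
        if src in excluded_sources or host not in ioc_hosts:
            continue
        key = (host, int(port), path)
        if key in by_key:
            hits.append((src, host, "exact", by_key[key]))
        else:
            hits.append((src, host, "host", None))
    return hits


if __name__ == "__main__":
    print(kql_dynamic(hosts(DEFANGED_IOCS)))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS, {"10.0.2.200"}):
        print(hit)
```

The "host" confidence level matters for Mirai loaders: a request to a listed IP for a path that is not yet in URLhaus is still worth triage, because the same host serves one binary per architecture and new paths appear before the feed catches up.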
Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its detection capabilities.
Filter/Exclusion: Exclude URLs that match the internal testing environment or are associated with known security testing tools (e.g., nmap, cisco-sa, vulnerability-scanner-*).

Scenario: A scheduled job runs a daily script to fetch and process Mirai-related threat intelligence feeds from URLhaus.
Filter/Exclusion: Exclude URLs that originate from internal threat intelligence sources or are tagged with urlhaus in the detection logic.

Scenario: A DevOps team is deploying a containerized application that includes a legitimate Mirai-based open-source project for network monitoring.
Filter/Exclusion: Exclude URLs that are part of the application’s dependency chain or are tagged with open-source or project-name-*.

Scenario: A security analyst is using a SIEM tool to correlate Mirai-related alerts with internal logs, and the tool is generating URLs as part of its correlation process.
Filter/Exclusion: Exclude URLs that are generated by the SIEM tool or are associated with internal log processing systems (e.g., splunk, logstash, siem-*).

Scenario: A backup and restore process includes URLs from a Mirai-related configuration file that was mistakenly included in the backup archive.
Filter/Exclusion: Exclude URLs that are part of backup archives or are tagged with backup, restore, or archive-*.