← Back to SOC feed Coverage →

URLhaus: mirai Malicious URLs

ioc-hunt HIGH URLhaus
CommonSecurityLogDnsEvents
iocurlhaus
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at URLhaus →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Hunt package for 2 malicious URLs tagged as mirai

IOC Summary

Threat: mirai Total URLs: 2 Active URLs: 2

URLStatusThreatDate Added
hxxp://77.247.88.72:46687/bin.shonlinemalware_download2026-03-19
hxxp://110.37.99.117:41152/bin.shonlinemalware_download2026-03-19

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["110.37.99.117", "77.247.88.72"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["110.37.99.117", "77.247.88.72"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DnsEventsEnsure this data connector is enabled

References

Original source: https://urlhaus.abuse.ch/