Hunt package for 32 malicious URLs tagged as ACRStealer
Threat: ACRStealer Total URLs: 32 Active URLs: 13
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://4wm0.woodflo.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://unitmed.goodwork.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://checkcipher.besthire.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://serv4base.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://edge3dist.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://node2flow.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://unit1meta.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://main4point.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://data3sync.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://gate2proxy.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://web1infra.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://sat4link.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://rock3core.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://base2steel.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://moon1orbit.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://open4space.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://vast3field.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://zone2area.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://rim1outer.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://path4gate.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://view3sync.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://scan2point.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://room1dark.protovoda.in.net/verification.google | online | malware_download | 2026-03-19 |
hxxps://sync4vision.luxalabs.in.net/verification.google | offline | malware_download | 2026-03-19 |
hxxps://ghost3node.luxalabs.in.net/verification.google | offline | malware_download | 2026-03-19 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ACRStealer
let malicious_domains = dynamic(["edge3dist.veloxunit.in.net", "gate2proxy.nuxbase.in.net", "room1dark.protovoda.in.net", "unitmed.goodwork.in.net", "link4access.optigrid.in.net", "main4point.nuxbase.in.net", "node2flow.veloxunit.in.net", "data3sync.nuxbase.in.net", "web1infra.nuxbase.in.net", "serv4base.veloxunit.in.net", "4wm0.woodflo.in.net", "unit1meta.veloxunit.in.net", "checkcipher.besthire.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["edge3dist.veloxunit.in.net", "gate2proxy.nuxbase.in.net", "room1dark.protovoda.in.net", "unitmed.goodwork.in.net", "link4access.optigrid.in.net", "main4point.nuxbase.in.net", "node2flow.veloxunit.in.net", "data3sync.nuxbase.in.net", "web1infra.nuxbase.in.net", "serv4base.veloxunit.in.net", "4wm0.woodflo.in.net", "unit1meta.veloxunit.in.net", "checkcipher.besthire.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |