URLhaus: c2-monitor-auto Malicious URLs

Hunt Hypothesis

The detection identifies potential command and control (C2) activity by monitoring URLs tagged as malicious in URLhaus, which are likely used by adversaries to exfiltrate data or issue commands. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage malware communication and prevent further compromise.

IOC Summary

Threat: c2-monitor-auto Total URLs: 39 Active URLs: 0

URL	Status	Threat	Date Added
`hxxp://62.60.226.140/files/6099399783/RvcTx33.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/kia910K.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/ZNA6QZG.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/6tTNsh7.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/kipKIFh.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/3hDyCii.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/aytWblz.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/k9yGJLp.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/UIiIHFd.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/DBRMzfk.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/0Yktjef.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/eWSuXOX.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/bWjpSD5.bat`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/9LrZbLJ.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/eXIdGXS.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/9TYlaUm.msi`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/lwJjEiN.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/6tTNsh7.bat`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/715644737/XV72Alj.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/brOT051.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/EFgBS2q.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/dpslke1.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/qgEunem.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/6099399783/NmwYFWw.exe`	offline	malware_download	2026-05-10
`hxxp://62.60.226.140/files/8176913892/1x8Ty42.exe`	offline	malware_download	2026-05-10

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["62.60.226.140"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled

References

URLhaus

False Positive Guidance

Scenario: Legitimate system update or patching process using a URLhaus-listed URL
Filter/Exclusion: Exclude URLs associated with known patching or update mechanisms (e.g., windowsupdate.microsoft.com, updates.microsoft.com) or use a filter like:
```
(url contains "windowsupdate.microsoft.com" or url contains "updates.microsoft.com")
```
Scenario: Scheduled backup job downloading a script from a trusted internal repository
Filter/Exclusion: Exclude URLs from internal repositories (e.g., internal-repo.company.com) or use a filter like:
```
(url contains "internal-repo.company.com" or url contains "artifactory.company.com")
```
Scenario: Admin performing a remote PowerShell script execution for system diagnostics
Filter/Exclusion: Exclude PowerShell scripts executed by admin accounts during routine maintenance (e.g., powershell.exe -Command) or use a filter like:
```
(process.name == "powershell.exe" and process.user == "admin")
```
Scenario: Automated CI/CD pipeline fetching dependencies from a public package registry
Filter/Exclusion: Exclude URLs from trusted package managers (e.g., npmjs.org, pypi.org) or use a filter like:
```
(url contains "npmjs.org" or url contains "pypi.org" or url contains "maven.org")
```
Scenario: User accessing a phishing training page hosted on a secure internal site
Filter/Exclusion: Exclude URLs from internal security training platforms (e.g., phishing-training.company.com) or use a filter like:
```
(url contains "phishing-training.company.com" or url contains "security-training.company.com")
```