The hypothesis is that adversaries are using the listed URLs to deploy CoinMiner malware, delivering the payloads through compromised hosts or phishing. The six paths on the one host (aarch64, i686, x86_64, arm7, clean, sh) suggest per-architecture binaries plus a shell installer, so the hunt should cover Linux and embedded systems as well as Windows endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain cryptocurrency mining before it causes significant resource consumption or financial loss.
IOC Summary

- Threat: CoinMiner
- Total URLs: 6
- Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://14.46.136.77/aarch64 | online | malware_download | 2026-05-18 |
| hxxps://14.46.136.77/i686 | online | malware_download | 2026-05-18 |
| hxxps://14.46.136.77/x86_64 | online | malware_download | 2026-05-18 |
| hxxps://14.46.136.77/arm7 | online | malware_download | 2026-05-18 |
| hxxps://14.46.136.77/clean | online | malware_download | 2026-05-18 |
| hxxps://14.46.136.77/sh | online | malware_download | 2026-05-18 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: CoinMiner
// The indicator here is an IP literal, so it will not appear as a queried
// name; check the resolved answers (IPAddresses) as well as Name.
let malicious_domains = dynamic(["14.46.136.77"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["14.46.136.77"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
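The two queries above match on strings; the example below is an added, stand-alone Python re-implementation of the same hunt logic (not part of the original page or of any Sentinel content) that can be run offline against log exports. It splits the page's IOC list into IP literals, domain names and full URLs, because an IP literal never appears as a DNS query name and must be matched against resolved answers and destination-IP fields instead. The field names mirror the DnsEvents and CommonSecurityLog columns used above; the sample events are constructed for the demonstration and are not real telemetry.

```python
import ipaddress
from urllib.parse import urlsplit

# IOC URLs copied from the URLhaus table on this page, still defanged (hxxps).
URLHAUS_IOCS = [
    "hxxps://14.46.136.77/aarch64",
    "hxxps://14.46.136.77/i686",
    "hxxps://14.46.136.77/x86_64",
    "hxxps://14.46.136.77/arm7",
    "hxxps://14.46.136.77/clean",
    "hxxps://14.46.136.77/sh",
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, hxxps, [.]) so the URL can be parsed."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def split_indicators(iocs):
    """Sort IOCs into IP literals, domain names and full URLs.

    The split matters for DNS telemetry: an IP literal never shows up as a
    queried name, only (if at all) among the resolved answers, so matching it
    against the Name column alone finds nothing.
    """
    ips, domains, urls = set(), set(), set()
    for raw in iocs:
        url = refang(raw)
        urls.add(url)
        host = (urlsplit(url).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            if host:
                domains.add(host)
    return ips, domains, urls


def hunt_dns(events, ips, domains):
    """Match DnsEvents-shaped records on the queried name and on the answers."""
    hits = []
    for e in events:
        name = e["Name"].lower().rstrip(".")
        answers = set(e.get("IPAddresses", []))
        if name in domains or answers & ips:
            hits.append(e)
    return hits


def hunt_web(events, ips, domains, urls):
    """Match CommonSecurityLog-shaped records on URL, host name and destination IP."""
    hits = []
    for e in events:
        req = e.get("RequestURL") or ""
        req_host = (urlsplit(req).hostname or "").lower() if "://" in req else ""
        dst_host = (e.get("DestinationHostName") or "").lower()
        dst_ip = e.get("DestinationIP") or ""
        if (req in urls or req_host in ips or req_host in domains
                or dst_host in ips or dst_host in domains or dst_ip in ips):
            hits.append(e)
    return hits


# Constructed sample telemetry (not real logs) in the shape of the two tables.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-18T09:58:00Z", "Computer": "ws-01",
     "Name": "updates.corp.example", "IPAddresses": ["10.20.30.40"]},
    {"TimeGenerated": "2026-05-18T10:01:12Z", "Computer": "ws-07",
     "Name": "cdn.corp.example", "IPAddresses": ["14.46.136.77"]},
]
SAMPLE_WEB = [
    {"TimeGenerated": "2026-05-18T10:01:15Z", "SourceIP": "10.1.2.7",
     "RequestURL": "https://14.46.136.77/sh", "DestinationHostName": "14.46.136.77",
     "DestinationIP": "14.46.136.77", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-18T10:02:00Z", "SourceIP": "10.1.2.8",
     "RequestURL": "https://download.microsoft.com/patch.cab",
     "DestinationHostName": "download.microsoft.com",
     "DestinationIP": "10.99.0.1", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-18T10:03:30Z", "SourceIP": "10.1.2.9",
     "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "14.46.136.77", "DeviceAction": "deny"},
]


def run_hunt(dns_events=SAMPLE_DNS, web_events=SAMPLE_WEB):
    """Run both hunts and return the matching hosts/sources."""
    ips, domains, urls = split_indicators(URLHAUS_IOCS)
    return {
        "dns": [e["Computer"] for e in hunt_dns(dns_events, ips, domains)],
        "web": [e["SourceIP"] for e in hunt_web(web_events, ips, domains, urls)],
    }


if __name__ == "__main__":
    print(run_hunt())
```

The DNS sample is the instructive case: the host ws-07 resolved an internal-looking name to the listed IP, which a query matching only on Name would miss. The third web record has no URL at all and matches purely on DestinationIP, which is why that column belongs in the Sentinel query.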
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios

Scenario: Legitimate system update via URLhaus
- Description: A system update or patch is downloaded from a URLhaus-listed domain, which is mistakenly flagged as CoinMiner.
- Filter/Exclusion: Exclude URLs associated with known system update mechanisms (e.g., windowsupdate.microsoft.com, download.microsoft.com) or use a custom list of trusted update domains. Match the exclusion on the destination host name rather than on the URL as a substring, so a trusted name appearing in a URL path does not suppress the alert.

Scenario: Admin task using CoinMiner-related tools
- Description: An administrator is performing a task that involves tools or scripts named after CoinMiner (e.g., coinminer.exe), which triggers the rule.
- Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges (e.g., Administrator, SYSTEM) or use a process name whitelist for known administrative tools. Keep such exclusions narrow: a miner installed by an attacker who already has administrative access runs under exactly those accounts, so a blanket account-based exclusion hides the cases the hunt most needs to surface.

Scenario: Scheduled job for malware analysis
- Description: A security team's scheduled job downloads a CoinMiner sample from a sandbox environment for analysis, triggering the rule.
- Filter/Exclusion: Exclude URLs that match sandbox or analysis environments (e.g., sandboxed.io, malwareanalysis.com) or use a custom field for "sandbox" in the URL.

Scenario: Legitimate cloud storage access
- Description: A user accesses a cloud storage bucket (e.g., AWS S3, Azure Blob Storage) that contains CoinMiner-related files for forensic purposes.
- Filter/Exclusion: Exclude URLs that include cloud storage service endpoints (e.g., s3.amazonaws.com, blob.core.windows.net) or use a custom field for "cloud storage access".

Scenario: Internal tool using CoinMiner naming convention
- Description: An internal tool or script (e.g., coinminer-checker.py) is used for internal monitoring and is falsely flagged by the rule.
- Filter/Exclusion: Exclude processes or URLs that match
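Several of the exclusions above are phrased as "exclude URLs that match" a trusted name. The example below is added here (it is not part of the original page) to show the difference between a substring exclusion and a host-based one, using the update domains the page itself names as the trusted list. The trusted-host set is a starting point for illustration, the sample hits are constructed, and the lookalike host is a made-up name used only to show what a substring filter lets through.

```python
from urllib.parse import urlsplit

# Trusted update endpoints taken from the false-positive scenarios above.
# Illustrative starting point, not a complete allowlist.
TRUSTED_HOSTS = {
    "windowsupdate.microsoft.com",
    "download.microsoft.com",
}


def url_host(url: str) -> str:
    """Host part of a URL, lower-cased; empty when the value is not a URL."""
    return (urlsplit(url).hostname or "").lower() if "://" in url else ""


def is_trusted_host(host: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only when host IS a trusted name or a label-wise subdomain of one.

    A substring test ("download.microsoft.com" in url) would also exclude a
    lookalike such as download.microsoft.com.lookalike.example, and any URL
    that merely carries the trusted name in its path or query string.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def naive_excluded(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """The substring approach, kept only to show what it lets through."""
    return any(t in url for t in trusted)


def apply_exclusions(hits, trusted=TRUSTED_HOSTS):
    """Drop hunt hits whose destination host is trusted; keep everything else."""
    kept = []
    for h in hits:
        host = url_host(h.get("RequestURL") or "") or (h.get("DestinationHostName") or "")
        if not is_trusted_host(host, trusted):
            kept.append(h)
    return kept


# Constructed sample hits (not real telemetry), shaped like the web hunt output.
SAMPLE_HITS = [
    {"SourceIP": "10.1.2.8",
     "RequestURL": "https://download.microsoft.com/patch.cab",
     "DestinationHostName": "download.microsoft.com"},
    {"SourceIP": "10.1.2.7",
     "RequestURL": "https://14.46.136.77/sh",
     "DestinationHostName": "14.46.136.77"},
    {"SourceIP": "10.1.2.9",
     "RequestURL": "https://14.46.136.77/download.microsoft.com/clean",
     "DestinationHostName": "14.46.136.77"},
    {"SourceIP": "10.1.2.10",
     "RequestURL": "https://download.microsoft.com.lookalike.example/x86_64",
     "DestinationHostName": "download.microsoft.com.lookalike.example"},
]


def compare_exclusions(hits=SAMPLE_HITS):
    """Return the SourceIPs kept by the host-based filter and by the naive one."""
    safe = [h["SourceIP"] for h in apply_exclusions(hits)]
    naive = [h["SourceIP"] for h in hits if not naive_excluded(h["RequestURL"])]
    return safe, naive


if __name__ == "__main__":
    print(compare_exclusions())
```

Only the genuine download.microsoft.com hit is dropped by the host-based filter; the substring filter additionally discards the hit whose path contains the trusted name and the lookalike host, both of which point at the listed IP or an untrusted host and should stay in the hunt results.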