The hypothesis is that an adversary is using malicious URLs from URLhaus to download malware onto compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread within the network.
IOC Summary
Threat: malware_download
Total URLs: 5
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://171.38.87.0:47753/i | online | malware_download | 2026-05-12 |
| hxxp://60.21.174.140:51141/i | online | malware_download | 2026-05-12 |
| hxxp://175.173.84.53:49461/i | offline | malware_download | 2026-05-12 |
| hxxp://175.173.84.53:49461/bin.sh | online | malware_download | 2026-05-12 |
| hxxp://61.176.127.30:40331/bin.sh | online | malware_download | 2026-05-12 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: malware_download
// Every IOC in this batch is an IP literal. An IP literal never appears as a
// DNS query name, so the resolved-address column is matched as well; the
// Name match only fires once the list gains domain names.
let malicious_domains = dynamic(["171.38.87.0", "175.173.84.53", "60.21.174.140", "61.176.127.30"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// DestinationIP is checked alongside RequestURL and DestinationHostName so
// that proxy or firewall records logged without a URL still match.
let malicious_domains = dynamic(["171.38.87.0", "175.173.84.53", "60.21.174.140", "61.176.127.30"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
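The IOC table is defanged (hxxp) and every entry is an IP literal on a high, non-standard port, which decides which Sentinel columns a hunt should match on. The following Python script is an added example, not code from the original page or from URLhaus: it refangs the list, extracts the unique hosts, separates IP literals from domain names so each can go to the right column, renders the KQL `let` binding used by the queries above, and grades constructed proxy records as an exact URL hit, a same host:port hit (a payload rehosted under a new path), or a host-only overlap. The record layout, the `SAMPLE_PROXY_RECORDS` values and all function names are assumptions.

```python
"""Turn the defanged URLhaus IOC list into a Sentinel hunt list and grade
constructed proxy records against it.

Added example; not code from the original page or from URLhaus."""
import ipaddress
from urllib.parse import urlsplit

# Constructed from the IOC table above: (defanged URL, URLhaus status).
URLHAUS_IOCS = [
    ("hxxp://171.38.87.0:47753/i", "online"),
    ("hxxp://60.21.174.140:51141/i", "online"),
    ("hxxp://175.173.84.53:49461/i", "offline"),
    ("hxxp://175.173.84.53:49461/bin.sh", "online"),
    ("hxxp://61.176.127.30:40331/bin.sh", "online"),
]

# Common defanging conventions and their real form.
DEFANG = {"hxxps://": "https://", "hxxp://": "http://", "[.]": ".", "[:]": ":"}


def refang(url):
    """Undo defanging so the standard URL parser can read the value."""
    for fanged, real in DEFANG.items():
        url = url.replace(fanged, real)
    return url


def parse_ioc(url):
    """Split a (possibly defanged) URL into host, port and path."""
    parts = urlsplit(refang(url))
    return {"host": parts.hostname, "port": parts.port, "path": parts.path}


def hunt_hosts(iocs, include_offline=True):
    """Unique hosts for the hunt, sorted. Offline URLs are kept by default:
    a download that already happened still needs to be found."""
    hosts = set()
    for url, status in iocs:
        if include_offline or status == "online":
            hosts.add(parse_ioc(url)["host"])
    return sorted(hosts)


def split_hosts(hosts):
    """Separate IP-literal hosts from domain names. An IP literal never shows
    up as a DNS query name, so it belongs in IP columns (IPAddresses,
    DestinationIP); domain names go to Name / DestinationHostName."""
    ips, domains = [], []
    for host in hosts:
        try:
            ipaddress.ip_address(host)
            ips.append(host)
        except ValueError:
            domains.append(host)
    return ips, domains


def kql_let(name, values):
    """Render a KQL `let` binding holding a dynamic array of strings."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


# Constructed proxy records; the field names are an assumption, not the
# CommonSecurityLog schema.
SAMPLE_PROXY_RECORDS = [
    {"src": "10.1.2.3", "url": "http://175.173.84.53:49461/bin.sh"},     # exact IOC
    {"src": "10.1.2.4", "url": "http://175.173.84.53:49461/update.sh"},  # same host:port, new path
    {"src": "10.1.2.5", "url": "http://175.173.84.53:80/"},              # same host, other port
    {"src": "10.1.2.6", "url": "http://download.microsoft.com/x.msu"},   # unrelated
]


def classify(record, iocs):
    """Grade how closely a record matches the IOC set.

    "exact"     - URL is in the list
    "host_port" - same host and listener port, different path (a payload
                  rehosted under a new name on the same server)
    "host_only" - same host, different port (weaker; review, do not alert)
    None        - no overlap
    """
    target = parse_ioc(record["url"])
    best = None
    for url, _status in iocs:
        ioc = parse_ioc(url)
        if ioc["host"] != target["host"]:
            continue
        if ioc["port"] == target["port"]:
            if ioc["path"] == target["path"]:
                return "exact"
            best = "host_port"
        elif best is None:
            best = "host_only"
    return best


if __name__ == "__main__":
    ips, domains = split_hosts(hunt_hosts(URLHAUS_IOCS))
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
    for rec in SAMPLE_PROXY_RECORDS:
        print(rec["src"], rec["url"], "->", classify(rec, URLHAUS_IOCS))
```

For this batch `split_hosts` returns four IP literals and no domain names, which is why the DNS query only becomes useful once the resolved-address column is matched. Grading on host and port rather than the full URL catches a rehosted payload on the same listener while keeping a hit on port 80 of the same address as a lower-confidence lead.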
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job downloads from a URL that is on the malware list as part of a system update or patching process.
Filter/Exclusion: Exclude requests whose host is a known update server (e.g., updates.microsoft.com, download.microsoft.com, nginx.org). Match the parsed host exactly rather than with a substring test, since `contains "nginx.org"` would also exclude any longer hostname that embeds that string:
```kql
| extend RequestHost = tostring(parse_url(RequestURL).Host)
| where RequestHost !in~ ("updates.microsoft.com", "download.microsoft.com", "nginx.org")
```
Scenario: Admin Access Token Renewal
Description: An admin manually renews an access token via a script or API call that uses a URL flagged as malicious.
Filter/Exclusion: Exclude URLs containing /token/renew or /api/v1/auth/renew and narrow the exclusion by user agent or source IP. In CommonSecurityLog the user agent is RequestClientApplication; because that value is client-supplied, pairing the path with the admin host's SourceIP is the stronger condition:
```kql
| where not((RequestURL contains "/token/renew" or RequestURL contains "/api/v1/auth/renew")
    and RequestClientApplication contains "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
```
Scenario: Log Management Tool Data Ingestion
Description: A log management tool such as Splunk or the ELK Stack ingests data from a remote server using a URL that is falsely flagged.
Filter/Exclusion: Exclude URLs containing splunkforwarder, logstash, or elasticsearch and restrict the exclusion to requests from internal (RFC 1918) source addresses:
```kql
| where not((RequestURL contains "splunkforwarder" or RequestURL contains "logstash" or RequestURL contains "elasticsearch")
    and ipv4_is_in_any_range(SourceIP, dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])))
```
Scenario: Cloud Backup Service Sync