The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary

Threat: malware_download
Total URLs: 7
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.49.78.11:49499/bin.sh | offline | malware_download | 2026-05-07 |
| hxxp://119.115.119.45:53741/i | online | malware_download | 2026-05-07 |
| hxxp://61.137.154.63:59794/i | online | malware_download | 2026-05-07 |
| hxxp://85.130.235.5:44625/i | offline | malware_download | 2026-05-07 |
| hxxp://59.96.136.163:59229/i | offline | malware_download | 2026-05-07 |
| hxxp://42.232.230.42:45154/bin.sh | offline | malware_download | 2026-05-07 |
| hxxp://123.13.105.180:54874/i | offline | malware_download | 2026-05-07 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Only the two entries marked "online" in the IOC summary are included here.
// Note: these indicators are IP literals, so a client fetching the URL directly
// issues no DNS query for them; matching the resolved-address column as well
// still catches a domain that resolves to one of these hosts.
let malicious_domains = dynamic(["119.115.119.45", "61.137.154.63"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// Matches on host only (no port or path), so expect to triage the hits against
// the full URLs in the IOC summary.
let malicious_domains = dynamic(["119.115.119.45", "61.137.154.63"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is downloading a known malicious URL as part of a security tool update. | Exclude URLs that match known security tool update domains (e.g., update.microsoft.com, download.symantec.com). |
| A scheduled job is fetching malware samples from a sandboxing platform for analysis. | Exclude URLs that match sandboxing platforms like sandboxed.sinful.com or malwareanalysis.com. |
| A user is accessing a phishing simulation URL from a security training platform. | Exclude URLs containing phishsim. or trainingportal. as part of a phishing awareness program. |
| A backup job is transferring files over an internal SFTP server using a custom URL. | Exclude URLs that start with sftp://internal-ftp-server/ or match internal SFTP endpoints. |
| A developer is testing a legitimate API endpoint that is temporarily flagged as malicious during a security scan. | Exclude URLs that match internal development endpoints (e.g., dev-api.examplecorp.com) or those with a test subdomain. |
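The web-traffic hunt above matches on host only and has no exclusions. The following query is an added example, not part of the original hunt: it carries the full URLhaus indicator (host, port and path) from the IOC summary so that hits can be ranked by how closely they match, and it applies the exclusions from the false-positive scenarios before matching. The allow-list values are the example hosts from the scenarios and are assumptions to tune per tenant.

```kusto
// Added example: full-indicator match with the documented exclusions applied.
// IOC rows are taken from the IOC summary table on this page.
let urlhaus_iocs = datatable(IocHost:string, IocPort:int, IocPath:string, IocStatus:string) [
    "115.49.78.11",   49499, "/bin.sh", "offline",
    "119.115.119.45", 53741, "/i",      "online",
    "61.137.154.63",  59794, "/i",      "online",
    "85.130.235.5",   44625, "/i",      "offline",
    "59.96.136.163",  59229, "/i",      "offline",
    "42.232.230.42",  45154, "/bin.sh", "offline",
    "123.13.105.180", 54874, "/i",      "offline"
];
// Known-good hosts from the false-positive scenarios (assumed; replace with your own list).
let allowlist_hosts = dynamic(["update.microsoft.com", "download.symantec.com",
                               "sandboxed.sinful.com", "malwareanalysis.com",
                               "dev-api.examplecorp.com"]);
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
// Fall back to the proxy's destination port when the URL carries none.
| extend ReqHost = tostring(Parsed.Host),
         ReqPath = tostring(Parsed.Path),
         ReqPort = coalesce(toint(Parsed.Port), DestinationPort)
// Drop the documented benign cases before matching, not after.
| where not(ReqHost in (allowlist_hosts))
| where not(ReqHost matches regex @"(^|\.)(phishsim|trainingportal|test)\.")
| join kind=inner urlhaus_iocs on $left.ReqHost == $right.IocHost
// exact_url = host, port and path all match; weaker levels need more triage.
| extend MatchLevel = case(
    ReqPort == IocPort and ReqPath == IocPath, "exact_url",
    ReqPort == IocPort, "host_and_port",
    "host_only")
| project TimeGenerated, SourceIP, RequestURL, DeviceAction, IocStatus, MatchLevel
| order by TimeGenerated desc
```

A host_only hit against an offline indicator is the lowest-priority result; an exact_url hit against an online indicator with DeviceAction showing the request was allowed should be escalated first.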