Adversaries may be using known malicious URLs to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download | Total URLs: 34 | Active URLs: 13
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Note: raw.githubusercontent.com, github.com and drive.google.com are shared platforms;
// a hostname hit alone is expected in most environments and must be checked against the full IOC URL.
let malicious_domains = dynamic(["185.29.9.115", "desentupidora.pro.br", "crescentegramas.com.br", "raw.githubusercontent.com", "github.com", "drive.google.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["185.29.9.115", "desentupidora.pro.br", "crescentegramas.com.br", "raw.githubusercontent.com", "github.com", "drive.google.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
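As an added example (not part of the original hunt page), the Python below turns a defanged URLhaus-style IOC list into the CommonSecurityLog hunt above, but matches shared platforms such as GitHub and Google Drive on the full IOC URL rather than on hostname, and appends an allowlist of the kind the false-positive scenarios describe. The sample IOCs and the `dedicated_hosts`, `shared_platform_urls` and `allowlist` names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators in the feed's defanged style; not real IOCs.
SAMPLE_IOCS = [
    "hxxp://203.0.113.10/payload12.bin",
    "hxxp://malware-host[.]example:7802/",
    "hxxps://raw.githubusercontent.com/example-org/example-repo/refs/heads/main/shellcode.bin",
    "hxxps://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID",
]
# Shared platforms: a hostname match alone flags ordinary traffic, so match the full URL.
SHARED_PLATFORMS = {"github.com", "raw.githubusercontent.com", "drive.google.com"}

def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")

def classify(iocs):
    """Return (hostnames safe to match alone, scheme-less full URLs for shared platforms)."""
    hosts, urls = set(), set()
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        host = parts.hostname  # lower-cased, port removed
        if host in SHARED_PLATFORMS:
            urls.add(host + parts.path + ("?" + parts.query if parts.query else ""))
        elif host:  # skip entries that do not parse as URLs
            hosts.add(host)
    return sorted(hosts), sorted(urls)

def kql_array(values):
    """Render a Python list as a KQL dynamic() string array."""
    return "dynamic([" + ", ".join('"' + v.replace('"', '\\"') + '"' for v in values) + "])"

def build_hunt(iocs, exclusions):
    """Emit the CommonSecurityLog hunt; every let statement is ';'-terminated as KQL requires."""
    hosts, urls = classify(iocs)
    return "\n".join([
        f"let dedicated_hosts = {kql_array(hosts)};",
        f"let shared_platform_urls = {kql_array(urls)};",
        f"let allowlist = {kql_array(exclusions)};",
        "CommonSecurityLog",
        "| where DestinationHostName has_any (dedicated_hosts)",
        "    or RequestURL has_any (shared_platform_urls)",
        "| where not(RequestURL has_any (allowlist))",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_hunt(SAMPLE_IOCS, ["update.microsoft.com", "windowsupdate.microsoft.com"]))
```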
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Windows Update
Description: A legitimate system update process may trigger a URL download from Microsoft’s update servers.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.microsoft.com in the url field.
Scenario: Admin Task: Downloading Security Tools via PowerShell
Description: An administrator may use PowerShell to download a legitimate security tool (e.g., Microsoft Defender ATP or CrowdStrike Falcon) from a known safe URL.
Filter/Exclusion: Exclude URLs containing powershell.exe or download.microsoft.com in the url field, and filter by user admin or svc_account.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) may download build artifacts from a private repository or a known secure URL.
Filter/Exclusion: Exclude URLs containing ci-cd, artifactory, or nexus in the url field, and filter by process name like jenkins.exe or gitlab-runner.
Scenario: Legitimate Software Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) deployment may trigger a download of a legitimate application from a company-approved URL.
Filter/Exclusion: Exclude URLs containing sccm, softwarecenter, or microsoft.com in the url field, and filter by process name like ccmexec.exe.
Scenario: User-Initiated Download of Open-Source Tools
Description: A user may download a legitimate open-source tool (e.g., Wireshark, Nmap) from a trusted source like GitHub or SourceForge.
Filter/Exclusion: Exclude URLs containing `github.com