Adversaries may use malicious URLs that URLhaus has tagged as 32-bit to deliver payloads that bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise vectors before they lead to data exfiltration or system control.
IOC Summary
Threat: 32-bit
Total URLs: 37
Active URLs: 33
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.228.44.33:46774/i | online | malware_download | 2026-05-11 |
| hxxp://182.121.8.145:52664/i | online | malware_download | 2026-05-11 |
| hxxp://61.156.126.156:38917/i | offline | malware_download | 2026-05-11 |
| hxxp://61.156.126.156:38917/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://61.53.220.233:37274/i | online | malware_download | 2026-05-11 |
| hxxp://61.53.220.233:37274/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://163.142.84.177:36350/i | online | malware_download | 2026-05-11 |
| hxxp://115.55.49.73:47932/i | online | malware_download | 2026-05-11 |
| hxxp://115.55.49.73:47932/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://113.237.110.16:44902/i | online | malware_download | 2026-05-11 |
| hxxp://113.231.73.56:48836/i | online | malware_download | 2026-05-11 |
| hxxp://110.36.77.19:41012/i | online | malware_download | 2026-05-11 |
| hxxp://182.117.12.132:33257/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://113.231.73.56:48836/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://110.36.77.19:41012/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://79.182.248.184:56530/i | online | malware_download | 2026-05-11 |
| hxxp://221.15.178.156:52257/i | online | malware_download | 2026-05-11 |
| hxxp://115.49.232.125:59940/i | online | malware_download | 2026-05-11 |
| hxxp://113.233.88.183:33965/i | online | malware_download | 2026-05-11 |
| hxxp://157.66.146.183:50229/i | online | malware_download | 2026-05-11 |
| hxxp://113.233.88.183:33965/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://157.66.146.183:50229/bin.sh | online | malware_download | 2026-05-11 |
| hxxp://118.232.137.101:60595/i | online | malware_download | 2026-05-11 |
| hxxp://61.53.74.66:36279/i | online | malware_download | 2026-05-11 |
| hxxp://110.39.235.153:35614/i | online | malware_download | 2026-05-11 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Note: every indicator in this feed is a bare IP address, so matching only the
// queried Name would rarely fire; the resolved IPAddresses column is checked as well.
let malicious_domains = dynamic(["115.49.232.125", "113.233.88.183", "27.37.103.139", "27.206.89.192", "115.55.49.73", "61.53.220.233", "115.52.52.55", "221.15.178.156", "42.228.44.33", "113.231.73.56", "118.232.137.101", "113.237.110.16", "157.66.146.183", "61.156.126.156", "182.117.12.132", "182.121.8.145", "61.53.74.66", "110.36.77.19", "163.142.84.177", "79.182.248.184", "110.39.235.153"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Note: the indicators are IP:port URLs, so DestinationIP is checked alongside
// RequestURL and DestinationHostName to catch proxies that log only the IP.
let malicious_domains = dynamic(["115.49.232.125", "113.233.88.183", "27.37.103.139", "27.206.89.192", "115.55.49.73", "61.53.220.233", "115.52.52.55", "221.15.178.156", "42.228.44.33", "113.231.73.56", "118.232.137.101", "113.237.110.16", "157.66.146.183", "61.156.126.156", "182.117.12.132", "182.121.8.145", "61.53.74.66", "110.36.77.19", "163.142.84.177", "79.182.248.184", "110.39.235.153"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via URLhaus
Description: A system administrator manually downloads a 32-bit software update from a known URLhaus entry as part of a patching process.
Filter/Exclusion: Exclude URLs that match known software update repositories (e.g., *.softwareupdate.com, *.patchserver.org) or use a field like urlhaus_id to filter out known benign entries.
Scenario: Scheduled Job Fetching Malware Samples
Description: A security team’s automated job fetches malware samples from URLhaus for analysis in a sandboxed environment.
Filter/Exclusion: Exclude traffic originating from a known internal analysis system (e.g., src_ip = 10.10.10.10) or use a process.name filter for tools like wget or curl used in the job.
Scenario: Admin Task to Download Antivirus Definitions
Description: An admin downloads 32-bit antivirus definitions from a URLhaus entry as part of a routine security maintenance task.
Filter/Exclusion: Exclude URLs that match known antivirus distribution servers (e.g., *.avast.com, *.kaspersky.com) or use a user field to filter by admin accounts.
Scenario: Internal Testing with Malware Samples
Description: A red team or security team member tests a 32-bit malware sample from URLhaus in a controlled lab environment.
Filter/Exclusion: Exclude traffic from a known internal testing network (e.g., src_ip = 192.168.5.0/24) or use a process.name filter for tools like mitmproxy or Wireshark.
Scenario: Legacy System Maintenance with 32-bit Tools
Description: A legacy
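The exclusion scenarios above describe filters in the abstract. The following query, added here as an illustration and not part of the original hunting content, applies them to the CommonSecurityLog hunt for this feed: it drops traffic from the analysis host and lab subnet the scenarios mention, and, where the logging device populates it, from the sample-fetching tools named in the scenarios. The analysis host address 10.10.10.10 and the lab subnet 192.168.5.0/24 are the scenario placeholders, not real values; the list of excluded process names is an assumption and should be adjusted to match the tooling actually used.

```kusto
// Added example: web-traffic hunt with the false-positive exclusions applied.
// Same IOC list as the hunt query above.
let malicious_domains = dynamic(["115.49.232.125", "113.233.88.183", "27.37.103.139", "27.206.89.192", "115.55.49.73", "61.53.220.233", "115.52.52.55", "221.15.178.156", "42.228.44.33", "113.231.73.56", "118.232.137.101", "113.237.110.16", "157.66.146.183", "61.156.126.156", "182.117.12.132", "182.121.8.145", "61.53.74.66", "110.36.77.19", "163.142.84.177", "79.182.248.184", "110.39.235.153"]);
// Scenario 2: known internal malware-analysis system (placeholder value from the scenario text).
let analysis_hosts = dynamic(["10.10.10.10"]);
// Scenario 4: internal testing network (placeholder value from the scenario text).
let lab_subnet = "192.168.5.0/24";
// Scenarios 2 and 4: tools used by sanctioned sample-fetching jobs (assumed list; adjust).
let sanctioned_tools = dynamic(["wget", "curl", "mitmproxy"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
// Drop the analysis host. A blocked request from it is still worth a look, so keep Deny/Block actions.
| where not(SourceIP in (analysis_hosts)) or DeviceAction in~ ("deny", "block", "drop")
// Drop the lab subnet; coalesce() keeps rows whose SourceIP is empty or unparseable
// instead of silently discarding them (ipv4_is_in_range returns null there).
| where coalesce(ipv4_is_in_range(SourceIP, lab_subnet), false) == false
// Drop sanctioned tooling only when the device actually reports a process name.
| where isempty(SourceProcessName) or not(SourceProcessName has_any (sanctioned_tools))
// One row per source/destination pair with a sample of the URLs requested.
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleURLs = make_set(RequestURL, 10)
    by SourceIP, DestinationIP, DeviceAction
| order by LastSeen desc
```

The exclusions are deliberately narrow: a host is excluded by address only when its request was allowed, and the process-name filter applies only to records that carry a process name, so a device that never fills SourceProcessName does not cause the filter to hide everything. Run the unfiltered hunt first to confirm what the exclusions remove before adopting them in an analytics rule.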