The detection identifies potential 32-bit malware distribution through malicious URLs linked to known malicious actors, leveraging URLhaus intelligence. SOC teams should proactively hunt for this behavior to disrupt early-stage malware deployment and prevent lateral movement within Azure Sentinel environments.
IOC Summary
Threat: 32-bit Total URLs: 14 Active URLs: 14
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://110.39.255.247:40974/i | online | malware_download | 2026-05-12 |
hxxp://198.2.100.25:51642/bin.sh | online | malware_download | 2026-05-12 |
hxxp://110.37.53.53:49133/i | online | malware_download | 2026-05-12 |
hxxp://110.39.255.247:40974/bin.sh | online | malware_download | 2026-05-12 |
hxxp://115.58.171.103:55092/i | online | malware_download | 2026-05-12 |
hxxp://182.123.194.4:57810/i | online | malware_download | 2026-05-12 |
hxxp://115.63.146.155:34136/i | online | malware_download | 2026-05-12 |
hxxp://182.123.194.4:57810/bin.sh | online | malware_download | 2026-05-12 |
hxxp://119.185.241.39:48233/bin.sh | online | malware_download | 2026-05-12 |
hxxp://182.112.36.145:56455/bin.sh | online | malware_download | 2026-05-12 |
hxxp://27.37.101.140:48369/i | online | malware_download | 2026-05-12 |
hxxp://110.39.231.96:52783/i | online | malware_download | 2026-05-12 |
hxxp://84.240.11.145:51885/bin.sh | online | malware_download | 2026-05-12 |
hxxp://110.36.65.9:51025/bin.sh | online | malware_download | 2026-05-12 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["198.2.100.25", "110.39.231.96", "119.185.241.39", "110.39.255.247", "115.63.146.155", "84.240.11.145", "27.37.101.140", "110.37.53.53", "110.36.65.9", "182.112.36.145", "115.58.171.103", "182.123.194.4"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["198.2.100.25", "110.39.231.96", "119.185.241.39", "110.39.255.247", "115.63.146.155", "84.240.11.145", "27.37.101.140", "110.37.53.53", "110.36.65.9", "182.112.36.145", "115.58.171.103", "182.123.194.4"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching process using a 32-bit URL
Filter/Exclusion: process.name != "wusa.exe" || process.name != "msiexec.exe"
Explanation: Tools like wusa.exe (Windows Update) or msiexec.exe are commonly used for installing updates and may trigger the rule when accessing known 32-bit URLs during patching.
Scenario: Scheduled backup job accessing a 32-bit URL for cloud storage
Filter/Exclusion: process.name != "vssadmin.exe" || process.name != "robocopy.exe"
Explanation: Backup tools like vssadmin.exe or robocopy.exe may access URLs for cloud storage or backup services, which could be flagged as 32-bit malicious URLs.
Scenario: Admin task using a 32-bit tool for legacy application support
Filter/Exclusion: process.name != "msiexec.exe" || process.name != "setup.exe"
Explanation: Legacy application support tools like msiexec.exe or setup.exe may access 32-bit URLs for compatibility or support, which could be falsely flagged.
Scenario: Internal tool or script using a 32-bit URL for internal repository access
Filter/Exclusion: process.name != "powershell.exe" || process.name != "cmd.exe"
Explanation: Internal scripts or tools running via powershell.exe or cmd.exe may access internal URLs that are mistakenly tagged as malicious in the URLhaus database.
Scenario: User accessing a 32-bit URL for a known legitimate service (e.g., CDN or API)
Filter/Exclusion: destination.url contains "cdn.example.com" || destination.url contains "api.example.com"
Explanation: Leg