This detection covers URLs tagged 32-bit in URLhaus, which are commonly used in targeted attacks to deliver malware. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage compromise attempts by adversaries leveraging outdated 32-bit payloads.
IOC Summary
Threat: 32-bit
Total URLs: 27
Active URLs: 27
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.48.36.38:36885/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://123.5.115.15:52001/i | online | malware_download | 2026-05-07 |
| hxxp://222.141.45.153:40278/i | online | malware_download | 2026-05-07 |
| hxxp://222.141.45.153:40278/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://123.8.3.36:58837/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://110.37.62.94:38185/i | online | malware_download | 2026-05-07 |
| hxxp://115.61.10.252:44778/i | online | malware_download | 2026-05-07 |
| hxxp://115.61.10.252:44778/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://110.36.77.35:50284/i | online | malware_download | 2026-05-07 |
| hxxp://115.63.55.207:56717/i | online | malware_download | 2026-05-07 |
| hxxp://42.232.108.110:53982/i | online | malware_download | 2026-05-07 |
| hxxp://125.44.244.65:44678/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://125.45.58.131:41552/i | online | malware_download | 2026-05-07 |
| hxxp://125.45.58.131:41552/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://110.37.78.216:53423/i | online | malware_download | 2026-05-07 |
| hxxp://182.241.176.6:44688/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://110.36.77.35:50284/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://182.119.11.212:35806/i | online | malware_download | 2026-05-07 |
| hxxp://110.37.78.216:53423/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://110.37.59.217:39318/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://115.57.215.103:47962/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://68.185.152.86:44498/i | online | malware_download | 2026-05-07 |
| hxxp://42.7.236.111:37866/i | online | malware_download | 2026-05-07 |
| hxxp://42.224.66.157:56908/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://119.99.165.56:55675/i | online | malware_download | 2026-05-07 |
```kql
// Hunt for DNS resolution involving URLhaus malicious hosts
// Threat: 32-bit
// Note: these IOCs are IP literals rather than domain names, so the queried Name
// column will rarely contain them; a resolution that answers with one of these
// hosts shows up in the IPAddresses column, which is matched as well.
let malicious_domains = dynamic(["222.141.45.153", "110.36.119.151", "115.63.55.207", "123.5.115.15", "123.8.3.36", "110.36.77.35", "182.119.11.212", "115.61.10.252", "110.37.62.94", "182.241.176.6", "115.48.36.38", "110.37.59.217", "125.45.58.131", "115.57.215.103", "42.7.236.111", "68.185.152.86", "42.232.108.110", "119.99.165.56", "42.224.66.157", "125.44.244.65", "110.37.78.216"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is matched in addition to RequestURL and DestinationHostName,
// because firewall/proxy events often carry the destination IP but no URL.
let malicious_domains = dynamic(["222.141.45.153", "110.36.119.151", "115.63.55.207", "123.5.115.15", "123.8.3.36", "110.36.77.35", "182.119.11.212", "115.61.10.252", "110.37.62.94", "182.241.176.6", "115.48.36.38", "110.37.59.217", "125.45.58.131", "115.57.215.103", "42.7.236.111", "68.185.152.86", "42.232.108.110", "119.99.165.56", "42.224.66.157", "125.44.244.65", "110.37.78.216"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes.
  - Filter/Exclusion: Exclude URLs that match the urlhaus tag and are associated with known safe testing environments or internal validation tools (e.g., urlhaus.test or internal-validation-tool.com).
- Scenario: A scheduled job runs a script to download and install a 32-bit software update from a trusted enterprise repository.
  - Filter/Exclusion: Exclude URLs that are part of the enterprise software update system (e.g., updates.enterprise.com or software-repo.company.net).
- Scenario: A developer is using a 32-bit development tool that requires accessing a public code repository (e.g., GitHub) for dependency resolution.
  - Filter/Exclusion: Exclude URLs that originate from public code repositories (e.g., github.com, gitlab.com) or are associated with development toolchains (e.g., npm, pip, maven).
- Scenario: A user is accessing a 32-bit legacy system support portal that contains URLs flagged by URLhaus due to historical malicious activity.
  - Filter/Exclusion: Exclude URLs that are part of internal or third-party support portals (e.g., support.portal.com, legacy-support.company.org).
- Scenario: A security tool or SIEM system is configured to fetch threat intelligence feeds from URLhaus, which includes 32-bit malicious URLs.
  - Filter/Exclusion: Exclude URLs that are part of threat intelligence feed subscriptions (e.g., urlhaus.org, threatintel.feed.com) or are used for automated intelligence updates.
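The following is an added example, not part of the original hunt package, showing how the CommonSecurityLog hunt above can be tightened to match on destination IP and port (the IOCs in the table are host:port pairs, so a bare host match over-triggers on shared hosting or reused IPs) and how the scenario exclusions can be applied as allowlists. Column names follow the standard CommonSecurityLog schema; the IOC rows are a subset of the table above; the allowlisted host names are the placeholders from the scenario text, and `ti_collectors` is an assumed list of hosts that legitimately pull threat-intel feeds.

```kql
// Added example: IP+port matching with tuning allowlists applied.
let lookback = 7d;
// Subset of the URLhaus 32-bit IOCs from the table above, split into host/port/path.
let iocs = datatable(host:string, port:int, path:string) [
    "115.48.36.38",   36885, "/bin.sh",
    "123.5.115.15",   52001, "/i",
    "222.141.45.153", 40278, "/i",
    "222.141.45.153", 40278, "/bin.sh",
    "110.36.77.35",   50284, "/i",
    "110.36.77.35",   50284, "/bin.sh",
    "125.45.58.131",  41552, "/i",
    "125.45.58.131",  41552, "/bin.sh"
];
let ioc_hosts = toscalar(iocs | summarize make_set(host));
// Allowlists built from the false-positive scenarios (placeholder names from that text).
let trusted_dst_hosts = dynamic(["updates.enterprise.com", "software-repo.company.net",
                                 "support.portal.com", "legacy-support.company.org",
                                 "github.com", "gitlab.com", "urlhaus.org"]);
// Assumed: internal hosts that fetch URLhaus feeds and will legitimately touch urlhaus.org.
let ti_collectors = dynamic(["siem-collector-01", "ti-fetcher-02"]);
let web = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DestinationIP)
    | project TimeGenerated, SourceIP, SourceHostName, DestinationIP, DestinationPort,
              DestinationHostName, RequestURL, DeviceAction, DeviceVendor;
// Tier 1: exact IP+port hit, the strongest signal for these IOCs.
let exact_hits = web
    | join kind=inner iocs on $left.DestinationIP == $right.host, $left.DestinationPort == $right.port
    | extend match_kind = "ip+port", ioc_path = path;
// Tier 2: the IOC host appears in the request URL (proxies that log RequestURL but
// record the proxy itself as DestinationIP).
let url_hits = web
    | where RequestURL has_any (ioc_hosts)
    | extend match_kind = "url", ioc_path = "";
union exact_hits, url_hits
// Apply the scenario exclusions: trusted destinations and known TI feed collectors.
| where DestinationHostName !in (trusted_dst_hosts)
| where SourceHostName !in (ti_collectors)
| summarize hits = count(),
            first_seen = min(TimeGenerated),
            last_seen = max(TimeGenerated),
            actions = make_set(DeviceAction),
            match_kinds = make_set(match_kind),
            paths = make_set(ioc_path)
          by SourceIP, DestinationIP, DestinationPort
| order by last_seen desc
```

A row whose `actions` contains only a block verdict is a blocked attempt worth recording; a row with an allow verdict on an `ip+port` match is the case to escalate, since the source host reached the exact dropper endpoint listed in the feed.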