This hunt covers the 21 URLs currently carrying the URLhaus `32-bit` tag. Every one of them is a direct-to-IP download of the form hxxp://<IP>:<high, non-standard port>/bin.sh or /i (URLhaus threat type `malware_download`), i.e. the payload-staging stage of an infection rather than a named domain. SOC teams should proactively hunt for connections to these IP:port pairs in Azure Sentinel proxy, firewall and DNS data so that the initial payload fetch is caught before the dropped code runs and leads to broader compromise.
IOC Summary
Threat (URLhaus tag): 32-bit
Total URLs: 21
Active URLs (status `online` at time of export): 21
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://119.118.230.35:56063/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://115.55.247.129:46170/i | online | malware_download | 2026-05-08 |
| hxxp://27.215.87.87:33301/i | online | malware_download | 2026-05-08 |
| hxxp://115.48.36.4:44817/i | online | malware_download | 2026-05-08 |
| hxxp://42.235.80.242:52005/i | online | malware_download | 2026-05-08 |
| hxxp://27.215.87.87:33301/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://119.179.249.188:46928/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://116.139.83.93:54612/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://59.101.188.117:53314/i | online | malware_download | 2026-05-08 |
| hxxp://115.55.247.129:46170/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://222.141.105.198:53321/i | online | malware_download | 2026-05-08 |
| hxxp://117.206.135.153:37117/i | online | malware_download | 2026-05-08 |
| hxxp://39.87.28.212:53166/i | online | malware_download | 2026-05-08 |
| hxxp://27.206.64.100:46843/i | online | malware_download | 2026-05-08 |
| hxxp://59.101.188.117:53314/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://39.87.28.212:53166/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://117.206.135.153:37117/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://222.141.105.198:53321/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://110.39.241.60:59213/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://27.206.64.100:46843/bin.sh | online | malware_download | 2026-05-08 |
| hxxp://61.53.125.251:46680/i | online | malware_download | 2026-05-08 |
```kql
// Hunt for DNS answers that resolve to the URLhaus-listed IPs
// Threat: 32-bit (URLhaus tag)
// The listed URLs are IP literals, so a client fetching them directly issues no DNS
// query at all. This query only catches hosts that resolved some other name to one
// of these addresses; treat the CommonSecurityLog query below as the primary hunt.
let malicious_ips = dynamic(["119.179.249.188", "115.55.247.129", "115.48.36.4", "27.215.87.87", "110.39.241.60", "61.53.125.251", "27.206.64.100", "119.118.230.35", "116.139.83.93", "39.87.28.212", "222.141.105.198", "117.206.135.153", "42.235.80.242", "59.101.188.117"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IPs
// Threat: 32-bit (URLhaus tag)
// DestinationIP is matched exactly; RequestURL/DestinationHostName are term-matched
// for proxies that log the IP literal as the host. DestinationPort is projected so an
// analyst can confirm the hit is on the listed high port, not unrelated traffic to
// the same address.
let malicious_ips = dynamic(["119.179.249.188", "115.55.247.129", "115.48.36.4", "27.215.87.87", "110.39.241.60", "61.53.125.251", "27.206.64.100", "119.118.230.35", "116.139.83.93", "39.87.28.212", "222.141.105.198", "117.206.135.153", "42.235.80.242", "59.101.188.117"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; confirm that the proxies and firewalls that see egress traffic are forwarding into it, since this is the primary table for these IP:port indicators |
| DnsEvents | Populated by the DNS data connector (Windows DNS Server logs); only useful here for names that resolve to the listed IPs, because the URLs themselves are IP literals |
Scenario: A malware-analysis sandbox or detonation host deliberately fetches a listed `bin.sh` or `/i` payload so it can be analysed.
Filter/Exclusion: Exclude by source identity rather than by URL: maintain an allowlist of sandbox hosts (for example a `SandboxHosts` watchlist, name assumed) matched against SourceIP or Computer, and keep those hits in a separate low-severity view so that a sandbox escape onto the production network is still noticed.
Scenario: A threat-intelligence platform or enrichment script automatically downloads samples from URLhaus listings for hashing and storage.
Filter/Exclusion: Exclude the platform's service host or account, again by source rather than by URL, and verify that it runs in an isolated network segment.
Scenario: The indicator has gone stale. These are IP-literal URLs on high, non-standard ports, the kind of address that is often dynamic or residential, and the IP may be reassigned after the listing date (2026-05-08).
Filter/Exclusion: Before suppressing or escalating, check the URL's current status on URLhaus; give hits that occur well after the listing date less weight, and require a match on the listed port (not just the IP) before raising an incident.
Scenario: An internal vulnerability scanner or external attack-surface tool probes internet addresses that happen to include one of the listed IPs.
Filter/Exclusion: Exclude the scanner's source addresses; scanner traffic will normally not carry the `bin.sh` or `/i` request path, so a request for those paths from a non-scanner source should still alert.
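The following is an added worked example, not part of the original hunt page. It serves both the KQL hunt above and the tuning notes: it parses the defanged URLhaus URLs into exact (IP, port, path) indicators, renders the `let malicious_ips = dynamic([...])` line used in the Sentinel queries from that list instead of by hand, and then runs the indicators over a few constructed proxy log lines with exact host:port matching, applying the "exclude sandbox hosts by source" rule. The log format, the source addresses and the `analysis_hosts` allowlist are assumptions made for the example; only the four URLs are taken from the table above.

```python
"""Turn a URLhaus URL list into exact host:port indicators, emit the KQL list,
and hunt over sample proxy logs. Added example, not code from the original page."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Four of the 21 URLs from the IOC table, defanged exactly as URLhaus publishes them.
URLHAUS_URLS = [
    "hxxp://119.118.230.35:56063/bin.sh",
    "hxxp://27.215.87.87:33301/i",
    "hxxp://27.215.87.87:33301/bin.sh",
    "hxxp://61.53.125.251:46680/i",
]

Indicator = namedtuple("Indicator", "host port path")


def refang(url):
    """Undo URLhaus defanging (hxxp/hxxps and [.]) so urlsplit can parse the URL."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")


def parse_indicators(urls):
    """Split each defanged URL into (host, port, path); port defaults by scheme."""
    out = []
    for u in urls:
        parts = urlsplit(refang(u))
        port = parts.port or (443 if parts.scheme == "https" else 80)
        out.append(Indicator(parts.hostname, port, parts.path))
    return out


def kql_let(name, values):
    """Render a KQL `let name = dynamic([...]);` line, de-duplicated and sorted."""
    quoted = ", ".join('"%s"' % v for v in sorted(set(values)))
    return "let %s = dynamic([%s]);" % (name, quoted)


def hostport_list(indicators):
    """host:port strings, the precise form of these IP-literal indicators."""
    return ["%s:%d" % (i.host, i.port) for i in indicators]


# Constructed proxy log lines (key=value style, assumed format) for demonstration only.
# Line 2 is a near-miss IP, line 3 a listed IP on the wrong port, line 4 a sandbox host.
SAMPLE_LOG = """\
2026-05-08T09:12:01Z src=10.0.4.23 dhost=27.215.87.87 dpt=33301 request=http://27.215.87.87:33301/bin.sh act=allowed
2026-05-08T09:12:05Z src=10.0.4.23 dhost=127.215.87.87 dpt=33301 request=http://127.215.87.87:33301/bin.sh act=allowed
2026-05-08T09:13:10Z src=10.0.9.7 dhost=119.118.230.35 dpt=8080 request=http://119.118.230.35:8080/ act=allowed
2026-05-08T09:14:00Z src=10.200.1.5 dhost=61.53.125.251 dpt=46680 request=http://61.53.125.251:46680/i act=blocked
"""

LOG_RE = re.compile(r"src=(\S+) dhost=(\S+) dpt=(\d+) request=(\S+) act=(\S+)")


def hunt(log_text, indicators, analysis_hosts=()):
    """Return (src, host:port, verdict) for each log line hitting an indicator.

    Matching is on the exact (host, port) pair: 127.215.87.87 does not match
    27.215.87.87, and a listed IP on an unlisted port does not match either.
    Sources in analysis_hosts (sandbox/detonation boxes, an assumed allowlist)
    are reported as 'expected' rather than 'hit', per the tuning notes above.
    """
    wanted = {(i.host, i.port) for i in indicators}
    results = []
    for m in LOG_RE.finditer(log_text):
        src, dhost, dpt, _req, _act = m.groups()
        if (dhost, int(dpt)) in wanted:
            verdict = "expected" if src in analysis_hosts else "hit"
            results.append((src, "%s:%s" % (dhost, dpt), verdict))
    return results


if __name__ == "__main__":
    inds = parse_indicators(URLHAUS_URLS)
    print(kql_let("malicious_ips", [i.host for i in inds]))
    print(kql_let("malicious_hostports", hostport_list(inds)))
    for row in hunt(SAMPLE_LOG, inds, analysis_hosts=("10.200.1.5",)):
        print(row)
```

Run with the full 21-URL list to regenerate the `let` line for the Sentinel queries whenever the URLhaus export changes; the host:port list is the one to feed a firewall or proxy that can match on destination port, since matching on the bare IP alone is what lets unrelated traffic to a reassigned address show up as a hit.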