The detection identifies potential 32-bit malware distribution through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that bypass modern defenses.
IOC Summary
Threat: 32-bit
Total URLs: 28
Active URLs: 28
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// The indicators are IP literals, so they rarely appear as the queried Name;
// also matching the resolved addresses (IPAddresses) catches domains that
// resolve to one of the listed hosts.
let malicious_domains = dynamic(["113.237.61.40", "110.37.52.73", "42.53.0.111", "119.185.242.13", "171.39.85.96", "110.37.7.53", "123.14.39.227", "115.52.21.210", "42.224.196.36", "182.121.248.218", "94.180.31.246", "27.215.127.100", "175.173.118.18", "222.139.102.135", "42.178.108.82", "123.188.76.50", "115.61.115.233", "125.40.14.18", "115.55.228.3", "222.137.121.157"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Covers proxy/firewall logs ingested over CEF: RequestURL carries the full URL,
// DestinationHostName only the host, so both are checked.
let malicious_domains = dynamic(["113.237.61.40", "110.37.52.73", "42.53.0.111", "119.185.242.13", "171.39.85.96", "110.37.7.53", "123.14.39.227", "115.52.21.210", "42.224.196.36", "182.121.248.218", "94.180.31.246", "27.215.127.100", "175.173.118.18", "222.139.102.135", "42.178.108.82", "123.188.76.50", "115.61.115.233", "125.40.14.18", "115.55.228.3", "222.137.121.157"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes.
Filter/Exclusion: Exclude URLs that match the URLhaus tag and are associated with known safe testing environments or internal validation tools like sctest or testbed.
Scenario: A scheduled job runs a 32-bit legacy application that requires accessing a specific URL for data synchronization, such as a database backup tool like MySQLDump or SQLBackup.
Filter/Exclusion: Exclude URLs that are part of scheduled tasks or system maintenance scripts, using a filter like process.name = "MySQLDump" or script.name = "backup_script.sh".
Scenario: An IT team is performing a security audit and is using a 32-bit tool like Nessus or OpenVAS to scan internal systems, which may trigger a URL from URLhaus during the scan.
Filter/Exclusion: Exclude URLs that are part of security scanning tools by checking the process.name field for Nessus, OpenVAS, or similar tools.
Scenario: A developer is using a 32-bit version of a CI/CD tool like Jenkins or GitLab Runner to build a project, and the build process includes fetching dependencies from a known URL that matches a URLhaus entry.
Filter/Exclusion: Exclude URLs that are part of CI/CD pipelines by checking the process.name or command_line for Jenkins, gitlab-runner, or similar tools.
Scenario: A user is accessing a 32-bit enterprise application like Citrix or VMware Horizon that requires connecting to an internal URL, which may be mistakenly flagged by the rule.
Filter/Exclusion: Exclude URLs that are internal or part of enterprise applications.
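The hunting queries above hard-code the host list extracted from the IOC feed, and the last exclusion scenario asks for internal hosts to be dropped. As an added example (not part of the original page or of URLhaus), this Python script builds that `malicious_domains` line from defanged URLhaus-style URLs: it refangs them, keeps one entry per host, drops non-global addresses and renders the KQL `let`. The sample URLs are constructed, and the internal 10.x host is an assumption standing in for the enterprise-application scenario.

```python
"""Build the Sentinel watchlist line from URLhaus-style defanged URLs (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the feed's defanged form: the first host appears with
# both payload paths (/i and /bin.sh) and must collapse to one entry; the last
# URL is a constructed RFC 1918 host standing in for an internal application.
SAMPLE_URLS = [
    "hxxp://113.237.61.40:47545/i",
    "hxxp://113.237.61.40:47545/bin.sh",
    "hxxp://42.224.196.36:47952/bin.sh",
    "hxxps://10.20.30.40:8443/update",   # constructed internal host (assumption)
]


def refang(url: str) -> str:
    """Reverse the hxxp/hxxps and [.] defanging used by threat feeds."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def extract_host(url: str) -> str:
    """Return the hostname (without port) of a possibly defanged URL."""
    return urlsplit(refang(url)).hostname or ""


def is_internal(host: str) -> bool:
    """True for private, loopback or link-local IP literals; DNS names are never treated as internal here."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def build_watchlist(urls):
    """Deduplicated hosts in first-seen order, minus internal addresses."""
    hosts = []
    for url in urls:
        host = extract_host(url)
        if host and host not in hosts and not is_internal(host):
            hosts.append(host)
    return hosts


def to_kql(hosts):
    """Render the `let malicious_domains = dynamic([...])` line the queries expect."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let malicious_domains = dynamic([{quoted}]);"


if __name__ == "__main__":
    print(to_kql(build_watchlist(SAMPLE_URLS)))
```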