This detection covers URLs sourced from URLhaus under the threat tag 32-bit, which could be used to deliver malware or execute malicious payloads. All six indicators are IP-literal hosts on high, non-standard ports serving a short path (bin.sh or i), so there is no domain name to pivot on and any hit is a direct connection to the listed address. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify the download stage and mitigate early-stage adversarial activity before it leads to broader compromise.
IOC Summary
Threat: 32-bit
Total URLs: 6
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.41.220.17:52150/i | online | malware_download | 2026-04-22 |
| hxxp://125.113.148.179:39635/bin.sh | online | malware_download | 2026-04-22 |
| hxxp://42.6.65.240:60301/bin.sh | online | malware_download | 2026-04-22 |
| hxxp://196.189.111.43:56567/i | online | malware_download | 2026-04-22 |
| hxxp://222.127.68.197:38431/bin.sh | online | malware_download | 2026-04-22 |
| hxxp://42.225.199.152:60277/i | online | malware_download | 2026-04-22 |
```kql
// Hunt for DNS resolution to URLhaus indicators
// Threat: 32-bit
// Every indicator is a bare IP address, so no DNS lookup is needed to reach it and a
// query Name will never equal one. The only DNS signal is an answer that resolves to
// an indicator address, so match on the resolved IPAddresses column instead of Name.
let malicious_ips = dynamic(["196.189.111.43", "42.225.199.152", "42.6.65.240", "222.127.68.197", "125.41.220.17", "125.113.148.179"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus indicators
// Threat: 32-bit
// Match the destination IP directly (cheapest and most reliable), then fall back to the
// request URL and host name for proxies that log only the URL. DestinationPort is
// projected so the analyst can compare against the high ports in the IOC table;
// a known host on a different port is still a hit worth triage.
let malicious_ips = dynamic(["196.189.111.43", "42.225.199.152", "42.6.65.240", "222.127.68.197", "125.41.220.17", "125.113.148.179"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Rows whose DeviceAction shows the request was allowed are the ones to triage first; a blocked request still identifies a host that attempted the download.
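The matching logic of the two queries above, re-implemented offline as an added Python example (this is not code from the original page or from Sentinel). It parses the defanged URLhaus URLs into host, port and path, then runs the same host-based matching over constructed CommonSecurityLog-style and DnsEvents-style records; the record values, field names beyond the columns the queries project, and the hxxp/[.] refanging helper are assumptions for the example.

```python
"""Offline mirror of the two Sentinel hunt queries (added example, not from the page).
Log records below are constructed samples; field names follow the CommonSecurityLog
and DnsEvents columns the queries project."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# The six indicators from the IOC table, defanged the way URLhaus publishes them.
IOC_URLS = [
    "hxxp://125.41.220.17:52150/i",
    "hxxp://125.113.148.179:39635/bin.sh",
    "hxxp://42.6.65.240:60301/bin.sh",
    "hxxp://196.189.111.43:56567/i",
    "hxxp://222.127.68.197:38431/bin.sh",
    "hxxp://42.225.199.152:60277/i",
]


@dataclass(frozen=True)
class Indicator:
    host: str
    port: int
    path: str


def refang(url: str) -> str:
    """Undo the 'hxxp', '[.]' and '[:]' defanging commonly used in IOC feeds."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def parse_indicator(url: str) -> Indicator:
    """Split a defanged URL into host, explicit-or-default port, and path."""
    parts = urlsplit(refang(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return Indicator(parts.hostname or "", port, parts.path or "/")


INDICATORS = [parse_indicator(u) for u in IOC_URLS]
IOC_HOSTS = {i.host for i in INDICATORS}


def url_host(url: str) -> Optional[str]:
    """Host of a URL, or None when it does not parse (a bad log line must not abort a hunt)."""
    try:
        return urlsplit(refang(url)).hostname
    except ValueError:
        return None


def hunt_web(records: List[Dict]) -> List[Dict]:
    """Mirror of the CommonSecurityLog query: a hit when the destination IP, the
    request URL's host, or the destination host name is an indicator host."""
    hits = []
    for r in records:
        reasons = []
        if r.get("DestinationIP") in IOC_HOSTS:
            reasons.append("DestinationIP")
        if url_host(r.get("RequestURL", "")) in IOC_HOSTS:
            reasons.append("RequestURL")
        if r.get("DestinationHostName") in IOC_HOSTS:
            reasons.append("DestinationHostName")
        if not reasons:
            continue
        # Port agreement is informational: loader hosts rotate ports, so a known
        # host on a new port stays a hit and is merely flagged for the analyst.
        port_in_ioc = any(
            i.host == r.get("DestinationIP") and i.port == r.get("DestinationPort")
            for i in INDICATORS
        )
        hits.append({"time": r["TimeGenerated"], "src": r["SourceIP"],
                     "matched_on": reasons, "action": r.get("DeviceAction"),
                     "port_in_ioc": port_in_ioc})
    return hits


def hunt_dns(records: List[Dict]) -> List[Dict]:
    """Mirror of the DnsEvents query. The indicators are bare IP literals, so no
    query Name ever equals one; the only DNS signal is an answer resolving to one."""
    hits = []
    for r in records:
        resolved = {a.strip() for a in r.get("IPAddresses", "").split(",") if a.strip()}
        matched = sorted(resolved & IOC_HOSTS)
        if matched:
            hits.append({"time": r["TimeGenerated"], "computer": r["Computer"],
                         "name": r["Name"], "resolved_ioc": matched})
    return hits


# Constructed sample records (not real telemetry).
CSL_RECORDS = [
    {"TimeGenerated": "2026-04-22T10:01:00Z", "SourceIP": "10.0.0.12",
     "DestinationIP": "42.6.65.240", "DestinationPort": 60301,
     "RequestURL": "http://42.6.65.240:60301/bin.sh", "DestinationHostName": "",
     "DeviceAction": "Allowed"},
    {"TimeGenerated": "2026-04-22T10:02:00Z", "SourceIP": "10.0.0.20",
     "DestinationIP": "203.0.113.8", "DestinationPort": 443,
     "RequestURL": "https://example.com/", "DestinationHostName": "example.com",
     "DeviceAction": "Allowed"},
    {"TimeGenerated": "2026-04-22T10:03:00Z", "SourceIP": "10.0.0.34",
     "DestinationIP": "125.41.220.17", "DestinationPort": 8080,
     "RequestURL": "http://125.41.220.17:8080/i", "DestinationHostName": "125.41.220.17",
     "DeviceAction": "Blocked"},
    {"TimeGenerated": "2026-04-22T10:04:00Z", "SourceIP": "10.0.0.40",
     "DestinationIP": "203.0.113.9", "DestinationPort": 80,
     "RequestURL": "http://[broken", "DestinationHostName": "", "DeviceAction": "Allowed"},
]
DNS_RECORDS = [
    {"TimeGenerated": "2026-04-22T10:00:30Z", "Computer": "ws-01", "ClientIP": "10.0.0.12",
     "Name": "update.example.org", "IPAddresses": "203.0.113.9"},
    {"TimeGenerated": "2026-04-22T10:00:45Z", "Computer": "ws-07", "ClientIP": "10.0.0.34",
     "Name": "cdn.example.net", "IPAddresses": "198.51.100.7, 42.225.199.152"},
]

if __name__ == "__main__":
    for hit in hunt_web(CSL_RECORDS) + hunt_dns(DNS_RECORDS):
        print(hit)
```

The malformed RequestURL in the last web record is there on purpose: proxy logs contain unparseable URLs, and a hunt that raises on one of them silently loses every record after it. The second web hit shows why the port is only a flag: the host is the indicator but the port is not in the feed, which is exactly the case a pure host:port match would miss.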
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Because every indicator in this hunt is a bare IP address, the vendor-domain exclusions below do not change what the queries above return; they apply only if the hunt is widened to URL paths (such as /bin.sh) or to a broader URLhaus feed. When an exclusion is needed, apply it to the parsed destination host (an exact match or a suffix match on DestinationHostName), not to a substring of RequestURL: a substring match on wireshark.org would also exclude a host such as wireshark.org.attacker.example.
Scenario: A scheduled system update job downloads a 32-bit installer from a known Microsoft update server.
Filter/Exclusion: Exclude destination hosts download.microsoft.com and go.microsoft.com (the /fwlink redirector) for 32-bit Windows updates.
Scenario: An IT admin manually downloads a 32-bit version of a legitimate tool (e.g., Wireshark) from the official website for compatibility with legacy systems.
Filter/Exclusion: Exclude the destination host www.wireshark.org (and other wireshark.org subdomains) for 32-bit downloads.
Scenario: A user runs a 32-bit version of a virtualization tool (e.g., VMware Workstation) and the tool's update server is flagged by the rule.
Filter/Exclusion: Exclude the destination hosts softwareupdate.vmware.com and download3.vmware.com for VMware 32-bit updates.
Scenario: A backup job uses a 32-bit version of a backup tool (e.g., Acronis True Image) and the tool's server is flagged.
Filter/Exclusion: Exclude the destination hosts download.acronis.com and www.acronis.com for 32-bit backup software.
Scenario: A developer runs a 32-bit build environment and the CI/CD tool (e.g., Jenkins) pulls a 32-bit dependency from a public repository.
Filter/Exclusion: Exclude the destination hosts repo.jenkins-ci.org and maven.repository.redhat.com for 32-bit build artifacts.