URLhaus: 32-bit Malicious URLs

ioc-hunt · HIGH · URLhaus
CommonSecurityLog · DnsEvents
ioc · urlhaus
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Hunt package for 46 malicious URLs tagged as 32-bit

IOC Summary

Threat: 32-bit · Total URLs: 46 · Active URLs: 42

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["39.74.235.15", "117.205.90.155", "115.48.151.224", "222.140.160.89", "110.37.45.161", "42.227.197.21", "182.117.160.77", "175.165.80.253", "110.37.97.71", "42.234.72.238", "117.223.140.8", "117.235.117.8", "79.24.141.59", "115.55.246.34", "82.144.86.37", "110.37.55.92", "27.37.100.58", "222.139.108.152", "222.140.179.126", "59.183.118.33", "123.13.103.228"]);
DnsEvents
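// The indicators are IP literals, so match the resolved addresses as well as the queried name
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)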
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["39.74.235.15", "117.205.90.155", "115.48.151.224", "222.140.160.89", "110.37.45.161", "42.227.197.21", "182.117.160.77", "175.165.80.253", "110.37.97.71", "42.234.72.238", "117.223.140.8", "117.235.117.8", "79.24.141.59", "115.55.246.34", "82.144.86.37", "110.37.55.92", "27.37.100.58", "222.139.108.152", "222.140.179.126", "59.183.118.33", "123.13.103.228"]);
CommonSecurityLog
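// The indicators are IP literals, so also compare against the destination IP field
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)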
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table | Notes
CommonSecurityLog | Ensure this data connector is enabled
DnsEvents | Ensure this data connector is enabled

References

Original source: https://urlhaus.abuse.ch/