URLhaus: 32-bit Malicious URLs

Hunt Hypothesis

The detection identifies potential 32-bit malware distribution through known malicious URLs listed in URLhaus, which could indicate an adversary attempting to deploy legacy malware in a modern environment. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage attacks that leverage outdated malware to evade modern defenses.

IOC Summary

Threat: 32-bit Total URLs: 37 Active URLs: 37

URL	Status	Threat	Date Added
`hxxp://105.186.181.193:44969/i`	online	malware_download	2026-04-23
`hxxp://123.7.226.192:39217/bin.sh`	online	malware_download	2026-04-23
`hxxp://42.179.147.89:60389/bin.sh`	online	malware_download	2026-04-23
`hxxp://42.226.68.180:33416/i`	online	malware_download	2026-04-23
`hxxp://182.123.192.217:46665/i`	online	malware_download	2026-04-23
`hxxp://222.137.146.77:60722/i`	online	malware_download	2026-04-23
`hxxp://178.227.156.100:2578/bin.sh`	online	malware_download	2026-04-23
`hxxp://182.123.192.217:46665/bin.sh`	online	malware_download	2026-04-23
`hxxp://182.126.84.132:33258/i`	online	malware_download	2026-04-23
`hxxp://182.121.214.189:44576/bin.sh`	online	malware_download	2026-04-23
`hxxp://115.49.66.168:46002/i`	online	malware_download	2026-04-23
`hxxp://182.173.199.8:58428/i`	online	malware_download	2026-04-23
`hxxp://115.49.66.168:46002/bin.sh`	online	malware_download	2026-04-23
`hxxp://110.36.2.23:49916/i`	online	malware_download	2026-04-23
`hxxp://61.52.72.102:51830/i`	online	malware_download	2026-04-23
`hxxp://42.230.44.35:58018/i`	online	malware_download	2026-04-23
`hxxp://182.173.199.8:58428/bin.sh`	online	malware_download	2026-04-23
`hxxp://175.151.128.38:34555/i`	online	malware_download	2026-04-23
`hxxp://42.224.96.212:50911/bin.sh`	online	malware_download	2026-04-23
`hxxp://42.230.44.35:58018/bin.sh`	online	malware_download	2026-04-23
`hxxp://42.7.139.50:45332/i`	online	malware_download	2026-04-23
`hxxp://42.235.171.125:53623/i`	online	malware_download	2026-04-23
`hxxp://115.55.173.8:39536/i`	online	malware_download	2026-04-23
`hxxp://182.127.177.18:44434/bin.sh`	online	malware_download	2026-04-23
`hxxp://115.55.173.8:39536/bin.sh`	online	malware_download	2026-04-23

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["36.88.136.194", "182.123.192.217", "42.224.96.212", "123.7.226.192", "110.36.2.23", "115.49.66.168", "61.52.72.102", "42.226.68.180", "42.230.44.35", "222.137.146.77", "125.43.249.122", "175.151.128.38", "182.126.84.132", "178.227.156.100", "182.121.214.189", "182.127.177.18", "182.173.199.8", "42.235.171.125", "105.186.181.193", "42.179.147.89", "42.7.139.50", "112.248.187.207", "115.55.173.8", "110.37.1.162"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["36.88.136.194", "182.123.192.217", "42.224.96.212", "123.7.226.192", "110.36.2.23", "115.49.66.168", "61.52.72.102", "42.226.68.180", "42.230.44.35", "222.137.146.77", "125.43.249.122", "175.151.128.38", "182.126.84.132", "178.227.156.100", "182.121.214.189", "182.127.177.18", "182.173.199.8", "42.235.171.125", "105.186.181.193", "42.179.147.89", "42.7.139.50", "112.248.187.207", "115.55.173.8", "110.37.1.162"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled

References

URLhaus

False Positive Guidance

Scenario: Scheduled system update via Windows Update
Filter/Exclusion: process.name != "wuauclt.exe" or process.name != "svchost.exe" with specific command line arguments for Windows Update
Scenario: Legitimate 32-bit application deployment using SCCM (System Center Configuration Manager)
Filter/Exclusion: process.name != "cmiexec.exe" or process.name != "smsts.exe" with known SCCM deployment command lines
Scenario: Admin task to download and install a 32-bit driver from a trusted internal repository
Filter/Exclusion: process.name != "setup.exe" or process.name != "msiexec.exe" with known internal repository URLs
Scenario: User accessing a 32-bit URL for a legacy internal tool (e.g., legacy reporting tool)
Filter/Exclusion: process.name != "iexplore.exe" or process.name != "chrome.exe" with URL containing known internal tool paths
Scenario: Automated backup job using a 32-bit script or tool (e.g., rsync or robocopy)
Filter/Exclusion: process.name != "robocopy.exe" or process.name != "rsync.exe" with known backup job command lines or execution context (e.g., scheduled task with specific user context)