The detection identifies potential 32-bit malware distribution through malicious URLs listed in URLhaus, which could be used to deliver ransomware or other malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversary activity before widespread compromise occurs.
IOC Summary
Threat tag: 32-bit | Total URLs: 71 | Active URLs: 63
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://196.189.3.1:40992/i | online | malware_download | 2026-05-24 |
| hxxp://196.189.3.1:40992/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://115.50.105.190:45884/i | online | malware_download | 2026-05-24 |
| hxxp://119.118.238.53:56063/i | online | malware_download | 2026-05-24 |
| hxxp://42.232.26.80:42299/i | online | malware_download | 2026-05-24 |
| hxxp://27.37.110.39:41074/i | online | malware_download | 2026-05-24 |
| hxxp://123.10.129.9:34661/i | online | malware_download | 2026-05-24 |
| hxxp://59.42.91.70:56735/i | online | malware_download | 2026-05-24 |
| hxxp://108.168.0.60:45521/i | online | malware_download | 2026-05-24 |
| hxxp://27.215.183.156:50736/i | online | malware_download | 2026-05-24 |
| hxxp://123.10.129.9:34661/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://59.42.91.70:56735/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://110.39.246.127:60301/i | online | malware_download | 2026-05-24 |
| hxxp://27.215.183.156:50736/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://221.214.202.219:36859/i | online | malware_download | 2026-05-24 |
| hxxp://27.153.144.16:50794/i | online | malware_download | 2026-05-24 |
| hxxp://123.5.124.70:42193/i | online | malware_download | 2026-05-24 |
| hxxp://108.168.0.60:45521/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://221.214.202.219:36859/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://123.5.124.70:42193/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://125.41.8.32:42721/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://113.228.89.46:36487/i | online | malware_download | 2026-05-24 |
| hxxp://125.47.237.203:45915/i | online | malware_download | 2026-05-24 |
| hxxp://125.47.237.203:45915/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://27.207.141.11:54027/i | online | malware_download | 2026-05-24 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Every indicator in this feed is a bare IP address, so a match on the queried
// name alone would rarely fire; the resolved addresses (IPAddresses) are
// matched as well.
let malicious_domains = dynamic(["125.47.237.203", "125.41.8.32", "27.207.141.11", "182.121.86.112", "108.168.0.60", "113.228.89.46", "27.215.183.156", "115.50.105.190", "27.37.110.39", "27.153.144.16", "42.229.221.36", "119.118.238.53", "59.42.91.70", "123.10.129.9", "110.39.246.127", "42.232.26.80", "123.5.124.70", "125.46.198.162", "221.214.202.219", "196.189.3.1"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Also match the destination IP, since these indicators are IP:port URLs that
// may appear in proxy/firewall logs without any hostname.
let malicious_domains = dynamic(["125.47.237.203", "125.41.8.32", "27.207.141.11", "182.121.86.112", "108.168.0.60", "113.228.89.46", "27.215.183.156", "115.50.105.190", "27.37.110.39", "27.153.144.16", "42.229.221.36", "119.118.238.53", "59.42.91.70", "123.10.129.9", "110.39.246.127", "42.232.26.80", "123.5.124.70", "125.46.198.162", "221.214.202.219", "196.189.3.1"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus.
  - Filter/Exclusion: Exclude URLs that match the urlhaus.org domain and are tagged as "safe" or "benign" in the URLhaus database.
- Scenario: A scheduled job runs a 32-bit script for legacy system maintenance, which includes a legitimate URL from a trusted source (e.g., Microsoft Update).
  - Filter/Exclusion: Exclude URLs that originate from Microsoft Update servers (update.microsoft.com) or are part of a known maintenance script.
- Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) to deploy code, and the tool's configuration includes a URL to a public artifact repository.
  - Filter/Exclusion: Exclude URLs that are part of a CI/CD pipeline and match known artifact repositories (e.g., artifactory.example.com or nexus.example.com).
- Scenario: A user is accessing a 32-bit version of a legitimate enterprise tool (e.g., Adobe Acrobat Reader) and the tool's update mechanism includes a URL to a trusted download site.
  - Filter/Exclusion: Exclude URLs that are part of the update mechanism for known enterprise software (e.g., download.adobe.com or support.microsoft.com).
- Scenario: A security team is performing a red team exercise using a 32-bit payload that includes a URL to a sandboxed environment for analysis.
  - Filter/Exclusion: Exclude URLs that are associated with internal sandboxing tools (e.g., sandbox.example.com) or are part of a controlled red team exercise.
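The hunting queries above are built by hand from the IOC table, and the exclusion list is applied by hand as well. The following Python script is an added example (not part of the original detection page) that automates both steps: it parses the defanged `hxxp://` rows of the markdown table (tolerating the missing leading pipe seen in the page's rows), refangs the URLs, extracts unique hosts, drops any host on an allowlist built from the false-positive exclusions, and renders the KQL `let` statement plus a `CommonSecurityLog` hunt that also matches `DestinationIP` for IP-only indicators. The sample table rows and the allowlist entries are constructed for the demonstration; the allowlisted `update.microsoft.com` row is fictitious and exists only to show the exclusion path.

```python
"""Build Azure Sentinel (KQL) hunting lists from a defanged URLhaus IOC table.

Added example, not part of the original page. Parses markdown IOC rows,
refangs hxxp:// URLs, extracts hosts, applies an allowlist (the page's
false-positive exclusions) and emits the KQL used for hunting.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the page's table layout; the last row is a fictitious
# allowlisted entry added only to exercise the exclusion path.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://196.189.3.1:40992/i | online | malware_download | 2026-05-24 |
| hxxp://196.189.3.1:40992/bin.sh | online | malware_download | 2026-05-24 |
hxxp://115.50.105.190:45884/i | online | malware_download | 2026-05-24 |
| hxxp://update.microsoft.com/sample | online | malware_download | 2026-05-24 |
"""

# Hypothetical allowlist taken from the false-positive exclusions on the page.
ALLOWLIST = {"update.microsoft.com", "download.adobe.com", "support.microsoft.com"}


def refang(url: str) -> str:
    """Turn defanged notation (hxxp://, hxxps://, [.] and [:]) back into a real URL."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> list[dict]:
    """Parse markdown table rows into dicts, skipping the header and separator.

    Rows with or without a leading pipe are accepted, since extracted pages
    often lose it.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "URL" or set(cells[0]) <= {"-"}:
            continue
        url, status, threat, added = cells
        rows.append({"url": refang(url), "status": status, "threat": threat, "added": added})
    return rows


def extract_hosts(rows, only_online: bool = True, allowlist=ALLOWLIST) -> list[str]:
    """Unique hosts (port stripped) from the IOC rows, minus allowlisted domains,
    in first-seen order. Offline URLs are dropped by default to keep the hunt
    focused on currently active infrastructure."""
    hosts: list[str] = []
    for row in rows:
        if only_online and row["status"] != "online":
            continue
        host = urlsplit(row["url"]).hostname
        if not host or host in allowlist:
            continue
        if host not in hosts:
            hosts.append(host)
    return hosts


def kql_let(name: str, values) -> str:
    """Render a KQL `let name = dynamic([...]);` line with double quotes escaped."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_hunt_query(rows) -> str:
    """Assemble the CommonSecurityLog hunt; DestinationIP is matched because
    these indicators are IP:port URLs that may carry no hostname in proxy logs."""
    hosts = extract_hosts(rows)
    return "\n".join([
        kql_let("malicious_hosts", hosts),
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_hosts)",
        "    or DestinationHostName has_any (malicious_hosts)",
        "    or DestinationIP in (malicious_hosts)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    print(build_hunt_query(parse_ioc_table(IOC_TABLE)))
```

Paste the printed query into the Sentinel Logs blade; to regenerate after a feed refresh, replace `IOC_TABLE` with the new rows and extend `ALLOWLIST` with whatever the false-positive review approved.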