Hypothesis: the detected URLs are used by adversaries to deliver 32-bit malware, leveraging outdated systems to evade modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate compromise of legacy systems and to prevent lateral movement within the network.
IOC Summary
Threat: 32-bit | Total URLs: 57 | Active URLs: 53
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: 32-bit
// The indicators for this threat are bare IPv4 addresses (URLhaus lists IP:port URLs),
// so a match is far more likely in the resolved-address column (IPAddresses) than in
// the queried name (Name); both are checked so a literal IP query is still caught.
let malicious_ips = dynamic(["182.126.242.52", "61.53.116.38", "123.9.110.216", "110.38.211.139", "219.156.33.246", "87.227.119.161", "123.148.242.35", "115.55.53.184", "110.39.226.242", "123.12.240.167", "42.87.145.2", "112.229.205.175", "182.176.121.85", "42.227.34.161", "182.119.5.248", "123.11.14.243", "124.95.28.204", "182.121.171.75", "79.106.225.176", "61.52.55.100", "110.36.1.200"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
let malicious_ips = dynamic(["182.126.242.52", "61.53.116.38", "123.9.110.216", "110.38.211.139", "219.156.33.246", "87.227.119.161", "123.148.242.35", "115.55.53.184", "110.39.226.242", "123.12.240.167", "42.87.145.2", "112.229.205.175", "182.176.121.85", "42.227.34.161", "182.119.5.248", "123.11.14.243", "124.95.28.204", "182.121.171.75", "79.106.225.176", "61.52.55.100", "110.36.1.200"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    // Many firewalls and proxies log only the destination IP, not a URL or hostname
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching process that includes URLs from URLhaus
Filter/Exclusion: Exclude URLs matching known patching servers (e.g., windowsupdate.microsoft.com, download.microsoft.com) or use a filter like:
(url contains "windowsupdate.microsoft.com" or url contains "download.microsoft.com")
Scenario: Scheduled backup job that downloads scripts or configuration files from internal repositories
Filter/Exclusion: Exclude URLs containing internal domain names (e.g., internal-repo.corp.example.com) or use a filter like:
(url contains "internal-repo.corp.example.com" or url contains "backup.example.com")
Scenario: Admin task involving downloading third-party tools or utilities (e.g., chocolatey, scoop)
Filter/Exclusion: Exclude URLs that match known package managers or trusted download sources (e.g., chocolatey.org, github.com) or use a filter like:
(url contains "chocolatey.org" or url contains "github.com")
Scenario: Internal development team using a staging environment with URLs similar to known malicious domains
Filter/Exclusion: Exclude URLs that match internal staging domains (e.g., staging.dev.example.com) or use a filter like:
(url contains "staging.dev.example.com" or url contains "dev.example.com")
Scenario: Automated CI/CD pipeline that pulls dependencies from public repositories (e.g., npm, PyPI, Maven Central)
Filter/Exclusion: Exclude URLs that match known package managers or public repositories (e.g., npmjs.org, pypi.org, maven.apache.org) or use a filter like:
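As an added example (not part of the original page), the hunt below combines the CommonSecurityLog query with the false-positive exclusions from the scenarios above. It matches on the IOC host and port rather than the IP alone, and it applies the exclusions as an exact match on the parsed request host instead of a substring `contains` check, so a lookalike such as `github.com.attacker.example` is not excluded. It assumes the URLhaus URLs are loaded into a Sentinel watchlist with the alias `URLhaus32bit` and a `Url` column (both assumed names); the allowlist hosts are the placeholder values from the scenarios, not real data.

```kusto
// Added example: IOC host:port hunt with exact-host allowlisting (not the page's original query).
// Assumption: watchlist alias "URLhaus32bit" with a "Url" column holding the URLhaus URLs,
// either refanged (http://) or defanged (hxxp://).
let iocs = _GetWatchlist('URLhaus32bit')
    | extend Refanged = replace_string(tostring(Url), "hxxp://", "http://")
    | extend p = parse_url(Refanged)
    | project IocHost = tostring(p.Host), IocPort = tostring(p.Port), IocPath = tostring(p.Path);
// Exact-host allowlist built from the false-positive scenarios (placeholder hosts).
// An exact comparison on the parsed host cannot be satisfied by a lookalike host
// that merely contains one of these strings.
let trusted_hosts = dynamic([
    "windowsupdate.microsoft.com", "download.microsoft.com",
    "internal-repo.corp.example.com", "backup.example.com",
    "chocolatey.org", "github.com", "staging.dev.example.com",
    "npmjs.org", "pypi.org", "maven.apache.org"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(RequestURL)
| extend r = parse_url(RequestURL)
| extend ReqHost = tostring(r.Host), ReqPort = tostring(r.Port), ReqPath = tostring(r.Path)
// Requests logged without an explicit port are plain HTTP on 80; the IOC URLs always carry one.
| extend ReqPort = iff(isempty(ReqPort), "80", ReqPort)
// Exclusion applied to the host only, case-insensitively, never to the whole URL string.
| where ReqHost !in~ (trusted_hosts)
// Tight match on host AND port: the IOC URLs use non-standard listener ports, so matching
// on the address alone would also pull in unrelated traffic to a shared or reused IP.
| join kind=inner iocs on $left.ReqHost == $right.IocHost and $left.ReqPort == $right.IocPort
// Flag whether the exact payload path (/bin.sh or /i) was requested, not just the listener.
| extend PathMatches = (ReqPath == IocPath)
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, ReqHost, ReqPort, ReqPath,
          PathMatches, DeviceAction, DeviceVendor
| order by TimeGenerated desc
```

Rows with `PathMatches == true` are direct payload fetches and should be triaged first; a host:port match with a different path still indicates the client reached the listener and warrants review of the source machine.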