This detection covers potentially malicious URLs tagged "32-bit" on URLhaus, which could be used to deliver malware or execute malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversarial activity before it leads to broader compromise.
IOC Summary
Threat: 32-bit | Total URLs: 31 | Active URLs: 30
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.55.128.94:52113/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://46.163.134.250:38751/i | online | malware_download | 2026-06-11 |
| hxxp://112.93.138.41:35908/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://123.11.75.68:33284/i | online | malware_download | 2026-06-11 |
| hxxp://222.139.95.171:34217/i | online | malware_download | 2026-06-11 |
| hxxp://112.93.137.140:60470/bin.sh | offline | malware_download | 2026-06-11 |
| hxxp://42.53.227.140:53118/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://46.163.134.250:38751/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://123.11.75.68:33284/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://115.59.84.52:46229/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://112.93.137.197:35235/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://222.139.95.171:34217/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://36.88.136.194:53027/i | online | malware_download | 2026-06-11 |
| hxxp://36.88.136.194:53027/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://113.238.112.233:49590/i | online | malware_download | 2026-06-11 |
| hxxp://182.120.145.126:49506/i | online | malware_download | 2026-06-11 |
| hxxp://115.55.51.208:43505/i | online | malware_download | 2026-06-11 |
| hxxp://125.44.189.195:44557/i | online | malware_download | 2026-06-11 |
| hxxp://125.44.189.195:44557/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://42.86.169.251:45619/i | online | malware_download | 2026-06-11 |
| hxxp://115.55.51.208:43505/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://115.55.239.188:46570/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://221.14.39.40:52497/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://163.142.77.37:34093/i | online | malware_download | 2026-06-11 |
| hxxp://42.86.169.251:45619/bin.sh | online | malware_download | 2026-06-11 |
```kql
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: 32-bit
// The indicators for this feed are literal IP addresses, so a DNS query name
// will rarely contain them; the resolved answers (IPAddresses) are checked as well.
let malicious_domains = dynamic(["42.53.227.140", "46.163.134.250", "112.93.138.41", "115.59.84.52", "115.55.51.208", "222.141.38.112", "36.88.136.194", "125.44.189.195", "222.139.95.171", "42.86.169.251", "110.39.242.135", "182.119.71.177", "115.55.239.188", "182.120.145.126", "221.14.39.40", "112.93.137.197", "123.5.153.145", "123.11.75.68", "113.238.112.233", "42.224.122.170", "163.142.77.37", "115.55.128.94", "182.113.10.230"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is checked alongside RequestURL and DestinationHostName because
// the indicators are IP:port URLs and proxies often log only the destination IP.
let malicious_domains = dynamic(["42.53.227.140", "46.163.134.250", "112.93.138.41", "115.59.84.52", "115.55.51.208", "222.141.38.112", "36.88.136.194", "125.44.189.195", "222.139.95.171", "42.86.169.251", "110.39.242.135", "182.119.71.177", "115.55.239.188", "182.120.145.126", "221.14.39.40", "112.93.137.197", "123.5.153.145", "123.11.75.68", "113.238.112.233", "42.224.122.170", "163.142.77.37", "115.55.128.94", "182.113.10.230"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
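The `dynamic([...])` host list in the hunting queries has to be regenerated every time the URLhaus table changes, and an analyst triaging proxy or DNS exports outside Sentinel needs the same indicators in refanged form. The following is an added example, not code from the page or from URLhaus: it parses table rows in the page's defanged `hxxp://` format, derives the unique hosts, emits the KQL `let` statement, and matches constructed sample log lines against the indicators. The sample rows and log lines are constructed for the example; the function names are this example's own.

```python
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: four rows in the same defanged table format as the IOC summary above.
SAMPLE_ROWS = """
| hxxp://115.55.128.94:52113/bin.sh | online | malware_download | 2026-06-11 |
| hxxp://46.163.134.250:38751/i | online | malware_download | 2026-06-11 |
| hxxp://112.93.137.140:60470/bin.sh | offline | malware_download | 2026-06-11 |
| hxxp://46.163.134.250:38751/bin.sh | online | malware_download | 2026-06-11 |
"""

# Constructed sample log lines (not real telemetry). Line 3 deliberately carries a
# different host that merely contains an indicator as a substring.
SAMPLE_LOGS = [
    "2026-06-11T10:02:15Z proxy src=10.20.30.40 dst=46.163.134.250 url=http://46.163.134.250:38751/bin.sh action=allowed",
    "2026-06-11T10:03:01Z dns client=10.20.30.41 query=updates.example.internal answer=10.0.0.5",
    "2026-06-11T10:04:44Z proxy src=10.20.30.42 dst=1115.55.128.94 url=http://1115.55.128.94/x action=allowed",
    "2026-06-11T10:05:10Z dns client=10.20.30.43 query=cdn.example.net answer=115.55.128.94",
]


def refang(url: str) -> str:
    """Turn the defanged hxxp:// and [.] notation back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def parse_ioc_rows(text: str) -> List[Dict]:
    """Parse markdown table rows of the form | url | status | threat | date | into IOC records."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].lower().startswith("hxxp"):
            continue  # skip header, separator and blank lines
        url = refang(cells[0])
        parts = urlsplit(url)
        iocs.append({
            "url": url, "host": parts.hostname, "port": parts.port, "path": parts.path,
            "status": cells[1], "threat": cells[2], "date": cells[3],
        })
    return iocs


def unique_hosts(iocs: List[Dict]) -> List[str]:
    """Distinct hosts in first-seen order, so the KQL list is stable across runs."""
    hosts: List[str] = []
    for ioc in iocs:
        if ioc["host"] not in hosts:
            hosts.append(ioc["host"])
    return hosts


def kql_let(name: str, values: List[str]) -> str:
    """Render a KQL `let <name> = dynamic([...]);` statement with properly quoted values."""
    return f"let {name} = dynamic([{', '.join(json.dumps(v) for v in values)}]);"


def match_logs(iocs: List[Dict], lines: List[str]) -> List[Dict]:
    """Report every (line, host) hit; hosts are matched as whole tokens so that
    1115.55.128.94 does not trigger on the indicator 115.55.128.94."""
    hits = []
    for idx, line in enumerate(lines):
        for host in unique_hosts(iocs):
            host_re = r"(?<![\d.])" + re.escape(host) + r"(?![\d.])"
            if not re.search(host_re, line):
                continue
            # Full-URL hits are reported separately; a path must end at a non-path character
            # so that the indicator ".../i" does not match ".../index".
            urls = [i["url"] for i in iocs
                    if i["host"] == host and re.search(re.escape(i["url"]) + r"(?![\w./-])", line)]
            hits.append({"line": idx, "host": host, "urls": urls})
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_rows(SAMPLE_ROWS)
    print(kql_let("malicious_domains", unique_hosts(iocs)))
    for hit in match_logs(iocs, SAMPLE_LOGS):
        print(hit)
```

Paste the printed `let` statement over the one in the queries above whenever the IOC table is refreshed. A host-only hit (as on the constructed DNS line) is weaker evidence than a full-URL hit: the host may be shared hosting, so check the destination port and path in the original event before escalating.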
Scenario: A system administrator is manually testing a 32-bit application update via a local HTTP server for compatibility checks.
Filter/Exclusion: Exclude URLs originating from internal IP ranges (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) or URLs containing internal or localhost in the domain.
Scenario: A scheduled job runs a 32-bit legacy script that fetches data from a known internal API endpoint for reporting purposes.
Filter/Exclusion: Exclude URLs that match internal API endpoints (e.g., url contains "internal-api.example.com") or URLs with a specific HTTP method (e.g., http_method = "GET" for data retrieval).
Scenario: A developer is using a 32-bit tool like Wireshark or GDB to analyze network traffic or debug code, which may generate temporary URLs for internal resources.
Filter/Exclusion: Exclude URLs containing debug, temp, or local in the path, or filter by process name (e.g., process.name = "wireshark" or process.name = "gdb").
Scenario: A system is running a 32-bit version of a legitimate tool like 7-Zip or WinRAR, which may access URLs for downloading updates or plugins from a trusted source.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., url contains "7-zip.org" or "winrar.com") or filter by process name (e.g., process.name = "7z.exe").
Scenario: A security tool like OSSEC or Tripwire is configured to fetch