This detection identifies malicious URLs tagged "32-bit" on URLhaus, which are commonly used in malware distribution campaigns. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversary activity before it leads to broader network compromise.
IOC Summary
Threat: 32-bit
Total URLs: 40
Active URLs: 40
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// The indicators in this list are bare IP addresses, so a match on the queried
// Name alone is unlikely; also check the resolved addresses in IPAddresses.
let malicious_domains = dynamic(["110.36.2.23", "105.224.13.224", "42.231.92.57", "115.51.24.97", "42.230.47.124", "113.221.26.82", "105.225.26.202", "102.132.17.242", "112.238.24.131", "182.112.254.225", "117.217.33.124", "103.206.205.54", "61.53.116.176", "42.177.220.194", "112.248.102.197", "182.113.192.42", "196.189.3.1", "103.249.199.4", "123.11.197.89", "105.184.42.22", "81.215.173.87", "123.12.245.177"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Because the indicators are IP addresses, also match the DestinationIP column
// for devices that log the destination address rather than a hostname.
let malicious_domains = dynamic(["110.36.2.23", "105.224.13.224", "42.231.92.57", "115.51.24.97", "42.230.47.124", "113.221.26.82", "105.225.26.202", "102.132.17.242", "112.238.24.131", "182.112.254.225", "117.217.33.124", "103.206.205.54", "61.53.116.176", "42.177.220.194", "112.248.102.197", "182.113.192.42", "196.189.3.1", "103.249.199.4", "123.11.197.89", "105.184.42.22", "81.215.173.87", "123.12.245.177"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: Scheduled System Update via Microsoft Update
  - Description: A legitimate scheduled task runs Microsoft Update, which may download from Microsoft's update servers.
  - Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the domain field.
- Scenario: Internal CI/CD Pipeline Artifact Download
  - Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads build artifacts from an internal artifact repository.
  - Filter/Exclusion: Exclude URLs containing artifactory.internal or nexus.internal in the domain field, or filter by source IP from the internal network.
- Scenario: Admin Task for Log Collection via Splunk
  - Description: An admin task runs a script to collect logs from a Splunk server, which may involve downloading configuration files or scripts.
  - Filter/Exclusion: Exclude URLs containing splunk.com or splunk.local in the domain field, or filter by user agent matching Splunk's known agents.
- Scenario: User-Initiated File Download from Internal Share
  - Description: A user downloads a file from an internal file share (e.g., via SMB or NFS) that may be flagged due to URL structure.
  - Filter/Exclusion: Exclude URLs containing fileserver.internal or dfs.internal in the domain field, or filter by protocol (e.g., smb:// or nfs://).
- Scenario: Malware Analysis Lab Testing
  - Description: A security team is testing a known malicious URL in a sandboxed environment for analysis.
  - Filter/Exclusion: Exclude URLs that match known sandbox environments (e.g., sandboxed.io, malwareanalysis.com) or filter by source IP from the lab network.
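The following added example (not part of the page's own content) shows, outside Sentinel, the same logic the CommonSecurityLog hunt and the exclusions above express: it parses defanged URLhaus rows into host:port indicators, then matches constructed proxy-style events against them while applying the trusted-domain and lab-network exclusions. The lab CIDR, the sample events and the two table rows are constructed for illustration; the IP addresses in the rows come from the page's IOC list.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Two rows in the page's defanged URLhaus table format (IPs from the page's IOC list).
URLHAUS_ROWS = [
    "hxxp://81.215.173.87:38020/bin.sh | online | malware_download | 2026-04-24",
    "hxxp://105.184.42.22:47025/i | online | malware_download | 2026-04-24",
]
# Exclusions from the false-positive scenarios; the lab CIDR is an assumed value.
TRUSTED_DOMAINS = ("update.microsoft.com", "windowsupdate.com", "artifactory.internal")
LAB_NETWORK = ipaddress.ip_network("10.99.0.0/16")

def refang(url):
    """Undo defanging (hxxp -> http, [.] -> .) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def load_indicators(rows):
    """Return {host: {ports}} from table rows; hosts here are bare IPs, so the port matters."""
    indicators = {}
    for row in rows:
        parts = urlsplit(refang(row.split("|")[0].strip()))
        indicators.setdefault(parts.hostname, set()).add(parts.port or 80)
    return indicators

def is_excluded(event):
    """Apply the documented exclusions: trusted update/artifact domains and lab source IPs."""
    host = (event.get("DestinationHostName") or "").lower()
    if any(d in host for d in TRUSTED_DOMAINS):
        return True
    src = event.get("SourceIP", "0.0.0.0")
    return ipaddress.ip_address(src) in LAB_NETWORK

def hunt(events, indicators):
    """Mirror the CommonSecurityLog query: match the request's host:port against the IOCs."""
    hits = []
    for ev in events:
        if is_excluded(ev):
            continue
        url = ev.get("RequestURL") or ""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host, port = parts.hostname or ev.get("DestinationIP"), parts.port or 80
        if port in indicators.get(host, ()):
            hits.append((ev["SourceIP"], host, port))
    return hits

# Constructed events shaped like CommonSecurityLog rows: a real hit, a lab test, a benign update.
SAMPLE_EVENTS = [
    {"SourceIP": "192.168.5.20", "RequestURL": "http://81.215.173.87:38020/bin.sh"},
    {"SourceIP": "10.99.1.7", "RequestURL": "http://105.184.42.22:47025/i"},
    {"SourceIP": "192.168.5.21", "RequestURL": "http://update.microsoft.com/x", "DestinationHostName": "update.microsoft.com"},
]
```

Only the first event survives: the second is dropped by the lab-network exclusion and the third by the trusted-domain exclusion, which is exactly the triage the scenarios above describe.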