The hypothesis is that the detected URLs are likely malicious 32-bit payloads used by adversaries to deliver malware, leveraging outdated systems to evade modern detection. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of legacy systems and prevent lateral movement.
IOC Summary
Threat: 32-bit. Total URLs: 20. Active URLs: 20.
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Every indicator on this list is an IP literal, so it will show up in the
// resolved-answer column (IPAddresses) rather than only in the queried Name.
let malicious_domains = dynamic(["77.79.160.210", "112.240.255.49", "110.37.115.21", "61.52.1.15", "42.227.205.92", "110.36.15.218", "182.114.250.81", "125.41.3.243", "42.224.65.227", "110.36.26.134", "60.23.155.69", "110.37.67.68", "115.49.66.57", "95.56.232.109"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Because the hosts are IP literals, also match on DestinationIP; proxies and
// firewalls often leave DestinationHostName empty for IP-addressed requests.
let malicious_domains = dynamic(["77.79.160.210", "112.240.255.49", "110.37.115.21", "61.52.1.15", "42.227.205.92", "110.36.15.218", "182.114.250.81", "125.41.3.243", "42.224.65.227", "110.36.26.134", "60.23.155.69", "110.37.67.68", "115.49.66.57", "95.56.232.109"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes. | Exclude URLs that match the urlhaus.org domain or any URL containing the string urlhaus in the domain or path. |
| A scheduled job runs a script to download and install a 32-bit software update from a legitimate internal repository. | Exclude URLs that originate from internal IP ranges or are signed by a known internal certificate authority. |
| A user is accessing a 32-bit version of a legitimate tool (e.g., 7-Zip, WinRAR) via a company-approved URL for decompression tasks. | Exclude URLs that match known internal software distribution servers or are associated with whitelisted tools such as 7-Zip or WinRAR. |
| A security team member is performing a red team exercise and uses a 32-bit malicious URL from URLhaus as part of a controlled simulation. | Exclude URLs that are part of a known red team exercise or are tagged with a specific simulation identifier (e.g., redteam-2024). |
| A backup process is using a 32-bit utility to archive data, and the backup tool generates a temporary URL for internal use. | Exclude URLs that are generated by backup tools (e.g., Veeam, Commvault) or are flagged as internal temporary URLs. |
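As an added example that is not part of this hunt pack, the Python below runs the same hunt over constructed proxy log lines: it refangs the feed entries, keys each one on its exact host, port and path (the KQL queries match on host only, so both match levels are reported), and applies the urlhaus and internal-range exclusions from the table above. The IOC sample reuses two hosts from the page's list; the log lines and source addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of URLhaus-style entries, defanged as "hxxp://host:port/path".
IOC_URLS = [
    "hxxp://110.37.67.68:35513/i",
    "hxxp://110.37.67.68:35513/bin.sh",
    "hxxp://115.49.66.57:37194/bin.sh",
]

# Constructed proxy lines: "<timestamp> <source-ip> <requested-url>".
SAMPLE_LOG = [
    "2026-05-29T10:00:01Z 10.0.0.5 http://110.37.67.68:35513/bin.sh",    # listed URL
    "2026-05-29T10:00:02Z 10.0.0.6 http://110.37.67.68:80/bin.sh",       # listed host, other port
    "2026-05-29T10:00:03Z 10.0.0.7 http://10.1.1.20:8080/bin.sh",        # internal repository
    "2026-05-29T10:00:04Z 10.0.0.8 http://urlhaus.abuse.ch/url/12345/",  # analyst browsing URLhaus
    "2026-05-29T10:00:05Z 10.0.0.9 http://115.49.66.57:37194/i",         # listed host, other path
]

def ioc_keys(urls):
    """Exact (host, port, path) triples from the feed; refang hxxp first, port defaults to 80."""
    keys = set()
    for u in urls:
        p = urlsplit(u.replace("hxxp://", "http://"))
        keys.add((p.hostname, p.port or 80, p.path))
    return keys

def is_excluded(url: str) -> bool:
    """False-positive table: 'urlhaus' in host or path, or a private (internal) destination."""
    p = urlsplit(url)
    host = p.hostname or ""
    try:
        internal = ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        internal = False
    return "urlhaus" in host or "urlhaus" in p.path or internal

def hunt(log_lines, iocs):
    """Non-excluded hits as (ts, src, url, 'exact' | 'host'); 'host' is what the KQL above matches."""
    hosts = {h for h, _, _ in iocs}
    hits = []
    for line in log_lines:
        ts, src, url = line.split()
        if is_excluded(url):
            continue
        p = urlsplit(url)
        if (p.hostname, p.port or 80, p.path) in iocs:
            hits.append((ts, src, url, "exact"))
        elif p.hostname in hosts:
            hits.append((ts, src, url, "host"))
    return hits
```

Host-only hits deserve a look too: these loaders serve several paths from one host:port, so a new path on a listed host is more often a fresh payload than a false positive.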