The detection identifies URLs tagged "32-bit" in URLhaus that could be used to deliver malware or execute malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversary activity before it leads to broader compromise.
IOC Summary
Threat: 32-bit. Total URLs: 41. Active URLs: 41.
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The indicators are bare IP addresses, so they are unlikely to appear in the
// queried name; match the resolved addresses (IPAddresses) as well.
let malicious_domains = dynamic(["202.107.96.28", "123.132.166.240", "182.113.206.245", "219.139.62.122", "110.39.233.226", "182.122.238.19", "61.52.195.207", "27.215.121.47", "123.11.13.197", "118.175.205.141", "60.22.103.101", "82.114.178.6", "196.190.105.170", "115.58.157.8", "112.249.216.4", "182.126.249.84", "221.13.251.233", "83.219.1.198", "222.138.116.23", "123.12.234.56", "182.119.33.86", "219.154.172.53"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// Match the request URL, the destination host name and the destination IP,
// since proxy/firewall records for a bare-IP URL may populate only one of them.
let malicious_domains = dynamic(["202.107.96.28", "123.132.166.240", "182.113.206.245", "219.139.62.122", "110.39.233.226", "182.122.238.19", "61.52.195.207", "27.215.121.47", "123.11.13.197", "118.175.205.141", "60.22.103.101", "82.114.178.6", "196.190.105.170", "115.58.157.8", "112.249.216.4", "182.126.249.84", "221.13.251.233", "83.219.1.198", "222.138.116.23", "123.12.234.56", "182.119.33.86", "219.154.172.53"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
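An added example, not part of the original page or of any URLhaus tooling, that turns pipe-separated URL/status/threat/date IOC rows into the `let ... = dynamic([...])` line the queries above start with, and checks a proxy record against host and port rather than host alone. The IOC rows and the log record are constructed with RFC 5737 documentation addresses; the record's field names mirror CommonSecurityLog.

```python
# Turn URLhaus-style defanged IOC rows into a Sentinel hunting list and check log records offline.
import re
from urllib.parse import urlsplit

# Constructed sample rows in the table shape the feed page uses; RFC 5737
# documentation addresses, not real indicators.
SAMPLE_IOCS = [
    "hxxp://192.0.2.10:57690/i | online | malware_download | 2026-06-09",
    "hxxp://192.0.2.10:57690/bin.sh | online | malware_download | 2026-06-09",
    "hxxp://198.51.100.7:46485/bin.sh | online | malware_download | 2026-06-09",
    "hxxp://203.0.113.5:38405/i | offline | malware_download | 2026-06-09",
]
# Constructed proxy record with CommonSecurityLog-style field names.
SAMPLE_LOG = {"SourceIP": "10.0.0.5", "DestinationIP": "192.0.2.10",
              "DestinationPort": 57690, "RequestURL": "http://192.0.2.10:57690/bin.sh"}

def refang(url):
    """Undo common defanging (hxxp, [.], [:]) so urlsplit() can parse the URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(rows, active_only=True):
    """Return (host, port, path) tuples, dropping offline entries by default."""
    iocs = []
    for row in rows:
        url, status = [c.strip() for c in row.split("|")][:2]
        if active_only and status != "online":
            continue
        parts = urlsplit(refang(url))
        iocs.append((parts.hostname, parts.port, parts.path))
    return iocs

def hosts(iocs):
    """Unique hosts in first-seen order: the body of the KQL dynamic([...])."""
    return list(dict.fromkeys(host for host, _, _ in iocs))

def kql_let(name, values):
    """Render the 'let' line that sits above the DnsEvents/CommonSecurityLog hunt."""
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in values))

def match_record(record, iocs):
    """IOC URLs a record hits; the port must match too, unlike a bare host
    has_any(), so another service on a shared IP is not flagged."""
    url, hits = record.get("RequestURL", ""), set()
    for host, port, path in iocs:
        full = f"http://{host}:{port}{path}"
        if url == full or (record.get("DestinationIP"), record.get("DestinationPort")) == (host, port):
            hits.add(full)
    return sorted(hits)

print(kql_let("malicious_domains", hosts(parse_iocs(SAMPLE_IOCS))))
```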
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus.
  - Filter/Exclusion: Exclude URLs that match known internal testing environments or URLs tagged as "safe" in the URLhaus database.
- Scenario: A scheduled job runs a 32-bit script for legacy system maintenance, which includes a legitimate URL to a public CDN for resource loading.
  - Filter/Exclusion: Exclude URLs that originate from trusted CDNs (e.g., cdn.example.com) or are part of scheduled maintenance scripts.
- Scenario: An IT admin is performing a system cleanup and uses a 32-bit tool that downloads a legitimate update from a known URL listed in URLhaus.
  - Filter/Exclusion: Exclude URLs associated with known internal update servers or tools like Sysinternals or Process Monitor.
- Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) and the tool fetches a legitimate plugin from a public repository.
  - Filter/Exclusion: Exclude URLs that are part of CI/CD tool repositories (e.g., plugins.jenkins.io) or are tagged as "safe" in the URLhaus database.
- Scenario: A user is accessing a 32-bit version of a cloud management tool (e.g., AWS CLI) which connects to AWS services using a URL that appears in URLhaus.
  - Filter/Exclusion: Exclude URLs that are part of known cloud service endpoints (e.g., s3.amazonaws.com) or are associated with legitimate cloud tooling.