The detection identifies potential 32-bit malware distribution via malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could evade traditional detection methods.
IOC Summary
Threat: 32-bit
Total URLs: 49
Active URLs: 45
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.60.251.227:33304/i | online | malware_download | 2026-05-23 |
| hxxp://115.51.106.218:54137/i | online | malware_download | 2026-05-23 |
| hxxp://42.239.255.9:53385/i | online | malware_download | 2026-05-23 |
| hxxp://115.60.251.227:33304/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://60.19.145.126:35723/i | online | malware_download | 2026-05-23 |
| hxxp://60.19.145.126:35723/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://115.51.106.218:54137/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://110.36.18.169:60179/i | online | malware_download | 2026-05-23 |
| hxxp://115.55.246.37:36676/i | online | malware_download | 2026-05-23 |
| hxxp://27.153.144.16:50794/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://110.36.12.61:47812/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://125.47.250.22:38670/i | online | malware_download | 2026-05-23 |
| hxxp://110.36.18.169:60179/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://119.187.177.2:39933/i | online | malware_download | 2026-05-23 |
| hxxp://182.113.207.29:38926/i | online | malware_download | 2026-05-23 |
| hxxp://119.187.177.2:39933/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://175.150.76.222:48442/i | online | malware_download | 2026-05-23 |
| hxxp://112.248.191.212:50906/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://115.55.246.37:36676/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://175.150.76.222:48442/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://123.12.156.24:41276/i | online | malware_download | 2026-05-23 |
| hxxp://110.36.13.229:60616/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://110.37.119.220:57287/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://182.113.207.29:38926/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://42.227.203.209:49145/i | online | malware_download | 2026-05-22 |
Hunting Queries

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Note: every IOC in this list is a bare IP address, so a hit is more likely to
// appear in the resolved-answer column (IPAddresses) than in the queried Name;
// both columns are checked.
let malicious_domains = dynamic(["115.51.106.218", "123.12.156.24", "42.239.255.9", "60.19.145.126", "112.248.191.212", "42.230.47.18", "175.150.76.222", "110.36.12.61", "115.55.246.37", "119.187.177.2", "110.36.18.169", "42.227.203.209", "125.47.250.22", "182.113.207.29", "182.117.54.55", "27.153.144.16", "115.60.251.227", "175.149.83.3", "110.36.13.229", "61.53.138.169", "110.37.119.220"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Note: direct-to-IP downloads carry no hostname, so DestinationIP is checked
// alongside RequestURL and DestinationHostName.
let malicious_domains = dynamic(["115.51.106.218", "123.12.156.24", "42.239.255.9", "60.19.145.126", "112.248.191.212", "42.230.47.18", "175.150.76.222", "110.36.12.61", "115.55.246.37", "119.187.177.2", "110.36.18.169", "42.227.203.209", "125.47.250.22", "182.113.207.29", "182.117.54.55", "27.153.144.16", "115.60.251.227", "175.149.83.3", "110.36.13.229", "61.53.138.169", "110.37.119.220"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
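The `let malicious_domains = dynamic([...])` list in the queries above is derived from the IOC table by hand. The following Python script is an added example, not part of this page or of URLhaus: it parses a constructed subset of the defanged IOC rows, extracts the unique hosts, renders the same KQL `let` statement, and runs the equivalent of the CommonSecurityLog match over a few constructed log records. The record field names (`RequestURL`, `DestinationHostName`, `DestinationIP`, `SourceIP`, `DeviceAction`) follow the CommonSecurityLog columns used in the query; the 203.0.113.10 row and all sample records are constructed test data.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the page's IOC rows, in the defanged form URLhaus publishes.
# The 203.0.113.10 row is a made-up "offline" entry to exercise the status filter.
IOC_ROWS = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.60.251.227:33304/i | online | malware_download | 2026-05-23 |
| hxxp://115.60.251.227:33304/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://60.19.145.126:35723/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://203.0.113.10:8080/i | offline | malware_download | 2026-05-22 |
"""


def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.]) so urlsplit can parse the URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")


def parse_iocs(table_text: str) -> list:
    """Parse pipe-delimited IOC rows into dicts with the URL split into host/port/path."""
    iocs = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue  # header, separator, or blank line
        url = refang(cells[0])
        parts = urlsplit(url)
        iocs.append({"url": url, "host": parts.hostname, "port": parts.port,
                     "path": parts.path, "status": cells[1],
                     "threat": cells[2], "date": cells[3]})
    return iocs


def unique_hosts(iocs: list, active_only: bool = True) -> list:
    """Deduplicated host list in first-seen order, optionally limited to rows still 'online'."""
    hosts = []
    for ioc in iocs:
        if active_only and ioc["status"] != "online":
            continue
        if ioc["host"] not in hosts:
            hosts.append(ioc["host"])
    return hosts


def kql_let(name: str, values: list) -> str:
    """Render a KQL `let` with a dynamic string array, in the same shape as the page's queries."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def match_record(record: dict, hosts: list) -> Optional[str]:
    """Offline counterpart of the CommonSecurityLog query: return the IOC host a record
    hits, or None. Hostnames are compared exactly after parsing, which avoids substring
    hits such as '10.0.0.1' inside '110.0.0.12' that a raw text match could produce."""
    candidates = []
    url = record.get("RequestURL")
    if url:
        candidates.append(urlsplit(url).hostname)
    candidates.append(record.get("DestinationHostName"))
    candidates.append(record.get("DestinationIP"))
    for candidate in candidates:
        if candidate and candidate in hosts:
            return candidate
    return None


# Constructed CommonSecurityLog-style records (not real telemetry).
SAMPLE_RECORDS = [
    {"SourceIP": "10.10.4.21", "RequestURL": "http://115.60.251.227:33304/bin.sh",
     "DestinationHostName": "", "DestinationIP": "115.60.251.227", "DeviceAction": "allow"},
    {"SourceIP": "10.10.4.22", "RequestURL": "http://updates.example.internal/agent.msi",
     "DestinationHostName": "updates.example.internal", "DestinationIP": "10.0.5.5",
     "DeviceAction": "allow"},
    {"SourceIP": "10.10.4.23", "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "60.19.145.126", "DeviceAction": "deny"},
]


def hunt(records: list, hosts: list) -> list:
    """Return (SourceIP, matched IOC host, DeviceAction) for every record that hits."""
    hits = []
    for record in records:
        host = match_record(record, hosts)
        if host:
            hits.append((record["SourceIP"], host, record["DeviceAction"]))
    return hits


if __name__ == "__main__":
    hosts = unique_hosts(parse_iocs(IOC_ROWS))
    print(kql_let("malicious_domains", hosts))
    for hit in hunt(SAMPLE_RECORDS, hosts):
        print("HIT", hit)
```

Keeping the port and path in the parsed rows lets you tighten the hunt later (for example, matching `RequestURL` on the full `/bin.sh` URL rather than the host alone) without re-parsing the feed; the `active_only` switch mirrors the page's distinction between total and active URLs.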
False Positive Scenarios

Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus tag and are associated with known safe testing environments or internal staging servers.

Scenario: A scheduled job runs a script to download and verify 32-bit software updates from a trusted source, which coincidentally matches a URL in the URLhaus database.
Filter/Exclusion: Exclude URLs that are part of a known update or patching process, such as those from Microsoft, Adobe, or VMware update servers.

Scenario: An IT admin is performing a system cleanup and uses a legitimate 32-bit tool (e.g., 7-Zip, WinRAR, or Notepad++) that is flagged due to a false positive in the URLhaus database.
Filter/Exclusion: Exclude URLs that are associated with legitimate software download domains or internal software repositories.

Scenario: A user is accessing a 32-bit version of a legitimate enterprise tool (e.g., SQL Server, Exchange, or SharePoint) via a URL that is mistakenly listed in URLhaus.
Filter/Exclusion: Exclude URLs that are part of enterprise software deployment pipelines or internal software distribution platforms.

Scenario: A security tool or SIEM system is configured to fetch and analyze 32-bit malware samples from a trusted source, and the URL is flagged by the rule.
Filter/Exclusion: Exclude URLs that are part of a known security tooling or threat intelligence integration, such as those used by CrowdStrike, Microsoft Defender, or SentinelOne.