Adversaries use URLs carrying the URLhaus "32-bit" threat tag to deliver payloads that bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise vectors before they lead to data exfiltration or system control.
IOC Summary

| Threat | Total URLs | Active URLs |
|---|---|---|
| 32-bit | 55 | 48 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.225.200.199:49519/i | online | malware_download | 2026-05-28 |
| hxxp://42.232.91.105:45833/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://42.225.200.199:49519/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://61.52.60.16:37983/i | online | malware_download | 2026-05-28 |
| hxxp://78.166.221.98:40605/i | online | malware_download | 2026-05-28 |
| hxxp://27.207.125.29:41259/i | online | malware_download | 2026-05-28 |
| hxxp://110.36.15.1:49928/i | online | malware_download | 2026-05-28 |
| hxxp://110.37.13.16:50616/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://42.237.62.37:48980/i | online | malware_download | 2026-05-28 |
| hxxp://110.186.231.55:40457/i | online | malware_download | 2026-05-28 |
| hxxp://185.82.111.122:58497/i | online | malware_download | 2026-05-28 |
| hxxp://125.43.22.202:45035/i | online | malware_download | 2026-05-28 |
| hxxp://110.186.231.55:40457/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://125.40.66.3:46505/i | online | malware_download | 2026-05-28 |
| hxxp://185.82.111.122:58497/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://95.9.35.137:49975/i | online | malware_download | 2026-05-28 |
| hxxp://27.207.125.29:41259/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://115.56.176.215:51941/i | online | malware_download | 2026-05-28 |
| hxxp://113.228.155.183:53476/i | online | malware_download | 2026-05-28 |
| hxxp://115.56.176.215:51941/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://42.225.200.238:52999/i | online | malware_download | 2026-05-28 |
| hxxp://95.9.35.137:49975/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://182.187.137.7:56824/bin.sh | offline | malware_download | 2026-05-28 |
| hxxp://148.170.135.198:51859/i | online | malware_download | 2026-05-28 |
| hxxp://113.228.155.183:53476/bin.sh | online | malware_download | 2026-05-28 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The IOC hosts are IP addresses, so the resolved-address column (IPAddresses)
// is checked as well as the queried name; a name-only match would miss them.
let malicious_domains = dynamic(["95.9.35.137", "148.170.135.198", "110.186.231.55", "27.207.125.29", "61.52.60.16", "42.225.200.199", "115.55.238.60", "110.85.99.229", "125.43.22.202", "113.228.155.183", "115.56.176.215", "78.166.221.98", "42.225.200.238", "110.36.15.1", "42.232.91.105", "125.40.66.3", "42.237.62.37", "185.82.111.122", "182.113.254.9", "110.37.13.16"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is checked too: proxies and firewalls often log the raw
// destination address even when no hostname or full URL is recorded.
let malicious_domains = dynamic(["95.9.35.137", "148.170.135.198", "110.186.231.55", "27.207.125.29", "61.52.60.16", "42.225.200.199", "115.55.238.60", "110.85.99.229", "125.43.22.202", "113.228.155.183", "115.56.176.215", "78.166.221.98", "42.225.200.238", "110.36.15.1", "42.232.91.105", "125.40.66.3", "42.237.62.37", "185.82.111.122", "182.113.254.9", "110.37.13.16"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Update
Description: A legitimate scheduled task runs Microsoft Update, which may download a 32-bit URLhaus-listed URL as part of a patch.
Filter/Exclusion: Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com in the url field.
Scenario: Internal Software Repository Access
Description: A user accesses a 32-bit executable from an internal software repository (e.g., Nexus, Artifactory) that is flagged by the rule due to its URL structure.
Filter/Exclusion: Exclude URLs containing internal-repo.example.com or nexus.example.com in the url field.
Scenario: Admin Task for Log Collection via Splunk
Description: An admin task runs a script to collect logs from a Splunk server, which may use a 32-bit URLhaus URL for data ingestion.
Filter/Exclusion: Exclude URLs containing splunk.example.com or splunkforwarder in the url field.
Scenario: Automated Backup Job to Cloud Storage
Description: A backup job uploads files to a cloud storage service (e.g., AWS S3, Azure Blob Storage) using a 32-bit URLhaus URL for temporary storage.
Filter/Exclusion: Exclude URLs containing s3.amazonaws.com, blob.core.windows.net, or storage.example.com in the url field.
Scenario: User-Initiated Download of 32-bit Legacy Software
Description: A user downloads a 32-bit version of a legacy application (e.g., Adobe Reader, Java) from a trusted source, which is mistakenly flagged by the rule.
Filter/Exclusion: Exclude URLs containing adobe.com, java.com, or `
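The following is an added example, not code from the page, URLhaus or Microsoft Sentinel. It shows the two pieces of work the hunting queries and the tuning scenarios above leave to the analyst: turning the defanged IOC table into the `let malicious_domains = dynamic([...])` line the queries start with, and applying the exclusions without weakening the match. The IOC rows reuse hosts from the table above; the log records and the `example.com` allow-list names are constructed for the example. One deliberate design choice goes beyond the scenarios' wording: exclusions are decided on the URL's host rather than on "URLs containing X", so an allow-listed name that merely appears in a path does not suppress a hit.

```python
from urllib.parse import urlsplit

# Constructed sample in the IOC table's own format (defanged hxxp:// URLs,
# pipe-delimited, leading pipe optional). Hosts are taken from the table above.
IOC_ROWS = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://42.225.200.199:49519/i | online | malware_download | 2026-05-28 |
hxxp://42.232.91.105:45833/bin.sh | online | malware_download | 2026-05-28 |
hxxp://42.225.200.199:49519/bin.sh | online | malware_download | 2026-05-28 |
hxxp://110.36.15.1:49928/i | online | malware_download | 2026-05-28 |
hxxp://182.187.137.7:56824/bin.sh | offline | malware_download | 2026-05-28 |
"""

# Allow-listed hosts from the tuning scenarios (the example.com names are hypothetical).
EXCLUDED_HOSTS = ["windowsupdate.microsoft.com", "update.microsoft.com", "nexus.example.com"]

# Constructed CommonSecurityLog-style records, not real telemetry.
SAMPLE_LOG = [
    {"TimeGenerated": "2026-05-28T10:01:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://42.225.200.199:49519/bin.sh", "DestinationHostName": "42.225.200.199"},
    {"TimeGenerated": "2026-05-28T10:02:00Z", "SourceIP": "10.0.0.6",
     "RequestURL": "http://update.microsoft.com/x.cab", "DestinationHostName": "update.microsoft.com"},
    # near-miss: the IOC is 110.36.15.1, this host is 110.36.15.10
    {"TimeGenerated": "2026-05-28T10:03:00Z", "SourceIP": "10.0.0.7",
     "RequestURL": "http://110.36.15.10/i", "DestinationHostName": "110.36.15.10"},
    # IOC listed as offline; historical traffic to it is still worth a look
    {"TimeGenerated": "2026-05-28T10:04:00Z", "SourceIP": "10.0.0.8",
     "RequestURL": "http://182.187.137.7:56824/bin.sh", "DestinationHostName": "182.187.137.7"},
    # IOC host whose path happens to contain an allow-listed name
    {"TimeGenerated": "2026-05-28T10:05:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "http://42.225.200.199:49519/update.microsoft.com/i", "DestinationHostName": "42.225.200.199"},
]


def refang(url):
    """Reverse the usual defanging conventions so urlsplit can parse the URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def host_of(value):
    """Hostname (no port, lower-cased) from a URL or a bare host[:port] string."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def parse_ioc_rows(text):
    """Return (url, status) pairs from pipe-delimited rows; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 4 and cells[0].startswith("hxxp"):
            rows.append((refang(cells[0]), cells[1]))
    return rows


def ioc_hosts(rows, include_offline=True):
    """Unique IOC hosts in first-seen order. Offline URLs are kept by default because
    past traffic to a now-dead dropper still indicates a host that fetched it."""
    hosts = []
    for url, status in rows:
        if not include_offline and status != "online":
            continue
        h = host_of(url)
        if h and h not in hosts:
            hosts.append(h)
    return hosts


def kql_dynamic_list(hosts):
    """Render the `let malicious_domains = dynamic([...]);` line used by the Sentinel queries."""
    return 'let malicious_domains = dynamic([%s]);' % ", ".join('"%s"' % h for h in hosts)


def is_excluded(url, excluded=EXCLUDED_HOSTS):
    """Exclusion is decided on the URL's host (exact or subdomain match), not on a
    substring of the whole URL, so an allow-listed name in a path cannot suppress a hit."""
    h = host_of(url)
    return any(h == e or h.endswith("." + e) for e in excluded)


def hunt(records, hosts, excluded=EXCLUDED_HOSTS):
    """Offline equivalent of the CommonSecurityLog query: flag records whose RequestURL
    host or DestinationHostName is an IOC host, then apply the tuning exclusions."""
    ioc = set(hosts)
    hits = []
    for rec in records:
        cands = {host_of(rec.get("RequestURL", "")), host_of(rec.get("DestinationHostName", ""))}
        if cands & ioc and not is_excluded(rec.get("RequestURL", ""), excluded):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    hosts = ioc_hosts(parse_ioc_rows(IOC_ROWS))
    print(kql_dynamic_list(hosts))
    for r in hunt(SAMPLE_LOG, hosts):
        print(r["TimeGenerated"], r["SourceIP"], r["RequestURL"])
```

Exact host comparison matters here because the IOCs are IP addresses: a substring test would let `110.36.15.1` match `110.36.15.10`, which is the kind of noise that gets a hunt query disabled. Paste the printed `let` line over the one in the queries above when URLhaus updates the list.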