The indicators below are URLs sourced from URLhaus that carry its "32-bit" tag. The tag describes the payload architecture (32-bit binaries), not a property of the URL itself: every entry is a bare IP address on a high, non-standard port serving /bin.sh or /i, a layout consistent with the loader stage of Linux/IoT botnet campaigns. Adversaries use such URLs to deliver malware or to fetch the next stage of a compromise from an already-footholded host. SOC teams should hunt for them in Azure Sentinel (now Microsoft Sentinel) to surface early-stage infections that network controls did not block. Because the hosts are IP literals, the hunt must key on destination IP and full URL rather than on DNS names.
IOC Summary
Threat tag: 32-bit
Total URLs: 35
Active URLs: 32 (online/offline status as recorded by URLhaus on the date added)
The table lists 25 of the 35 URLs.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://60.18.97.63:43700/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://125.24.12.130:49384/i | online | malware_download | 2026-05-27 |
| hxxp://123.4.135.84:55039/i | online | malware_download | 2026-05-27 |
| hxxp://27.202.243.200:32801/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://123.4.135.84:55039/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://222.137.97.125:34845/i | online | malware_download | 2026-05-27 |
| hxxp://125.24.12.130:49384/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://115.50.38.230:47211/i | online | malware_download | 2026-05-27 |
| hxxp://222.137.97.125:34845/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://115.50.38.230:47211/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://219.155.202.183:54442/i | online | malware_download | 2026-05-27 |
| hxxp://219.155.202.183:54442/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://122.138.235.31:54273/i | online | malware_download | 2026-05-27 |
| hxxp://117.24.142.240:35878/i | online | malware_download | 2026-05-27 |
| hxxp://66.212.185.81:35901/i | online | malware_download | 2026-05-27 |
| hxxp://221.14.39.44:43991/bin.sh | offline | malware_download | 2026-05-27 |
| hxxp://27.202.243.200:32801/i | online | malware_download | 2026-05-27 |
| hxxp://122.138.235.31:54273/bin.sh | offline | malware_download | 2026-05-27 |
| hxxp://125.41.220.67:46910/i | online | malware_download | 2026-05-27 |
| hxxp://66.212.185.81:35901/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://115.55.171.213:55190/i | online | malware_download | 2026-05-27 |
| hxxp://125.41.220.67:46910/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://42.54.127.205:55911/i | online | malware_download | 2026-05-27 |
| hxxp://115.55.171.213:55190/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://119.118.236.154:36282/bin.sh | online | malware_download | 2026-05-27 |
// Hunt for DNS activity involving the URLhaus indicators
// Threat tag: 32-bit (URLhaus)
// Caveat: every indicator is an IP literal, so a client fetching hxxp://<ip>:<port>/bin.sh
// performs no DNS lookup for that host and the Name match alone will rarely fire. The
// IPAddresses match catches any other name in your environment that resolves to one of
// these addresses. Treat the CommonSecurityLog hunt below as the primary query.
let malicious_ips = dynamic(["110.39.239.253", "60.18.97.63", "122.138.235.31", "125.45.9.91", "119.118.236.154", "110.37.50.192", "42.54.127.205", "219.155.202.183", "222.138.137.32", "125.24.12.130", "85.12.229.54", "115.50.38.230", "222.137.97.125", "125.41.220.67", "115.55.171.213", "123.4.135.84", "117.24.142.240", "27.202.243.200", "115.58.166.13", "66.212.185.81", "60.18.199.186"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for web and firewall traffic to the URLhaus indicators
// DestinationIP uses an exact set membership test; the has_any matches on RequestURL and
// DestinationHostName are term-based, so "60.18.97.63" does not match "160.18.97.63".
let malicious_ips = dynamic(["110.39.239.253", "60.18.97.63", "122.138.235.31", "125.45.9.91", "119.118.236.154", "110.37.50.192", "42.54.127.205", "219.155.202.183", "222.138.137.32", "125.24.12.130", "85.12.229.54", "115.50.38.230", "222.137.97.125", "125.41.220.67", "115.55.171.213", "123.4.135.84", "117.24.142.240", "27.202.243.200", "115.58.166.13", "66.212.185.81", "60.18.199.186"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF/Syslog connectors (firewalls, web proxies). Ensure the connector is enabled and that DestinationIP, DestinationPort and RequestURL are populated by your device; this is the primary table for this hunt. |
| DnsEvents | Populated by the Windows DNS connector. Ensure it is enabled, but expect few hits: direct-to-IP downloads generate no DNS lookup for these hosts. If your DNS logs land in a different table, adjust the table name in the query. |
Domain-based exclusions (Microsoft Update, vendor download hosts, internal portals) have no effect on this hunt: every indicator is an IP literal, so no legitimate vendor domain can match it. There is also no such thing as a "32-bit URL"; the tag refers to the payload architecture. The exclusions that do matter are the following.
Scenario: Security tooling that deliberately retrieves the indicators (sandbox detonation, URL scanners, threat-intelligence enrichment platforms)
Filter/Exclusion: Exclude the SourceIP (CommonSecurityLog) or Computer (DnsEvents) values of those hosts
Rationale: These systems fetch the payload on purpose; the hit is expected and is not evidence of compromise.
Scenario: Indicator staleness after the hosting address is reassigned
Filter/Exclusion: Restrict the hunt to a window around the Date Added column and re-check the URL status on URLhaus before escalating an older hit
Rationale: The indicators are bare IP addresses on high ports, typical of dynamically assigned hosts. Once the campaign ends, the same address can be reassigned to an unrelated system, so a match weeks later may be ordinary traffic.
Scenario: Address-only match without the listed port or path
Filter/Exclusion: Treat a DestinationIP hit whose DestinationPort differs from the listed port, or whose RequestURL does not end in /bin.sh or /i, as lower confidence; confirm with the full URL before escalating
Rationale: The hunt matches on the address so that it also catches non-HTTP traffic and redirects, but only the exact IP:port/path combination listed above is the URLhaus indicator. A single allowed request for /bin.sh from a Linux or IoT host is high confidence and should be triaged immediately.
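The matching and confidence rules described above, run offline over a handful of log lines, as an added example that is not part of the original page or of URLhaus. It refangs the hxxp:// indicators from the table, compares the destination IP exactly (not as a substring), uses the listed port and path to grade each hit, and emits the dynamic([...]) literal the Sentinel query expects. The field names (src, dst, dpt, request, act) and every log line are constructed for illustration; the DEFANGED_IOCS list is a subset of the table.

```python
"""Offline check of URLhaus '32-bit' indicators against sample firewall/proxy logs.

Added example, not part of the original page or of URLhaus. It mirrors the
CommonSecurityLog hunt: every indicator is an IP literal, so matching is done
on the destination IP, and the listed port and path grade the hit.
Field names (src, dst, dpt, request, act) and all log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Defanged URLs copied from the IOC table (a subset is enough to show the logic).
DEFANGED_IOCS = [
    "hxxp://60.18.97.63:43700/bin.sh",
    "hxxp://125.24.12.130:49384/i",
    "hxxp://122.138.235.31:54273/bin.sh",
]


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    path: str

    def url(self) -> str:
        return f"{self.ip}:{self.port}{self.path}"


def refang(url: str) -> str:
    """Undo URLhaus defanging (hxxp://, hxxps://, [.]) so urlsplit can parse it."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def parse_indicator(defanged: str) -> Indicator:
    parts = urlsplit(refang(defanged))
    return Indicator(parts.hostname, parts.port or 80, parts.path)


def kql_ip_list(indicators: List[Indicator]) -> str:
    """Emit the de-duplicated dynamic([...]) literal used in the Sentinel query."""
    ips = sorted({i.ip for i in indicators})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


# Constructed CEF-style lines: an ISO timestamp followed by key=value pairs.
SAMPLE_LOGS = [
    "2026-05-27T10:02:11Z src=10.1.4.22 dst=60.18.97.63 dpt=43700 request=http://60.18.97.63:43700/bin.sh act=allowed",
    "2026-05-27T10:02:14Z src=10.1.4.22 dst=60.18.97.63 dpt=22 request=- act=blocked",
    "2026-05-27T10:05:40Z src=10.1.9.7 dst=125.24.12.130 dpt=49384 request=http://125.24.12.130:49384/i act=allowed",
    # A different address that merely contains an indicator as a substring: must NOT match.
    "2026-05-27T10:06:01Z src=10.1.9.8 dst=160.18.97.63 dpt=43700 request=http://160.18.97.63:43700/bin.sh act=allowed",
    # Ordinary vendor traffic: never matches, because no indicator is a domain name.
    "2026-05-27T10:07:30Z src=10.1.2.2 dst=13.107.4.50 dpt=80 request=http://download.windowsupdate.com/x.cab act=allowed",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(line: str) -> Dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def grade(fields: Dict[str, str], indicators: List[Indicator]) -> Optional[Tuple[str, Indicator]]:
    """Exact IP comparison first, then port + path decide the confidence.

    'exact'   : destination IP, port and URL path all match a listed URL.
    'ip-only' : destination IP matches but port/path differ; could be another
                stage of the same loader, a scanner, or an address reassigned
                since it was listed. Confirm with the full URL before escalating.
    """
    candidates = [i for i in indicators if i.ip == fields.get("dst")]
    if not candidates:
        return None
    port = int(fields.get("dpt", "0"))
    req = fields.get("request", "-")
    path = urlsplit(req).path if req.startswith("http") else ""
    for ind in candidates:
        if ind.port == port and ind.path == path:
            return ("exact", ind)
    return ("ip-only", candidates[0])


def hunt(lines: List[str], defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source IP, confidence, matched indicator) per hit, in log order."""
    indicators = [parse_indicator(u) for u in defanged]
    hits = []
    for line in lines:
        fields = parse_log(line)
        result = grade(fields, indicators)
        if result:
            confidence, ind = result
            hits.append((fields["ts"], fields["src"], confidence, ind.url()))
    return hits


if __name__ == "__main__":
    print(kql_ip_list([parse_indicator(u) for u in DEFANGED_IOCS]))
    for hit in hunt(SAMPLE_LOGS):
        print(*hit)
```

Running the block yields three hits: two exact (the /bin.sh and /i fetches on the listed ports) and one ip-only (SSH to a listed address, which is worth a look but is not the URLhaus indicator). The 160.18.97.63 and Windows Update lines produce nothing, which is the behaviour the exclusion notes above call for.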