This detection covers URLs carrying the "32-bit" threat tag in URLhaus, which are used to deliver malware or stage further payloads. SOC teams should proactively hunt for these indicators in Azure Sentinel so that early-stage adversary activity (initial download or beaconing) is identified and contained before it leads to broader compromise.
IOC Summary
Threat: 32-bit
Total URLs: 17
Active URLs: 17
Hunting Queries

```kusto
// Hunt for DNS activity tied to the URLhaus indicators
// Threat: 32-bit
// Note: every indicator is an IP literal, so a client fetching one performs no
// DNS lookup for it. Matching the resolved answers (IPAddresses) is the only
// DNS-side check that can hit; the Name match is kept for completeness.
let malicious_domains = dynamic(["182.124.166.190", "27.193.203.41", "36.70.142.109", "196.190.105.170", "60.160.171.138", "119.165.185.153", "119.185.240.250", "42.224.168.94", "182.114.51.176", "42.233.150.135", "59.92.150.57", "113.224.244.88", "175.174.94.176", "196.190.224.62"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus indicators
// Threat: 32-bit
// The original URLs use non-standard ports; DestinationPort is projected so
// analysts can compare hits against the port listed for each indicator.
let malicious_domains = dynamic(["182.124.166.190", "27.193.203.41", "36.70.142.109", "196.190.105.170", "60.160.171.138", "119.165.185.153", "119.185.240.250", "42.224.168.94", "182.114.51.176", "42.233.150.135", "59.92.150.57", "113.224.244.88", "175.174.94.176", "196.190.224.62"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: A system administrator is manually testing a 32-bit application update from a known internal repository.
Filter/Exclusion: Exclude URLs that match internal artifact repositories (e.g., artifactory.example.com, nexus.example.com).

Scenario: A scheduled job runs a PowerShell script to download and install a 32-bit legacy tool required for compatibility with older systems.
Filter/Exclusion: Exclude URLs containing powershell.exe or matching known internal script repositories (e.g., scripts.example.com).

Scenario: A user is accessing a legitimate 32-bit web service used for internal reporting, such as a BI tool hosted on a secure internal server.
Filter/Exclusion: Exclude URLs that match internal web services (e.g., bi.example.com, reporting.example.com).

Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) for testing purposes, and the tool is downloading dependencies from a trusted internal URL.
Filter/Exclusion: Exclude URLs that match internal CI/CD artifact URLs (e.g., ci-artifacts.example.com, jenkins.example.com).

Scenario: A system is running a scheduled backup task that connects to a 32-bit backup server using a known internal URL.
Filter/Exclusion: Exclude URLs that match internal backup servers (e.g., backup.example.com, backup-srv.example.com).
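The same hunt as an offline Python check, added here as an example and not part of the original page: it refangs URLhaus-style `hxxp://` indicators, keys on host:port (tighter than the IP-only match the KQL can do) and applies the internal-host exclusions from the scenarios above. The indicator subset, the allowlist hosts and the log records are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of this page's indicators, defanged as URLhaus publishes them.
IOC_URLS = [
    "hxxp://196.190.105.170:49330/i",
    "hxxp://196.190.105.170:49330/bin.sh",
    "hxxp://36.70.142.109:32795/i",
]
# Hypothetical internal hosts to exclude, taken from the false-positive scenarios.
INTERNAL_ALLOWLIST = {"artifactory.example.com", "nexus.example.com"}

# Constructed records shaped like CommonSecurityLog rows (one per line).
SAMPLE_RECORDS = [
    {"RequestURL": "http://196.190.105.170:49330/bin.sh", "DestinationIP": "196.190.105.170", "DestinationPort": 49330, "DestinationHostName": ""},
    {"RequestURL": "", "DestinationIP": "36.70.142.109", "DestinationPort": 32795, "DestinationHostName": ""},
    {"RequestURL": "http://196.190.105.170:8080/other", "DestinationIP": "196.190.105.170", "DestinationPort": 8080, "DestinationHostName": ""},
    {"RequestURL": "http://artifactory.example.com/repo/tool.exe", "DestinationIP": "10.0.0.5", "DestinationPort": 80, "DestinationHostName": "artifactory.example.com"},
]

def refang(url):
    """Restore the http/https scheme that URLhaus defangs to hxxp/hxxps."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def ioc_endpoints(urls):
    """Set of (host, port) pairs the indicators point at; the third sample record
    (same IP, different port) shows why port-aware matching cuts noise."""
    eps = set()
    for u in urls:
        p = urlsplit(refang(u))
        eps.add((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
    return eps

def hunt(records, urls, allowlist=INTERNAL_ALLOWLIST):
    """Return records whose RequestURL or DestinationIP:DestinationPort matches an
    indicator, skipping destinations on the internal allowlist."""
    targets = ioc_endpoints(urls)
    hits = []
    for r in records:
        if (r.get("DestinationHostName") or "") in allowlist:
            continue  # scenario exclusion: trusted internal repository
        url = r.get("RequestURL") or ""
        p = urlsplit(url) if url else None
        url_ep = (p.hostname, p.port or 80) if p and p.hostname else None
        ip_ep = (r.get("DestinationIP"), r.get("DestinationPort"))
        if url_ep in targets or ip_ep in targets:
            hits.append(r)
    return hits

def run_sample():
    """Run the hunt over the constructed records; two of the four should hit."""
    return hunt(SAMPLE_RECORDS, IOC_URLS)
```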