This detection identifies potentially malicious URLs tagged "32-bit" in URLhaus, which could be used to deliver malware or execute malicious payloads. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage adversary activity targeting legacy 32-bit systems.
IOC Summary
Threat: 32-bit. Total URLs: 36. Active URLs: 36.
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// The indicators below are IP literals, so a DNS query name (Name) will rarely
// match them directly; the resolved addresses in IPAddresses are checked as well.
let malicious_domains = dynamic(["110.37.61.34", "123.11.73.96", "175.148.158.226", "115.60.209.65", "42.179.8.152", "27.200.102.72", "42.239.252.55", "210.10.180.153", "105.184.190.66", "110.37.3.239", "61.53.125.53", "123.134.58.161", "123.13.140.59", "42.234.140.72", "115.50.46.18", "110.37.121.43", "39.78.47.223", "117.63.138.35", "117.248.31.185", "110.39.239.253", "39.81.219.237"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Matches either the full request URL or the destination host against the indicator list.
let malicious_domains = dynamic(["110.37.61.34", "123.11.73.96", "175.148.158.226", "115.60.209.65", "42.179.8.152", "27.200.102.72", "42.239.252.55", "210.10.180.153", "105.184.190.66", "110.37.3.239", "61.53.125.53", "123.134.58.161", "123.13.140.59", "42.234.140.72", "115.50.46.18", "110.37.121.43", "39.78.47.223", "117.63.138.35", "117.248.31.185", "110.39.239.253", "39.81.219.237"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes.
  Filter/Exclusion: Exclude matches on the URLhaus-tagged URLs that originate from known safe testing environments or internal validation tools (e.g., curl, wget, or PowerShell scripts used in QA processes).
- Scenario: A scheduled job runs a 32-bit legacy application that requires access to a specific internal URL for configuration updates.
  Filter/Exclusion: Exclude URLs that are part of internal infrastructure (e.g., internal-registry.example.com) or that match known internal service endpoints used by legacy systems.
- Scenario: A user is downloading a 32-bit version of a legitimate software tool (e.g., 7-Zip, Notepad++) from a trusted source, which is mistakenly flagged by the rule.
  Filter/Exclusion: Exclude URLs that are known to host legitimate 32-bit software downloads (e.g., https://downloads.sourceforge.net/project/7zip/7-Zip/19.00/7z1900.exe).
- Scenario: A system is running a 32-bit version of a virtualization tool (e.g., VirtualBox) and is accessing a URL for plugin updates.
  Filter/Exclusion: Exclude URLs that are associated with virtualization tools or their update servers (e.g., https://download.virtualbox.org/virtualbox/).
- Scenario: A security analyst is using a 32-bit sandbox environment to analyze malware, and the sandbox is accessing URLs from URLhaus for testing.
  Filter/Exclusion: Exclude URLs that are part of a sandboxed environment or that match known sandboxing toolchains (e.g., Cuckoo Sandbox, Joe Sandbox, or Binary Ninja).