The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware distribution channels before they cause widespread compromise.
IOC Summary
Threat: 32-bit. Total URLs: 21. Active URLs: 21.
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Note: the indicators for this threat are raw IP addresses rather than hostnames, so a
// match on Name only fires if a host queries an IP literal. Matching the resolved
// addresses in IPAddresses also catches any domain that resolves to one of these hosts.
let malicious_domains = dynamic(["42.54.12.132", "42.235.92.76", "36.92.154.218", "42.237.48.56", "115.61.116.234", "115.57.184.122", "123.8.7.51", "216.249.4.20", "112.240.175.123", "27.37.112.2", "125.41.142.253", "113.236.87.176", "182.113.45.223", "115.50.202.74", "118.253.80.60"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Note: the listed URLs use non-standard ports (e.g. :43444) and short paths (/i, /bin.sh);
// matching on the IP alone deliberately ignores the port so a rotated port still hits.
let malicious_domains = dynamic(["42.54.12.132", "42.235.92.76", "36.92.154.218", "42.237.48.56", "115.61.116.234", "115.57.184.122", "123.8.7.51", "216.249.4.20", "112.240.175.123", "27.37.112.2", "125.41.142.253", "113.236.87.176", "182.113.45.223", "115.50.202.74", "118.253.80.60"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Legitimate system update via Microsoft Update | Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com | Microsoft Update often uses URLs that match the 32-bit malicious URL pattern but are entirely legitimate. |
| Scheduled backup job using Veeam Backup & Replication | Exclude URLs containing veeam.com or backup.veeam.com | Veeam’s backup processes may generate traffic to URLs that resemble malicious patterns but are part of normal operations. |
| Admin task using PowerShell for system configuration | Exclude URLs containing powershell.org or powershell.com | PowerShell scripts and documentation may be accessed from URLs that match the 32-bit malicious URL signature. |
| Internal tool deployment via Jenkins CI/CD pipeline | Exclude URLs containing jenkins-ci.org or ci.jenkins.io | Jenkins and other CI/CD platforms may use URLs that match the malicious URL pattern during artifact downloads or configuration pulls. |
| User accessing internal documentation via Confluence | Exclude URLs containing confluence.atlassian.com or internal-docs.example.com | Internal documentation sites may use URLs that match the 32-bit malicious URL signature but are part of normal user activity. |