The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they cause widespread damage.
IOC Summary
Threat: 32-bit | Total URLs: 67 | Active URLs: 64
Hunting Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The indicator list holds IP literals, so the resolved IPAddresses column is
// checked in addition to the queried Name.
let malicious_domains = dynamic(["110.36.0.157", "42.5.88.209", "183.214.149.164", "27.202.24.147", "81.26.83.155", "36.250.202.123", "196.190.133.180", "110.39.230.3", "61.53.95.252", "196.191.104.3", "119.117.97.211", "175.167.102.166", "115.50.4.185", "216.249.4.20", "119.179.214.100", "125.43.46.172", "42.239.224.201", "112.248.101.38", "125.42.119.147", "119.179.253.10", "42.178.183.212", "42.231.73.201"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is checked as well, since proxies often log the IP rather than a host name.
let malicious_domains = dynamic(["110.36.0.157", "42.5.88.209", "183.214.149.164", "27.202.24.147", "81.26.83.155", "36.250.202.123", "196.190.133.180", "110.39.230.3", "61.53.95.252", "196.191.104.3", "119.117.97.211", "175.167.102.166", "115.50.4.185", "216.249.4.20", "119.179.214.100", "125.43.46.172", "42.239.224.201", "112.248.101.38", "125.42.119.147", "119.179.253.10", "42.178.183.212", "42.231.73.201"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a 32-bit application update via a local file share using a URL like `file://localhost/C:/temp/update.exe`.
  Filter/Exclusion: Exclude URLs starting with `file://` or containing `localhost` in the URL path.
- Scenario: A scheduled job runs a PowerShell script that downloads a 32-bit diagnostic tool from an internal repository using a URL like `http://internal-repo/tools/32bit_diag_tool.exe`.
  Filter/Exclusion: Exclude URLs from internal IP ranges or internal domain names (e.g., `internal-repo.example.com`).
- Scenario: A user is accessing a legitimate 32-bit web service (e.g., a legacy internal API) via a URL like `https://api.example.com/v1/legacy-service`.
  Filter/Exclusion: Exclude URLs that match known internal services or include specific API paths (e.g., `/v1/legacy-service`).
- Scenario: A security tool like OSSEC or Tripwire is performing a system integrity check and generates a report via a URL like `http://localhost:8888/report.html`.
  Filter/Exclusion: Exclude URLs that originate from localhost or use non-routable IP addresses (e.g., `127.0.0.1`, `192.168.x.x`).
- Scenario: A backup job is transferring a 32-bit application package from a NAS device using a URL-like path such as `smb://nas-server/backups/app32bit.exe`.
  Filter/Exclusion: Exclude URLs containing the SMB protocol or paths that match known backup directories (e.g., `/backups/`, `/nas-server/`).
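As an added example (not part of the original page or its Sentinel queries), the Python below applies the same two steps offline to logged URLs: match each URL's host against the URLhaus hosts from the hunting queries, then apply the exclusion rules from the benign scenarios above. The internal names, benign paths and sample log URLs are assumed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# IOC hosts are taken from the page's query; internal names and benign paths are assumed placeholders.
IOC_HOSTS = {"112.248.101.38", "119.117.97.211", "61.53.95.252", "42.5.88.209"}
INTERNAL_NAMES = ("internal-repo.example.com", "api.example.com", "nas-server")
BENIGN_PATHS = ("/backups/", "/v1/legacy-service")

def _non_routable(host: str) -> bool:
    """True for localhost, loopback, RFC 1918 and link-local addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def exclusion_reason(url: str):
    """Return the benign-scenario rule a URL matches, or None if it needs review."""
    u = urlsplit(url.replace("hxxp", "http", 1))  # refang defanged hxxp(s):// URLs
    host = u.hostname or ""
    if u.scheme in ("file", "smb"):
        return "local-or-smb-scheme"
    if _non_routable(host):
        return "non-routable-host"
    if any(host == n or host.endswith("." + n) for n in INTERNAL_NAMES):
        return "internal-domain"
    if any(p in u.path for p in BENIGN_PATHS):
        return "known-benign-path"
    return None

def triage(urls):
    """Map each URL to 'ioc' (URLhaus host hit), 'excluded:<rule>' or 'review'."""
    result = {}
    for url in urls:
        host = urlsplit(url.replace("hxxp", "http", 1)).hostname or ""
        if host in IOC_HOSTS:  # an IOC hit is never suppressed by an exclusion rule
            result[url] = "ioc"
        else:
            reason = exclusion_reason(url)
            result[url] = f"excluded:{reason}" if reason else "review"
    return result

# Constructed sample log URLs: one indicator from the page, three benign scenarios, one unknown.
SAMPLE_URLS = [
    "hxxp://112.248.101.38:33181/bin.sh",
    "file://localhost/C:/temp/update.exe",
    "http://internal-repo.example.com/tools/32bit_diag_tool.exe",
    "http://localhost:8888/report.html",
    "http://cdn.example.net/downloads/tool.exe",
]
```

Only URLs classified as `review` or `ioc` need an analyst's attention; an `ioc` hit should be escalated even if its path or port would otherwise look benign.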