The hypothesis is that the detected URLs are likely 32-bit malicious payloads used by adversaries to deliver malware, leveraging outdated systems to evade modern detection. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of legacy systems that may lack modern security protections.
IOC Summary
Threat: 32-bit | Total URLs: 4 | Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.126.126.34:54297/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://138.204.196.254:56825/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://123.5.144.157:57821/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://115.58.135.72:43125/i | online | malware_download | 2026-06-04 |
```kql
// Hunt for DNS activity involving the URLhaus indicators
// Threat: 32-bit
// The indicators for this threat are raw IP addresses, so a lookup will
// rarely carry them in the queried Name; the resolved IPAddresses column
// is checked as well so that any hostname resolving to them is also caught.
let malicious_domains = dynamic(["123.5.144.157", "138.204.196.254", "115.58.135.72", "182.126.126.34"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus indicators
// Threat: 32-bit
let malicious_domains = dynamic(["123.5.144.157", "138.204.196.254", "115.58.135.72", "182.126.126.34"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application update via a legitimate internal URL.
  Filter/Exclusion: Exclude URLs containing the string internal.update or dev-internal in the domain.
- Scenario: A scheduled job runs a 32-bit compatibility check using a known internal tool like CompatCheck.exe via a URL hosted on the company’s internal server.
  Filter/Exclusion: Exclude URLs that match the internal server IP or domain internal.tools.corp.
- Scenario: A user downloads a 32-bit version of a legitimate software tool (e.g., 7-Zip) from a company-approved repository, which includes a URL flagged by URLhaus.
  Filter/Exclusion: Exclude URLs containing the hash of the legitimate software or the domain software.repo.corp.
- Scenario: A security team member is performing a red team exercise and uses a 32-bit payload from a controlled environment, which is hosted on a test server.
  Filter/Exclusion: Exclude URLs that include the substring testenv or originate from the IP range 192.168.10.0/24.
- Scenario: A system is running a 32-bit version of a legitimate enterprise application (e.g., Microsoft Office 32-bit) and the application’s update mechanism uses a URL that is mistakenly flagged.
  Filter/Exclusion: Exclude URLs that match the application name and version, such as office32.update.microsoft.com.
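The following query is an added example, not part of the original hunt: it tightens the CommonSecurityLog hunt to the exact host and port pairs from the IOC table (rather than any traffic to those IPs) and applies the false-positive exclusions listed in the scenarios above. It assumes the standard CommonSecurityLog column names; the exclusion strings are the ones the scenarios name and should be adjusted to the environment.

```kql
// Added example: host:port-precise hunt with the scenario exclusions applied.
// Indicators are taken from the IOC table above (hxxp defanging removed).
let malicious_ips = dynamic(["182.126.126.34", "138.204.196.254", "123.5.144.157", "115.58.135.72"]);
let malicious_endpoints = dynamic([
    "182.126.126.34:54297",
    "138.204.196.254:56825",
    "123.5.144.157:57821",
    "115.58.135.72:43125"
]);
// Substrings and hosts the false-positive scenarios treat as benign (assumed placeholders).
let benign_url_markers = dynamic([
    "internal.update", "dev-internal", "internal.tools.corp",
    "software.repo.corp", "testenv", "office32.update.microsoft.com"
]);
CommonSecurityLog
| where isnotempty(RequestURL)
// Cheap first pass on the IP literals, as in the original hunt
| where RequestURL has_any (malicious_ips)
// Break the URL apart so host, port and path can be matched exactly
| extend ParsedUrl = parse_url(RequestURL)
| extend UrlHost = tostring(ParsedUrl.Host),
         UrlPort = tostring(ParsedUrl.Port),
         UrlPath = tostring(ParsedUrl.Path)
| where strcat(UrlHost, ":", UrlPort) in (malicious_endpoints)
// Exclusions from the false-positive scenarios
| where not(RequestURL has_any (benign_url_markers))
// Red-team lab range (scenario 4); coalesce keeps rows whose SourceIP is empty or unparsable
| where coalesce(ipv4_is_in_range(SourceIP, "192.168.10.0/24"), false) == false
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Attempts = count(), Actions = make_set(DeviceAction)
            by SourceIP, UrlHost, UrlPort, UrlPath
| order by LastSeen desc
```

A row with Actions containing only a block or deny value still indicates a host that tried to reach the payload server and is worth triaging, since the request itself shows prior compromise or staging.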