This detection identifies potential distribution of 32-bit malware through known malicious URLs listed in URLhaus (threat tag: 32-bit), indicating that an adversary may be attempting to deploy legacy malware to evade modern defenses. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware campaigns before they cause widespread damage.
IOC Summary
- Threat: 32-bit
- Total URLs: 36
- Active URLs: 35
```kql
// Hunt for DNS activity involving the URLhaus-listed hosts
// Threat: 32-bit
// The indicators are bare IP addresses, so they are matched against the
// resolved addresses as well as the queried name. An IP-literal URL needs
// no DNS lookup, so the CommonSecurityLog query below is the primary hunt.
let malicious_hosts = dynamic(["60.182.226.145", "183.149.40.166", "95.9.35.137", "115.55.196.212", "112.93.137.207", "42.238.169.120", "123.10.230.114", "110.36.26.86", "42.234.118.12", "182.126.248.111", "203.99.183.203", "219.157.191.201", "123.9.221.162", "61.52.186.135", "115.55.55.2", "163.142.77.139", "123.5.168.33", "182.121.152.94", "110.39.238.29", "42.226.215.4", "110.39.235.164", "112.93.138.197", "110.36.77.19", "27.207.34.27"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus-listed hosts
// Threat: 32-bit
// Separate query, so the indicator list is declared again. DestinationIP is
// checked too, because proxy and firewall logs often record the IP-literal
// destination there rather than in a hostname field.
let malicious_hosts = dynamic(["60.182.226.145", "183.149.40.166", "95.9.35.137", "115.55.196.212", "112.93.137.207", "42.238.169.120", "123.10.230.114", "110.36.26.86", "42.234.118.12", "182.126.248.111", "203.99.183.203", "219.157.191.201", "123.9.221.162", "61.52.186.135", "115.55.55.2", "163.142.77.139", "123.5.168.33", "182.121.152.94", "110.39.238.29", "42.226.215.4", "110.39.235.164", "112.93.138.197", "110.36.77.19", "27.207.34.27"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-Positive Scenarios
Because the indicators above are bare IP addresses, domain-based exclusions cannot suppress a hit on them; scope any exclusion narrowly so it does not hide a true match.
- Scenario: Legitimate software update from a trusted vendor using 32-bit URLs.
  Filter/Exclusion: Exclude URLs containing known vendor domains (e.g., updates.microsoft.com, download.vmware.com) or use a regex to match official update endpoints.
- Scenario: Scheduled system backup using a 32-bit tool (e.g., Veeam Backup & Replication).
  Filter/Exclusion: Exclude URLs containing backup, restore, or specific backup tool identifiers (e.g., veeam.com) in the URL path.
- Scenario: Admin task to download 32-bit drivers or patches from an internal repository.
  Filter/Exclusion: Exclude URLs originating from internal IP ranges or internal domain names (e.g., intranet.corp.example.com) and filter by file extensions such as .exe or .msi.
- Scenario: User accessing a 32-bit application support page (e.g., Adobe Flash Player).
  Filter/Exclusion: Exclude URLs containing support, download, or specific application names (e.g., flashplayer.adobe.com) and filter by user role (e.g., exclude non-admin users).
- Scenario: Automated job to fetch 32-bit logs or metrics from a monitoring tool (e.g., Splunk, Datadog).
  Filter/Exclusion: Exclude URLs containing logs, metrics, or specific API endpoints (e.g., /api/logs, /metrics) and filter by source IP or service name.