The detection identifies potential 32-bit malware delivery vectors through known malicious URLs listed in URLhaus, which are commonly used by adversaries to bypass modern system protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage attacks that leverage outdated 32-bit payloads to evade detection.
IOC Summary

Threat: 32-bit
Total URLs: 39
Active URLs: 38
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.57.185.22:41008/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://125.45.48.186:60923/i | online | malware_download | 2026-06-26 |
| hxxp://125.45.48.186:60923/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://221.14.106.251:51641/i | online | malware_download | 2026-06-26 |
| hxxp://163.142.95.89:33034/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://219.157.50.47:60734/i | online | malware_download | 2026-06-26 |
| hxxp://115.63.144.3:51087/i | online | malware_download | 2026-06-26 |
| hxxp://89.233.194.35:54378/i | online | malware_download | 2026-06-26 |
| hxxp://42.235.93.247:36757/i | online | malware_download | 2026-06-26 |
| hxxp://42.57.55.36:35817/i | online | malware_download | 2026-06-26 |
| hxxp://115.63.243.28:60153/i | online | malware_download | 2026-06-26 |
| hxxp://105.224.14.166:57541/i | online | malware_download | 2026-06-26 |
| hxxp://182.117.68.242:53312/i | online | malware_download | 2026-06-26 |
| hxxp://42.224.144.21:50252/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://105.184.80.27:37441/i | online | malware_download | 2026-06-26 |
| hxxp://42.235.93.247:36757/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://185.205.226.191:58124/i | online | malware_download | 2026-06-26 |
| hxxp://171.213.175.245:60875/i | online | malware_download | 2026-06-26 |
| hxxp://185.205.226.191:58124/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://115.63.243.28:60153/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://105.224.14.166:57541/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://120.85.60.27:43042/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://119.117.173.66:36078/i | online | malware_download | 2026-06-26 |
| hxxp://105.184.80.27:37441/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://182.119.228.137:52060/i | online | malware_download | 2026-06-26 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Note: the indicators in this campaign are bare IP:port hosts (see the URL table),
// so the list below holds IP addresses, not hostnames. DnsEvents.Name only carries
// an IP literal when an endpoint queried one directly, which is rare; treat this
// query as a secondary check and rely on the CommonSecurityLog query as the primary one.
let malicious_domains = dynamic(["42.57.185.22", "42.235.52.206", "125.45.48.186", "219.157.50.47", "105.224.14.166", "42.235.93.247", "105.184.80.27", "119.117.173.66", "110.38.230.102", "115.63.144.3", "182.117.68.242", "221.14.106.251", "185.205.226.191", "39.63.144.61", "42.57.55.36", "89.233.194.35", "42.224.144.21", "163.142.95.89", "115.63.243.28", "182.119.228.137", "120.85.60.27", "171.213.175.245"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// DestinationIP is checked as well, because proxies and firewalls that log an
// IP-based request often leave DestinationHostName empty.
let malicious_domains = dynamic(["42.57.185.22", "42.235.52.206", "125.45.48.186", "219.157.50.47", "105.224.14.166", "42.235.93.247", "105.184.80.27", "119.117.173.66", "110.38.230.102", "115.63.144.3", "182.117.68.242", "221.14.106.251", "185.205.226.191", "39.63.144.61", "42.57.55.36", "89.233.194.35", "42.224.144.21", "163.142.95.89", "115.63.243.28", "182.119.228.137", "120.85.60.27", "171.213.175.245"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A legitimate software update from a trusted vendor (e.g., Microsoft Windows Update) includes a 32-bit URL in its deployment script.
  Filter/Exclusion: Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com in the domain field.
- Scenario: A system administrator manually runs a 32-bit version of a legitimate tool (e.g., 7-Zip or WinRAR) for compatibility with older systems.
  Filter/Exclusion: Exclude URLs containing 7-zip.org or win.rar in the domain field, or filter by a user agent indicating administrative tasks.
- Scenario: A scheduled job (e.g., a PowerShell script) is configured to download a 32-bit version of a legitimate application (e.g., SQL Server) from an internal repository.
  Filter/Exclusion: Exclude URLs containing internal-repo.company.com or sqlserver.com in the domain field, or filter by source IP from the internal network.
- Scenario: A user accesses a 32-bit version of a legitimate tool (e.g., Notepad++) via a bookmark or saved link during a system compatibility check.
  Filter/Exclusion: Exclude URLs containing notepad-plus-plus.org or download.notepad-plus-plus.org in the domain field, or filter by user behavior indicating non-malicious activity.
- Scenario: A DevOps pipeline (e.g., Jenkins or GitLab CI) uses a 32-bit artifact (e.g., a Java JDK) from a public repository (e.g., archive.org or sourceforge.net).
  Filter/Exclusion: Exclude URLs containing archive.org, sourceforge.net, or jenkins.io in the domain field, or filter by process name related to CI/CD tools.