The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malicious payloads, leveraging outdated systems to evade modern detection mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of legacy systems that may lack up-to-date defenses.
IOC Summary
Threat: 32-bit
Total URLs: 44
Active URLs: 43
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://1.62.250.51:36599/i | online | malware_download | 2026-06-01 |
| hxxp://182.130.208.219:35908/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://123.14.233.95:35889/i | online | malware_download | 2026-06-01 |
| hxxp://1.62.250.51:36599/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://183.196.29.73:5666/i | online | malware_download | 2026-06-01 |
| hxxp://42.177.199.107:34359/i | online | malware_download | 2026-06-01 |
| hxxp://39.79.135.87:48666/i | online | malware_download | 2026-06-01 |
| hxxp://196.190.133.180:35873/i | online | malware_download | 2026-06-01 |
| hxxp://46.158.238.183:34073/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://39.79.135.87:48666/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://183.196.29.73:5666/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://123.14.233.95:35889/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://117.26.110.3:38787/i | online | malware_download | 2026-06-01 |
| hxxp://61.53.87.54:34863/i | online | malware_download | 2026-06-01 |
| hxxp://123.5.138.140:48120/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://42.232.100.206:52735/i | online | malware_download | 2026-06-01 |
| hxxp://110.37.14.156:56637/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://221.214.173.46:36461/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://196.190.133.180:35873/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://61.53.87.54:34863/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://110.36.65.9:41689/i | online | malware_download | 2026-06-01 |
| hxxp://117.26.110.3:38787/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://61.53.126.95:50316/i | online | malware_download | 2026-06-01 |
| hxxp://42.232.100.206:52735/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://110.36.65.9:41689/bin.sh | online | malware_download | 2026-06-01 |
```kql
// Hunt for DNS activity involving the URLhaus indicator hosts
// Threat: 32-bit
// The list holds the IP addresses from the URL table rather than domain names, so the
// resolved answers (IPAddresses) are checked as well as the queried name.
let malicious_domains = dynamic(["46.158.238.183", "110.36.65.9", "123.5.138.140", "61.53.126.95", "196.190.133.180", "171.213.224.180", "110.37.14.156", "42.232.100.206", "221.214.173.46", "39.79.135.87", "42.177.199.107", "61.53.87.54", "123.14.233.95", "117.26.110.3", "182.121.40.183", "103.167.175.121", "1.62.250.51", "42.56.204.209", "183.196.29.73", "182.130.208.219", "39.65.248.48"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus indicator hosts
// Threat: 32-bit
// DestinationIP and DestinationPort are included because the indicators are IP:port pairs
// and the request URL is not always populated by every CEF source.
let malicious_domains = dynamic(["46.158.238.183", "110.36.65.9", "123.5.138.140", "61.53.126.95", "196.190.133.180", "171.213.224.180", "110.37.14.156", "42.232.100.206", "221.214.173.46", "39.79.135.87", "42.177.199.107", "61.53.87.54", "123.14.233.95", "117.26.110.3", "182.121.40.183", "103.167.175.121", "1.62.250.51", "42.56.204.209", "183.196.29.73", "182.130.208.219", "39.65.248.48"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a 32-bit application update via a local URL. | Exclude URLs containing `internal` or `localhost` in the domain or path. |
| A scheduled job runs a 32-bit legacy application update from a known internal repository. | Exclude URLs that match internal IP ranges or internal domain names such as `intranet.example.com`. |
| A user is accessing a 32-bit version of a legitimate tool (e.g., 7-Zip) via a company-issued USB drive. | Exclude URLs that are local file paths or contain `usb` or `drive` in the URL. |
| A security team is performing a red team exercise and uses a 32-bit payload from a controlled environment. | Exclude URLs that are flagged as internal test environments or contain `redteam` or `test` in the path. |
| A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) for compatibility with older systems. | Exclude URLs that are associated with internal CI/CD pipelines or contain `jenkins` or `ci` in the domain. |
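The following Python script is an added example, not part of the URLhaus feed or the Sentinel content above. It shows the same hunt the KQL queries perform (does the observed host appear in the indicator list?) together with the exclusion rules from the scenario table, run offline over constructed proxy log lines. It goes one step beyond the queries by grading each hit: an exact host:port/path from the feed is reported as `exact` and is never suppressed by an exclusion, a bare IP match is reported as `host`, and everything the scenario rules cover is `excluded`. The five IOC rows are copied from the table above; the log lines, the internal zone `intranet.example.com` and the keyword lists are constructed tuning values for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Five rows copied from the URLhaus-style IOC table above, still defanged.
IOC_ROWS = [
    "hxxp://1.62.250.51:36599/i",
    "hxxp://1.62.250.51:36599/bin.sh",
    "hxxp://182.130.208.219:35908/bin.sh",
    "hxxp://123.14.233.95:35889/i",
    "hxxp://110.36.65.9:41689/bin.sh",
]

# Keyword exclusions transcribed from the false-positive scenarios (hypothetical tuning values).
DOMAIN_KEYWORDS = ("internal", "localhost", "jenkins", "ci")
PATH_KEYWORDS = ("internal", "localhost", "redteam", "test")
URL_KEYWORDS = ("usb", "drive")
INTERNAL_DOMAIN_SUFFIXES = ("intranet.example.com",)  # hypothetical internal zone

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
LOG_LINES = [
    "2026-06-01T08:12:03Z 10.0.0.21 GET http://1.62.250.51:36599/bin.sh 200",
    "2026-06-01T08:15:44Z 10.0.0.33 GET http://intranet.example.com/updates/app32.msi 200",
    "2026-06-01T08:20:10Z 10.0.0.40 GET http://123.14.233.95:8080/i 404",
    "2026-06-01T08:25:51Z 10.0.0.52 GET http://ci.example.com/job/build32/ 200",
    "2026-06-01T08:30:00Z 10.0.0.60 GET http://110.36.65.9:41689/test/bin.sh 200",
    "2026-06-01T08:35:12Z 10.0.0.71 GET http://www.example.org/ 200",
]

URL_RE = re.compile(r"\b(?:hxxp|http)s?://\S+", re.IGNORECASE)


def refang(url):
    """Convert a defanged hxxp:// URL into a parseable http:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_ioc_index(rows):
    """Map (host, port) -> set of paths from the feed; the keys double as the host list."""
    index = {}
    for row in rows:
        parts = urlsplit(refang(row))
        index.setdefault((parts.hostname, parts.port), set()).add(parts.path)
    return index


def is_internal(host):
    """Scenario 1-2 exclusion: private/loopback addresses or internal hostnames."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:
        return host == "localhost" or host.endswith(INTERNAL_DOMAIN_SUFFIXES)


def has_excluded_keyword(host, path):
    """Scenario 3-5 exclusions: keywords in the domain, in the path, or anywhere in the URL."""
    url = host + path
    return (any(k in host for k in DOMAIN_KEYWORDS)
            or any(k in path for k in PATH_KEYWORDS)
            or any(k in url for k in URL_KEYWORDS))


def classify(url, index):
    """Return 'exact', 'host', 'excluded' or 'clean' for one observed URL."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if not host:
        return "clean"
    # A full host:port/path from the feed is reported regardless of the exclusions.
    if path in index.get((host, parts.port), ()):
        return "exact"
    if is_internal(host) or has_excluded_keyword(host, path):
        return "excluded"
    # Same test the KQL above performs: the bare host/IP appears in the indicator list.
    if any(host == ioc_host for ioc_host, _ in index):
        return "host"
    return "clean"


def hunt(lines, rows):
    """Run the classifier over log lines; returns [(url, verdict)] for every line with a URL."""
    index = build_ioc_index(rows)
    results = []
    for line in lines:
        m = URL_RE.search(line)
        if m:
            results.append((m.group(0), classify(m.group(0), index)))
    return results


if __name__ == "__main__":
    for url, verdict in hunt(LOG_LINES, IOC_ROWS):
        print(f"{verdict:8s} {url}")
```

The run shows the cost of the keyword rules: the request to `110.36.65.9:41689/test/bin.sh` reaches a listed host and port, yet the `test` rule from the scenario table drops it because the path differs from the feed entry. Review exclusions against the `host` and `excluded` verdicts before applying them as Sentinel suppression rules, and prefer matching on destination IP and port over path keywords wherever the log source carries them.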