The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of 32-bit systems.
IOC Summary
Threat: 32-bit. Total URLs: 37. Active URLs: 36.
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// Note: the URLhaus entries for this hunt are IP-literal URLs, so a DNS query
// Name will rarely contain them; the resolved-address column (IPAddresses) is
// also matched so that answers pointing at these hosts are caught.
let malicious_domains = dynamic(["222.141.26.232", "42.229.151.147", "182.127.178.140", "123.11.77.199", "182.119.71.160", "182.112.14.59", "39.78.182.101", "27.215.53.135", "182.113.202.170", "115.55.117.53", "42.231.31.141", "42.226.223.139", "125.43.33.196", "125.45.156.130", "110.36.1.200", "27.204.197.147", "123.14.32.97", "27.220.114.3", "112.248.103.32", "175.146.244.185"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// Note: because the indicators are IP addresses, DestinationIP is matched
// directly in addition to the URL and hostname strings; the destination port
// is kept in the output since every URL in this set uses a non-standard port.
let malicious_domains = dynamic(["222.141.26.232", "42.229.151.147", "182.127.178.140", "123.11.77.199", "182.119.71.160", "182.112.14.59", "39.78.182.101", "27.215.53.135", "182.113.202.170", "115.55.117.53", "42.231.31.141", "42.226.223.139", "125.43.33.196", "125.45.156.130", "110.36.1.200", "27.204.197.147", "123.14.32.97", "27.220.114.3", "112.248.103.32", "175.146.244.185"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus.
Filter/Exclusion: Exclude URLs that match the urlhaus tag and are associated with known safe 32-bit software updates.
Scenario: A scheduled job runs a nightly backup script that uses a 32-bit tool (e.g., rsync or tar) and generates a temporary URL for file transfer.
Filter/Exclusion: Exclude URLs that are part of internal file transfer protocols (e.g., ftp://, scp://, or sftp://) or originate from internal IP ranges.
Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins or GitLab Runner) to build a project, which triggers a URL for artifact download.
Filter/Exclusion: Exclude URLs that are associated with CI/CD artifact repositories (e.g., artifactory, Nexus, or Jenkinsfile URLs).
Scenario: An IT team is performing a system cleanup and uses a 32-bit diagnostic tool (e.g., Process Explorer or another Sysinternals tool) that generates a temporary URL for log file download.
Filter/Exclusion: Exclude URLs that are associated with internal log management systems (e.g., Splunk, ELK, or Graylog) or are flagged as internal by IP or domain.
Scenario: A user is accessing a 32-bit version of a legitimate enterprise application (e.g., Microsoft Office 32-bit) through a company-issued URL.
Filter/Exclusion: Exclude URLs that are part of the company’s internal software distribution portal or are whitelisted in the enterprise URL filtering policy.
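The web-traffic hunt with the exclusions from the scenarios above expressed in KQL, as an added example that is not part of the original hunt. The indicator list is the page's own; `internal_ranges` and `allowlisted_hosts` are placeholder values to be replaced with the organisation's real ones, and a direct connection to a listed IP is deliberately never suppressed by the allow-lists.

```kql
// Added example (not from the original page): the CommonSecurityLog hunt with
// the false-positive exclusions applied. Allow-list values are placeholders.
let malicious_hosts = dynamic(["222.141.26.232", "42.229.151.147", "182.127.178.140", "123.11.77.199", "182.119.71.160", "182.112.14.59", "39.78.182.101", "27.215.53.135", "182.113.202.170", "115.55.117.53", "42.231.31.141", "42.226.223.139", "125.43.33.196", "125.45.156.130", "110.36.1.200", "27.204.197.147", "123.14.32.97", "27.220.114.3", "112.248.103.32", "175.146.244.185"]);
// Scenario 2: internal address space (placeholder: RFC 1918 ranges only).
let internal_ranges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
// Scenarios 3 to 5: artifact repositories, log management systems and the
// software distribution portal (placeholder hostnames).
let allowlisted_hosts = dynamic(["artifactory.example.internal", "nexus.example.internal",
                                 "logs.example.internal", "swportal.example.internal"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
// A direct connection to a listed IP is never excluded; the allow-lists below
// only suppress matches that came from a URL or hostname string.
| extend DirectIpHit = DestinationIP in (malicious_hosts)
// Scenario 2: drop transfers whose destination is internal. None of the IOC
// addresses are private, so only string-based matches can be affected.
| where DirectIpHit
    or isempty(DestinationIP)
    or not(ipv4_is_in_any_range(DestinationIP, internal_ranges))
// Scenarios 3 to 5: drop allow-listed destinations.
| where DirectIpHit or not(DestinationHostName has_any (allowlisted_hosts))
// The URLhaus entries for this hunt all point at /i or /bin.sh on a high,
// non-standard port; keep path and port so a hit can be triaged at a glance.
| extend Path = tostring(parse_url(RequestURL).Path)
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Paths = make_set(Path, 10), Actions = make_set(DeviceAction, 5)
          by SourceIP, DestinationIP, DestinationPort, DestinationHostName, DirectIpHit
| order by LastSeen desc
```

Rows with DirectIpHit set to true should be triaged first, since those connections reached a listed address regardless of how the URL or hostname was logged.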