This detection identifies potential distribution of 32-bit malware (the URLhaus threat tag "32-bit") through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage infections that could evade traditional signature-based detection.
IOC Summary
Threat: 32-bit. Total URLs: 46. Active URLs: 45.
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["27.37.102.183", "110.85.99.109", "42.235.73.158", "182.116.54.100", "218.28.230.7", "201.110.53.143", "115.56.42.47", "219.155.9.68", "219.155.237.134", "115.49.66.242", "221.202.19.236", "175.173.85.107", "124.163.53.51", "42.228.232.101", "42.224.171.91", "188.113.25.107", "112.248.187.78", "110.36.80.171", "27.37.119.96", "175.165.109.28", "123.9.195.177"]);
DnsEvents
// The indicators are raw IP addresses, so they will rarely appear as the queried
// name; also match the resolved addresses so lookups that resolve to them are caught
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["27.37.102.183", "110.85.99.109", "42.235.73.158", "182.116.54.100", "218.28.230.7", "201.110.53.143", "115.56.42.47", "219.155.9.68", "219.155.237.134", "115.49.66.242", "221.202.19.236", "175.173.85.107", "124.163.53.51", "42.228.232.101", "42.224.171.91", "188.113.25.107", "112.248.187.78", "110.36.80.171", "27.37.119.96", "175.165.109.28", "123.9.195.177"]);
CommonSecurityLog
// Match the URL, the destination host name, and the destination IP itself, since
// direct-to-IP downloads (as in these URLs) may carry no host name at all
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- **Scenario:** A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes.
  **Filter/Exclusion:** Exclude URLs on the urlhaus.org domain or URLs whose path contains the substring "test-url".
- **Scenario:** A scheduled job runs to update a 32-bit legacy software package, which includes downloading a signed URL from a trusted repository.
  **Filter/Exclusion:** Exclude URLs that belong to a known update process, such as those containing "update-server" or matching the software-update.example.com domain.
- **Scenario:** A user is accessing a legitimate 32-bit web application hosted on an internal server, which is configured to use a URL that matches the 32-bit malicious URL pattern.
  **Filter/Exclusion:** Exclude URLs originating from internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or URLs that match internal subdomains such as app.internal.company.com.
- **Scenario:** A security tool such as OSSEC or Snort is configured to send alerts to a centralized log management system, and the alert message includes a URL that matches the 32-bit malicious URL pattern.
  **Filter/Exclusion:** Exclude URLs that are part of the alert message payload or that match the alert-source.example.com domain.
- **Scenario:** A developer is using a CI/CD pipeline (e.g., Jenkins, GitLab CI) to deploy a 32-bit application, and the pipeline logs include a URL that matches the 32-bit malicious URL pattern.
  **Filter/Exclusion:** Exclude URLs that contain the substring "ci.pipeline" or are part of the CI/CD
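The exclusions from the scenarios above folded into the CommonSecurityLog hunt, as an added example that is not part of the original page; the safe-list hosts and path fragments are the placeholder names used in the scenarios and should be replaced with your own, and the internal-range exclusion is applied to the destination (the internal server hosting the application).

```kql
// Added example (not from the original page): the CommonSecurityLog hunt with the
// false-positive exclusions applied before triage. excluded_hosts and
// excluded_path_fragments hold the placeholder values named in the scenarios.
let malicious_domains = dynamic(["27.37.102.183", "110.85.99.109", "42.235.73.158", "182.116.54.100", "218.28.230.7", "201.110.53.143", "115.56.42.47", "219.155.9.68", "219.155.237.134", "115.49.66.242", "221.202.19.236", "175.173.85.107", "124.163.53.51", "42.228.232.101", "42.224.171.91", "188.113.25.107", "112.248.187.78", "110.36.80.171", "27.37.119.96", "175.165.109.28", "123.9.195.177"]);
let excluded_hosts = dynamic(["urlhaus.org", "software-update.example.com", "alert-source.example.com", "app.internal.company.com"]);
let excluded_path_fragments = dynamic(["test-url", "update-server", "ci.pipeline"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
// Scenarios 1, 2, 4, 5: known-benign hosts and path fragments
| where not(RequestURL has_any (excluded_hosts) or DestinationHostName has_any (excluded_hosts))
| where not(RequestURL has_any (excluded_path_fragments))
// Scenario 3: internal servers in RFC 1918 space; rows with no logged
// destination IP are kept so URL-only records are not silently dropped
| where isempty(DestinationIP) or ipv4_is_private(DestinationIP) == false
// Collapse to one row per source/destination pair for triage
| summarize hits = count(),
            first_seen = min(TimeGenerated),
            last_seen = max(TimeGenerated),
            actions = make_set(DeviceAction, 10),
            urls = make_set(RequestURL, 10)
    by SourceIP, DestinationHostName, DestinationIP
| order by last_seen desc
```

Review the `actions` set first: a hit whose only action is a proxy or firewall block is confirmation that the control worked, while an allowed request to one of these destinations warrants host investigation.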