This detection hunts for contact with URLs that URLhaus tags 32-bit: payload download locations adversaries use to stage malware on hosts they have already compromised. SOC teams can run the queries below in Microsoft Sentinel (formerly Azure Sentinel) to catch the download stage before the payload executes. Note that 32-bit is the URLhaus tag attached to these entries, not evidence that the victim environment runs outdated 32-bit infrastructure: every entry listed below is a bare IP address serving /i or /bin.sh on a high, ephemeral port, a pattern consistent with automated botnet droppers that fetch a shell script which then pulls per-architecture binaries.
IOC Summary
Threat tag: 32-bit
Total URLs: 44
Active URLs: 39
The table below lists 25 of the 44 entries.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://201.149.107.50:51796/i | online | malware_download | 2026-04-20 |
| hxxp://95.56.232.109:46503/i | online | malware_download | 2026-04-20 |
| hxxp://110.39.229.188:56974/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://201.149.107.50:51796/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://110.39.225.163:52907/i | online | malware_download | 2026-04-20 |
| hxxp://95.56.232.109:46503/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://61.53.193.170:38506/i | online | malware_download | 2026-04-20 |
| hxxp://193.187.101.227:43875/i | online | malware_download | 2026-04-20 |
| hxxp://27.215.210.81:52053/i | online | malware_download | 2026-04-20 |
| hxxp://42.224.147.201:50227/i | online | malware_download | 2026-04-20 |
| hxxp://42.228.222.186:41123/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://125.41.214.239:33998/i | online | malware_download | 2026-04-20 |
| hxxp://193.187.101.227:43875/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://42.224.147.201:50227/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://125.41.214.239:33998/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://110.36.75.245:54175/i | online | malware_download | 2026-04-20 |
| hxxp://110.39.246.84:45879/i | online | malware_download | 2026-04-20 |
| hxxp://42.224.96.30:43574/i | online | malware_download | 2026-04-20 |
| hxxp://39.68.43.217:34887/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://175.107.12.59:58200/i | online | malware_download | 2026-04-20 |
| hxxp://110.36.29.195:56653/i | online | malware_download | 2026-04-20 |
| hxxp://110.38.201.35:59591/i | online | malware_download | 2026-04-20 |
| hxxp://59.96.139.46:35804/i | online | malware_download | 2026-04-20 |
| hxxp://182.127.111.153:57891/i | online | malware_download | 2026-04-20 |
| hxxp://110.36.29.195:56653/bin.sh | online | malware_download | 2026-04-20 |
```kusto
// Hunt for DNS resolutions that point at URLhaus-listed IPs (threat tag: 32-bit).
// Every indicator in this list is a bare IP, so the queried Name will never equal one;
// the useful check is whether a name resolved to one of them (the IPAddresses column).
// Name is kept as a cheap secondary check in case the list is later widened to domains.
let malicious_ips = dynamic(["180.243.65.33", "110.39.246.84", "59.96.139.46", "110.39.225.163", "193.187.101.227", "201.149.107.50", "27.215.210.81", "110.36.75.245", "110.38.201.35", "42.224.147.201", "110.36.29.195", "110.39.229.188", "61.53.193.170", "182.121.225.165", "175.107.12.59", "42.228.222.186", "182.127.127.117", "59.88.7.241", "39.68.43.217", "125.41.214.239", "95.56.232.109", "42.224.96.30", "182.127.111.153", "42.235.91.0"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus-listed IPs (threat tag: 32-bit).
// Match the literal IP in the requested URL, in the destination host name, and in
// DestinationIP, so requests logged without a full URL (for example, CONNECT or
// firewall-only events) are still caught. DestinationPort is projected because
// each indicator is an IP:port pair and the port is what separates a dropper
// listener from other traffic to the same address.
let malicious_ips = dynamic(["180.243.65.33", "110.39.246.84", "59.96.139.46", "110.39.225.163", "193.187.101.227", "201.149.107.50", "27.215.210.81", "110.36.75.245", "110.38.201.35", "42.224.147.201", "110.36.29.195", "110.39.229.188", "61.53.193.170", "182.121.225.165", "175.107.12.59", "42.228.222.186", "182.127.127.117", "59.88.7.241", "39.68.43.217", "125.41.214.239", "95.56.232.109", "42.224.96.30", "182.127.111.153", "42.235.91.0"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
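The following is an added example, not code from the original page and not part of URLhaus or Sentinel: an offline re-implementation of the two hunts above in Python, so the matching logic can be checked on sample data before it is pointed at production tables. It reuses a subset of the IOC URLs from the table, but every log record, hostname, internal address and allowlist entry in it is constructed for illustration, and the record field names simply mirror the Sentinel columns the queries project. It goes slightly beyond the queries by tiering each hit (exact listed URL, same IP:port with a different file name, same IP only) and by showing that an FQDN allowlist of the kind discussed in the tuning scenarios further down does not change the result for an IP-only indicator set.

```python
"""Offline mirror of the DnsEvents and CommonSecurityLog hunts (added example).

IOC URLs: subset of the table on this page. All log records, hosts and the
allowlist are constructed; field names mirror the Sentinel columns used above.
"""
from urllib.parse import urlsplit

# Subset of the IOC table above, still defanged (hxxp://).
IOC_URLS = [
    "hxxp://201.149.107.50:51796/i",
    "hxxp://201.149.107.50:51796/bin.sh",
    "hxxp://95.56.232.109:46503/i",
    "hxxp://110.39.229.188:56974/bin.sh",
    "hxxp://110.36.29.195:56653/i",
    "hxxp://110.36.29.195:56653/bin.sh",
]

# Constructed DnsEvents-style records (not real telemetry).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-04-21T02:14:07Z", "Computer": "cam-gw-01",
     "Name": "cdn.example.invalid", "IPAddresses": "110.36.29.195"},
    {"TimeGenerated": "2026-04-21T02:15:30Z", "Computer": "ws-042",
     "Name": "www.example.com", "IPAddresses": "93.184.216.34,2606:2800:21f:cb07:6820:80da:af6b:8b2c"},
]

# Constructed CommonSecurityLog-style proxy records (not real telemetry).
SAMPLE_PROXY = [
    {"TimeGenerated": "2026-04-21T02:14:09Z", "SourceIP": "10.0.5.17", "DeviceAction": "allow",
     "RequestURL": "http://110.36.29.195:56653/bin.sh", "DestinationIP": "110.36.29.195"},
    {"TimeGenerated": "2026-04-21T02:20:41Z", "SourceIP": "10.0.5.17", "DeviceAction": "block",
     "RequestURL": "http://201.149.107.50:51796/x86", "DestinationIP": "201.149.107.50"},
    {"TimeGenerated": "2026-04-21T03:01:12Z", "SourceIP": "10.0.8.3", "DeviceAction": "allow",
     "RequestURL": "http://95.56.232.109/", "DestinationIP": "95.56.232.109"},
    {"TimeGenerated": "2026-04-21T03:30:00Z", "SourceIP": "10.0.9.9", "DeviceAction": "allow",
     "RequestURL": "http://backup.example.com/update/nightly.tar", "DestinationIP": "10.0.20.5"},
    {"TimeGenerated": "2026-04-21T03:45:55Z", "SourceIP": "10.0.9.9", "DeviceAction": "allow",
     "RequestURL": "http://203.0.113.9/i", "DestinationIP": "203.0.113.9"},
]

# Hypothetical internal allowlist of the kind the tuning scenarios suggest.
ALLOWLIST = ("http://backup.example.com/",)


def refang(url):
    """Turn a defanged URLhaus URL back into a parseable one."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_iocs(urls):
    """Index the IOC URLs as ip -> {(port, path)} so matches can be tiered."""
    iocs = {}
    for u in urls:
        p = urlsplit(refang(u))
        iocs.setdefault(p.hostname, set()).add((p.port, p.path))
    return iocs


def classify_url(url, iocs):
    """Return 'exact_url', 'ip_port', 'ip_only' or None for a requested URL."""
    p = urlsplit(url)
    if p.hostname not in iocs:
        return None
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    if (port, p.path) in iocs[p.hostname]:
        return "exact_url"      # the listed payload URL itself
    if any(ioc_port == port for ioc_port, _ in iocs[p.hostname]):
        return "ip_port"        # same dropper listener, different file name
    return "ip_only"            # same host, other service: weaker signal


def hunt_dns(records, iocs):
    """Mirror of the DnsEvents hunt. No client queries DNS for a bare IP, so the
    queried Name never equals an indicator; match on the resolved addresses."""
    hits = []
    for r in records:
        resolved = {a.strip() for a in r["IPAddresses"].split(",") if a.strip()}
        matched = sorted(resolved.intersection(iocs))
        if matched:
            hits.append((r["TimeGenerated"], r["Computer"], r["Name"], matched))
    return sorted(hits, reverse=True)   # order by TimeGenerated desc


def hunt_proxy(records, iocs, allowlist=()):
    """Mirror of the CommonSecurityLog hunt, with a URL-prefix allowlist and a
    fallback on DestinationIP for requests logged without a full URL."""
    hits = []
    for r in records:
        url = r.get("RequestURL", "")
        if any(url.startswith(prefix) for prefix in allowlist):
            continue
        kind = classify_url(url, iocs) if url else None
        if kind is None and r.get("DestinationIP") in iocs:
            kind = "ip_only"
        if kind:
            hits.append((r["TimeGenerated"], r["SourceIP"], url, r["DeviceAction"], kind))
    return sorted(hits, reverse=True)   # order by TimeGenerated desc


if __name__ == "__main__":
    indicators = parse_iocs(IOC_URLS)
    for hit in hunt_dns(SAMPLE_DNS, indicators) + hunt_proxy(SAMPLE_PROXY, indicators, ALLOWLIST):
        print(hit)
```

On the constructed data the DNS hunt fires only on the name that resolved to a listed IP, and the proxy hunt returns three tiered hits while the allowlisted backup request is ignored whether or not the allowlist is applied, which is the point worth remembering when tuning: an allowlist of internal FQDNs cannot intersect an indicator set made of literal IP:port URLs.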
False-positive scenarios and tuning
Two caveats apply to every scenario below. First, each indicator on this page is a literal IP:port URL, so an exclusion keyed on an internal FQDN can never intersect the list; such exclusions only become relevant if the hunt is widened to domain-based indicators. Second, CommonSecurityLog and DnsEvents carry no process context, so a process-name filter needs a table that has it, such as DeviceNetworkEvents from Microsoft Defender for Endpoint (InitiatingProcessFileName alongside RemoteUrl, RemoteIP and RemotePort). Since no legitimate workflow fetches /bin.sh or /i from an arbitrary external address on an ephemeral port, treat any hit on this list as a true positive until the host is examined.
Scenario: A system administrator is manually testing a 32-bit application update via a local URL for compatibility checks.
Filter/Exclusion: Exclude that specific internal test URL, or the administrator's source host. A browser user-agent string is not a reliable discriminator; the value sometimes proposed here, Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, is the stock Internet Explorer 11 user-agent and would exclude every IE11 client in the estate.
Scenario: A scheduled job runs a nightly backup script that uses a 32-bit utility to archive data, and the script accesses a known internal URL for storage.
Filter/Exclusion: Exclude URLs that match the internal backup server FQDN (e.g., backup.example.com), or, where process context is available, the backup process name (e.g., backup_script.exe).
Scenario: An IT department uses a 32-bit endpoint detection and response (EDR) tool that communicates with a central management server via a known internal URL.
Filter/Exclusion: Exclude URLs that match the EDR management server (e.g., edr.example.com), or, where process context is available, the agent process name (e.g., EDR_Manager.exe).
Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) to run a build job that accesses a private artifact repository URL.
Filter/Exclusion: Exclude URLs that match the private artifact repository (e.g., artifactory.example.com), or, where process context is available, the build agent process name (e.g., jenkins.exe).
Scenario: A system is running a 32-bit version of a log aggregation tool (e.g., Splunk) that sends logs to a central server using a known internal URL.
Filter/Exclusion: Exclude URLs that match the Splunk server FQDN (e.g., splunk.example.com) or filter by process name like `splunkd