The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware distribution channels before they cause widespread compromise.
IOC Summary
Threat: 32-bit
Total URLs: 44
Active URLs: 40
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.227.196.141:57661/i | online | malware_download | 2026-05-31 |
| hxxp://115.51.45.253:33189/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://58.255.43.138:59600/i | online | malware_download | 2026-05-31 |
| hxxp://222.137.212.116:48943/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://42.55.59.47:35540/i | online | malware_download | 2026-05-31 |
| hxxp://222.136.158.157:47896/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://42.227.196.141:57661/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://39.76.107.166:55801/i | online | malware_download | 2026-05-31 |
| hxxp://222.139.115.64:51399/i | online | malware_download | 2026-05-31 |
| hxxp://125.41.2.112:60732/i | online | malware_download | 2026-05-31 |
| hxxp://222.139.115.64:51399/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://110.36.80.162:58585/i | online | malware_download | 2026-05-31 |
| hxxp://125.41.2.112:60732/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://39.76.107.166:55801/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://125.126.245.214:34176/i | online | malware_download | 2026-05-31 |
| hxxp://182.121.156.228:36211/i | online | malware_download | 2026-05-31 |
| hxxp://58.255.43.138:59600/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://110.36.80.162:58585/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://83.219.1.198:41147/i | online | malware_download | 2026-05-31 |
| hxxp://42.235.168.210:39471/i | online | malware_download | 2026-05-31 |
| hxxp://182.116.118.232:53235/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://182.121.156.228:36211/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://123.9.70.99:54170/i | online | malware_download | 2026-05-31 |
| hxxp://83.219.1.198:41147/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://115.49.106.40:58202/i | online | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The indicators are raw IP addresses rather than domain names, so match both the
// queried name and the resolved IPAddresses column; a name-only match would miss
// clients that resolve a hostname to one of these IPs.
let malicious_domains = dynamic(["182.121.156.228", "115.51.45.253", "42.235.168.210", "115.49.106.40", "110.37.74.205", "42.55.59.47", "125.126.245.214", "39.76.107.166", "182.116.118.232", "123.9.70.99", "83.219.1.198", "125.41.2.112", "27.37.103.123", "222.139.115.64", "175.149.77.65", "110.36.80.162", "42.227.196.141", "115.48.162.65", "58.255.43.138", "222.136.158.157", "222.137.212.116"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// Check the request URL, the destination host name and the destination IP, since
// proxies and firewalls populate these columns differently.
let malicious_domains = dynamic(["182.121.156.228", "115.51.45.253", "42.235.168.210", "115.49.106.40", "110.37.74.205", "42.55.59.47", "125.126.245.214", "39.76.107.166", "182.116.118.232", "123.9.70.99", "83.219.1.198", "125.41.2.112", "27.37.103.123", "222.139.115.64", "175.149.77.65", "110.36.80.162", "42.227.196.141", "115.48.162.65", "58.255.43.138", "222.136.158.157", "222.137.212.116"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus.
Filter/Exclusion: Exclude URLs that match the urlhaus tag and are associated with known safe 32-bit software updates.
Scenario: A scheduled job runs a PowerShell script to download and install a 32-bit version of a legitimate enterprise tool (e.g., Microsoft SCCM or Adobe Acrobat Reader).
Filter/Exclusion: Exclude URLs that are part of the enterprise software update pipeline and are whitelisted in the SIEM or EDR system.
Scenario: A user is accessing a 32-bit version of a web-based application (e.g., legacy Java applet) through a company-approved portal.
Filter/Exclusion: Exclude URLs that are part of the company’s internal application hosting and are whitelisted in the URL filtering policy.
Scenario: A security analyst is performing a red team exercise and uses a 32-bit malicious URL from URLhaus to simulate an attack.
Filter/Exclusion: Exclude URLs that are part of the red team’s authorized test environment and are tagged with a specific test identifier (e.g., redteam_test).
Scenario: A system is running a 32-bit version of a legitimate tool (e.g., 32-bit version of Wireshark or VeraCrypt) and the tool is accessing a URL for configuration or update purposes.
Filter/Exclusion: Exclude URLs that are associated with known legitimate 32-bit tools and are part of their official update or configuration endpoints.
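The script below is an added worked example, not part of the original page and not URLhaus or Microsoft Sentinel tooling. It serves both the hunting section and the exclusion scenarios above: it parses rows in the defanged hxxp:// form used by the IOC table, keeps only active indicators, generates the DnsEvents and CommonSecurityLog KQL hunts (matching host names, resolved or destination IPs, and full URLs), and then applies the allowlist and red-team-tag exclusions to a handful of proxy records. The sample rows, the proxy records, the `Tag` enrichment column, the `redteam_test` value and the `updates.example.local` allowlist host are all constructed assumptions for the demonstration.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input: four rows copied from the IOC table above plus one constructed
# "offline" row (TEST-NET address 203.0.113.10) so the status filter has something to drop.
IOC_ROWS = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.227.196.141:57661/i | online | malware_download | 2026-05-31 |
| hxxp://115.51.45.253:33189/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://42.227.196.141:57661/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://58.255.43.138:59600/i | online | malware_download | 2026-05-31 |
| hxxp://203.0.113.10:1234/i | offline | malware_download | 2026-05-31 |
"""

# Defanged URL: hxxp(s) scheme, host, optional :port, optional path.
URL_RE = re.compile(r"^hxxps?://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$")


def refang(url: str) -> str:
    """Turn the defanged hxxp://1[.]2[.]3[.]4 form back into a real URL string."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")


def parse_ioc_table(text: str, active_only: bool = True) -> List[Dict[str, str]]:
    """Parse markdown table rows into IOC dicts; header, separator and blank lines are skipped."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("hxxp"):
            continue
        url, status, threat, date_added = cells
        if active_only and status != "online":
            continue
        m = URL_RE.match(url)
        if not m:
            continue  # malformed row: skip rather than emit a broken indicator
        iocs.append({"url": refang(url), "host": m["host"], "port": m["port"] or "80",
                     "path": m["path"] or "/", "status": status, "threat": threat,
                     "date_added": date_added})
    return iocs


def kql_list(values: Iterable[str]) -> str:
    """Render a deduplicated, sorted KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(set(values))) + "])"


def build_hunt_queries(iocs: List[Dict[str, str]]) -> Dict[str, str]:
    """Generate the DnsEvents and CommonSecurityLog hunts from the parsed indicators."""
    hosts = kql_list(i["host"] for i in iocs)
    urls = kql_list(i["url"] for i in iocs)
    dns = (f"let malicious_hosts = {hosts};\n"
           "DnsEvents\n"
           "| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)\n"
           "| project TimeGenerated, Computer, Name, IPAddresses\n"
           "| order by TimeGenerated desc")
    web = (f"let malicious_hosts = {hosts};\nlet malicious_urls = {urls};\n"
           "CommonSecurityLog\n"
           "| where RequestURL has_any (malicious_urls)\n"
           "    or DestinationHostName has_any (malicious_hosts)\n"
           "    or DestinationIP has_any (malicious_hosts)\n"
           "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction\n"
           "| order by TimeGenerated desc")
    return {"dns": dns, "web": web}


# Constructed proxy records in a CommonSecurityLog-like shape. "Tag" is an assumed enrichment
# column marking authorized red-team traffic, as in the exclusion scenarios above.
SAMPLE_LOGS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://42.227.196.141:57661/bin.sh", "DestinationHostName": "42.227.196.141", "DeviceAction": "allowed"},
    {"SourceIP": "10.0.0.9", "RequestURL": "http://updates.example.local/sccm/x86/client.msi", "DestinationHostName": "updates.example.local", "DeviceAction": "allowed"},
    {"SourceIP": "10.0.0.7", "RequestURL": "http://58.255.43.138:59600/i", "DestinationHostName": "58.255.43.138", "DeviceAction": "blocked", "Tag": "redteam_test"},
    {"SourceIP": "10.0.0.8", "RequestURL": "http://115.51.45.253:33189/bin.sh", "DestinationHostName": "115.51.45.253", "DeviceAction": "allowed"},
]

# Assumed enterprise allowlist: hosts that belong to the sanctioned software update pipeline.
ALLOWLIST_HOSTS = {"updates.example.local"}


def match_logs(logs, iocs, allowlist_hosts=frozenset(), exclude_tags=("redteam_test",)):
    """Return records touching an IOC host or URL, minus allowlisted hosts and tagged test traffic."""
    ioc_hosts = {i["host"] for i in iocs}
    ioc_urls = {i["url"] for i in iocs}
    hits = []
    for rec in logs:
        if rec.get("DestinationHostName") in allowlist_hosts:
            continue  # scenario: sanctioned update pipeline
        if rec.get("Tag") in exclude_tags:
            continue  # scenario: authorized red-team test traffic
        if rec.get("DestinationHostName") in ioc_hosts or rec.get("RequestURL") in ioc_urls:
            hits.append(rec)
    return hits
```

Running `build_hunt_queries(parse_ioc_table(IOC_ROWS))["web"]` prints a query you can paste into Sentinel; `match_logs(SAMPLE_LOGS, parse_ioc_table(IOC_ROWS), ALLOWLIST_HOSTS)` returns only the two untagged, non-allowlisted records that reach indicator hosts. Keeping the allowlist and the test tag as separate exclusions lets you audit each one independently rather than burying both in the KQL `where` clause.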