This detection identifies potential distribution of 32-bit malware through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that leverage outdated 32-bit infrastructure to evade modern defenses.
IOC Summary

Threat: 32-bit. Total URLs: 28. Active URLs: 23.
Run the two hunts below as separate queries (each defines its own `malicious_domains` list):

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["125.40.39.250", "222.138.225.235", "182.119.69.213", "182.124.209.46", "95.10.144.38", "115.56.148.132", "115.50.223.146", "125.47.244.222", "45.185.93.188", "182.117.123.187", "42.58.252.169", "219.155.71.128", "115.57.255.30", "221.13.148.102", "182.116.52.111", "125.44.215.212", "42.57.234.150", "110.37.9.151"]);
DnsEvents
// The feed's URLs use IP literals, so a lookup of the queried name alone rarely matches;
// also check the resolved addresses returned for any query
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["125.40.39.250", "222.138.225.235", "182.119.69.213", "182.124.209.46", "95.10.144.38", "115.56.148.132", "115.50.223.146", "125.47.244.222", "45.185.93.188", "182.117.123.187", "42.58.252.169", "219.155.71.128", "115.57.255.30", "221.13.148.102", "182.116.52.111", "125.44.215.212", "42.57.234.150", "110.37.9.151"]);
CommonSecurityLog
// Match the request URL, the destination host name, and (since the IOCs are IPs) the destination IP
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
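As an added example (not part of the URLhaus feed or of this page's queries), the Python helper below refangs rows in the feed's `URL | Status | Threat | Date Added` format, extracts the distinct hosts, emits the `let malicious_domains = dynamic([...])` statement the hunts above rely on, and checks proxy log lines the way `RequestURL has_any` would. The rows and log lines are constructed, using documentation-range addresses rather than the real indicators.

```python
"""Turn defanged URLhaus rows into a Sentinel dynamic list and test it on sample logs."""
import re
from urllib.parse import urlsplit

# Constructed sample rows in the feed's table format; the addresses are not real IOCs.
SAMPLE_ROWS = [
    "| hxxp://203.0.113.10:60438/bin.sh | online | malware_download | 2026-06-20 |",
    "| hxxp://203.0.113.10:60438/i | online | malware_download | 2026-06-20 |",
    "| hxxp://198.51.100.7:58524/i | offline | malware_download | 2026-06-20 |",
]

# Constructed proxy log lines standing in for CommonSecurityLog RequestURL values.
SAMPLE_LOGS = [
    "2026-06-20T10:01:02Z src=10.0.0.5 url=http://203.0.113.10:60438/bin.sh action=allow",
    "2026-06-20T10:02:11Z src=10.0.0.9 url=https://updates.example.com/patch.msi action=allow",
]


def refang(url: str) -> str:
    """Reverse the hxxp:// and [.] defanging used by IOC feeds so urlsplit can parse the URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")


def parse_rows(rows, include_offline=False):
    """Return the sorted, distinct hosts (IP literal or domain) from feed rows.

    Offline URLs are skipped by default; hosts are often shared by the /i and /bin.sh
    variants, so deduplicating keeps the KQL list short.
    """
    hosts = set()
    for row in rows:
        url, status, *_ = [cell.strip() for cell in row.strip().strip("|").split("|")]
        if status != "online" and not include_offline:
            continue
        hosts.add(urlsplit(refang(url)).hostname)
    return sorted(hosts)


def kql_let(name, values):
    """Emit the `let <name> = dynamic([...]);` statement used by the hunt queries."""
    body = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{body}]);"


def matching_lines(log_lines, hosts):
    """Approximate `RequestURL has_any (hosts)` with a substring check over raw lines."""
    return [line for line in log_lines if any(host in line for host in hosts)]
```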
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and suggested exclusions:

- Scenario: Legitimate system update or patch deployment via a 32-bit tool.
  Filter/Exclusion: Exclude URLs containing update, patch, or installer that are associated with known enterprise patch management tools such as Microsoft System Center Configuration Manager (SCCM) or WSUS.
- Scenario: Scheduled backup job using a 32-bit backup tool.
  Filter/Exclusion: Exclude URLs containing backup, restore, or snapshot that are associated with backup solutions such as Veeam Backup & Replication or Acronis True Image.
- Scenario: Admin task involving 32-bit command-line tools for system diagnostics.
  Filter/Exclusion: Exclude URLs containing diag, log, or monitor that are associated with tools such as Windows Event Viewer, Sysmon, or Process Monitor (ProcMon).
- Scenario: Internal URL shortener or redirect service used for internal documentation.
  Filter/Exclusion: Exclude URLs containing short, redirect, or doc that are associated with internal URL shortening tools such as Bitly (if used internally) or Google's shortener.
- Scenario: 32-bit application used for legacy software support or compatibility testing.
  Filter/Exclusion: Exclude URLs containing legacy, compat, or test that are associated with tools such as VirtualBox, Docker (32-bit containers), or Windows XP Mode.