This detection flags potential distribution of 32-bit malware through URLs listed on URLhaus, which may indicate an adversary targeting an older architecture to evade modern defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt malware deployment and prevent lateral movement in compromised environments.
IOC Summary
Threat: 32-bit. Total URLs: 62; active URLs: 61.
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// Note: the indicators are IP addresses, so match the resolved IPAddresses column as well as the queried Name.
let malicious_domains = dynamic(["115.56.155.235", "123.9.53.79", "42.231.89.206", "182.112.42.182", "125.41.79.73", "110.37.31.174", "42.179.114.108", "42.239.246.79", "80.67.33.209", "180.245.6.227", "219.155.205.104", "123.12.229.252", "182.124.64.178", "123.10.230.96", "182.113.200.72", "124.131.130.85", "185.221.254.132", "115.50.27.110", "42.57.233.228", "164.163.25.157"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DeviceAction shows whether the proxy or firewall allowed or blocked the request.
let malicious_domains = dynamic(["115.56.155.235", "123.9.53.79", "42.231.89.206", "182.112.42.182", "125.41.79.73", "110.37.31.174", "42.179.114.108", "42.239.246.79", "80.67.33.209", "180.245.6.227", "219.155.205.104", "123.12.229.252", "182.124.64.178", "123.10.230.96", "182.113.200.72", "124.131.130.85", "185.221.254.132", "115.50.27.110", "42.57.233.228", "164.163.25.157"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a 32-bit application update via a local URL. | Exclude URLs containing `internal` or `localhost` in the domain or path. |
| A scheduled job runs a 32-bit compatibility check using a known internal testing URL. | Exclude URLs that match the internal testing domain (e.g., `test.example.com`) or contain `compatibility-check`. |
| A developer is using a 32-bit tool such as WinMerge or Visual Studio 2019 and accesses a legitimate update URL. | Exclude URLs that include the tool name or version (e.g., `winmerge.org`, `visualstudio.com`) and are known to be safe. |
| A backup job uses a 32-bit script to access a remote storage URL for archival purposes. | Exclude URLs that match the backup server domain (e.g., `backup.example.com`) or contain `backup` in the path. |
| An IT team is running a 32-bit Windows service that periodically connects to a monitoring URL for health checks. | Exclude URLs that are part of the internal monitoring system (e.g., `monitoring.example.com`) or contain `health-check` in the path. |
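As an added example that is not part of the original playbook, the following query applies the false-positive exclusions above to the CommonSecurityLog hunt and rolls the remaining hits up per source host. The allowlisted host names and path keywords are placeholders built from the scenario examples and are assumptions to be replaced with your own environment's values.

```kql
// Added example: URLhaus IP hunt in CommonSecurityLog with the documented
// false-positive exclusions applied, summarised per source host.
// Indicator list taken from the hunt queries above.
let malicious_ips = dynamic(["115.56.155.235", "123.9.53.79", "42.231.89.206", "182.112.42.182", "125.41.79.73", "110.37.31.174", "42.179.114.108", "42.239.246.79", "80.67.33.209", "180.245.6.227", "219.155.205.104", "123.12.229.252", "182.124.64.178", "123.10.230.96", "182.113.200.72", "124.131.130.85", "185.221.254.132", "115.50.27.110", "42.57.233.228", "164.163.25.157"]);
// Placeholder allowlist assembled from the scenario table; replace with your own hosts.
let allowlisted_hosts = dynamic(["test.example.com", "backup.example.com",
    "monitoring.example.com", "winmerge.org", "visualstudio.com"]);
// Placeholder path/host keywords from the scenario table.
let benign_markers = dynamic(["internal", "localhost", "compatibility-check",
    "backup", "health-check"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips)
// Record why a row would be excluded instead of silently dropping it.
| extend ExclusionReason = case(
    DestinationHostName has_any (allowlisted_hosts), "allowlisted host",
    RequestURL has_any (benign_markers), "benign path keyword",
    "")
// Drop excluded rows; comment out this line to review what the exclusions suppress.
| where isempty(ExclusionReason)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Urls = make_set(RequestURL, 10), Actions = make_set(DeviceAction, 5)
    by SourceIP, DestinationHostName
| order by LastSeen desc
```

A request that reaches a listed URLhaus IP is still an indicator match even when its path happens to contain a keyword such as `backup`, so review the suppressed rows before relying on the keyword exclusions.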