Hypothesis: the URLs below, tagged 32-bit in URLhaus, are download endpoints used by adversaries to deliver 32-bit malware payloads. Every listed URL is a bare IP address on a high, non-standard port serving `/bin.sh` or `/i`, a pattern consistent with malware download infrastructure rather than with a legitimate web service. Because the URLs contain no hostname, a victim fetching them performs no DNS lookup, so the hunt has to key on destination IP and port (and on the URL string where a proxy logs it), not on DNS alone. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to identify hosts that reached, or tried to reach, these download channels before the payload spreads further.
IOC Summary
Threat (URLhaus tag): 32-bit
Total URLs: 39
Active URLs: 36
The table below reproduces 25 of the 39 URLs (23 online, 2 offline); the IP list in the hunt queries covers the full set.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://175.174.123.246:45680/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://27.206.225.139:38203/i | online | malware_download | 2026-06-08 |
| hxxp://182.112.0.223:48251/i | online | malware_download | 2026-06-08 |
| hxxp://108.168.0.60:51495/i | online | malware_download | 2026-06-08 |
| hxxp://27.206.225.139:38203/bin.sh | offline | malware_download | 2026-06-08 |
| hxxp://115.63.39.65:34775/i | online | malware_download | 2026-06-08 |
| hxxp://108.168.0.60:51495/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://110.37.14.156:41157/i | online | malware_download | 2026-06-08 |
| hxxp://123.12.194.145:42924/i | online | malware_download | 2026-06-08 |
| hxxp://119.179.248.221:33001/i | online | malware_download | 2026-06-08 |
| hxxp://182.112.0.223:48251/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://115.63.39.65:34775/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://110.39.247.209:50912/i | online | malware_download | 2026-06-08 |
| hxxp://110.39.247.209:50912/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://219.156.114.173:54627/i | online | malware_download | 2026-06-08 |
| hxxp://119.179.248.221:33001/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://39.79.236.129:58909/i | online | malware_download | 2026-06-08 |
| hxxp://115.51.101.109:42924/i | online | malware_download | 2026-06-08 |
| hxxp://61.137.177.17:53633/i | online | malware_download | 2026-06-08 |
| hxxp://119.179.19.254:43790/i | online | malware_download | 2026-06-08 |
| hxxp://118.232.137.101:34841/i | online | malware_download | 2026-06-08 |
| hxxp://175.173.34.170:53374/i | offline | malware_download | 2026-06-08 |
| hxxp://118.232.137.101:34841/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://79.106.225.176:58892/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://42.231.90.162:60105/bin.sh | online | malware_download | 2026-06-08 |
The IOCs are IP addresses, not domains, so the original variable name `malicious_domains` and the match on the DNS query `Name` field were misleading: a host that fetches `hxxp://108.168.0.60:51495/bin.sh` never asks DNS for anything. The queries below match on the resolved-address side of DNS and, more importantly, on destination IP and port in the firewall/proxy logs.

```kusto
// Hunt for DNS names that resolve to the URLhaus 32-bit download hosts.
// Threat: 32-bit
// The IOC URLs use bare IPs, so a victim fetching them performs no lookup;
// this query only catches other names pointing at the same infrastructure.
let ioc_ips = dynamic(["123.11.13.26", "110.39.226.242", "79.106.225.176", "115.55.189.89", "110.37.14.156", "110.39.247.209", "27.206.225.139", "115.202.186.122", "119.179.248.221", "175.174.123.246", "42.231.90.162", "119.179.19.254", "182.112.0.223", "115.63.39.65", "118.232.137.101", "108.168.0.60", "123.12.194.145", "219.156.114.173", "115.51.101.109", "61.137.177.17", "39.79.236.129", "175.173.34.170"]);
DnsEvents
| where IPAddresses has_any (ioc_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/firewall traffic to the URLhaus 32-bit download hosts.
// Threat: 32-bit
// Match on destination IP (exact) and on the URL string; the port list is
// taken from the table rows shown above and is used to grade confidence.
let ioc_ips = dynamic(["123.11.13.26", "110.39.226.242", "79.106.225.176", "115.55.189.89", "110.37.14.156", "110.39.247.209", "27.206.225.139", "115.202.186.122", "119.179.248.221", "175.174.123.246", "42.231.90.162", "119.179.19.254", "182.112.0.223", "115.63.39.65", "118.232.137.101", "108.168.0.60", "123.12.194.145", "219.156.114.173", "115.51.101.109", "61.137.177.17", "39.79.236.129", "175.173.34.170"]);
let ioc_ports = dynamic([45680, 38203, 48251, 51495, 34775, 41157, 42924, 33001, 50912, 54627, 58909, 53633, 43790, 34841, 53374, 58892, 60105]);
CommonSecurityLog
| where DestinationIP in (ioc_ips)
    or DestinationHostName in (ioc_ips)
    or RequestURL has_any (ioc_ips)
| extend PortMatch = DestinationPort in (ioc_ports)
| extend PathMatch = RequestURL matches regex @"/(bin\.sh|i)$"
| extend Confidence = case(PortMatch and PathMatch, "high",
                           PortMatch, "medium",
                           "low")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, Confidence
| order by TimeGenerated desc
```

A low-confidence hit (IOC address on an unrelated port) still deserves a look, but an exact IP, port and path match should be escalated first; a `DeviceAction` of allowed on a high-confidence hit means the host should be isolated and imaged.
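The same hunt can be rehearsed offline before running it in Sentinel. The following script is an added example, not part of the original page or of URLhaus tooling: it parses a (constructed) excerpt of the IOC table above, refangs the URLs, emits the `let ... = dynamic([...])` line the Sentinel queries consume so the query list stays in sync with the table, and grades constructed proxy log lines into high, medium and low confidence hits the same way the query does. The log line format (`time src dst:port method url action`) is a hypothetical one chosen for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed excerpt of the IOC table on this page (defanged as published).
# Only five rows are reproduced here; the real feed is longer.
IOC_TABLE = """\
| hxxp://175.174.123.246:45680/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://27.206.225.139:38203/i | online | malware_download | 2026-06-08 |
| hxxp://27.206.225.139:38203/bin.sh | offline | malware_download | 2026-06-08 |
| hxxp://108.168.0.60:51495/i | online | malware_download | 2026-06-08 |
| hxxp://79.106.225.176:58892/bin.sh | online | malware_download | 2026-06-08 |
"""

# Constructed proxy log lines in a hypothetical format:
# time src dst:port method url action
SAMPLE_LOGS = """\
2026-06-09T01:02:03Z 10.0.0.15 108.168.0.60:51495 GET http://108.168.0.60:51495/i allowed
2026-06-09T01:02:09Z 10.0.0.15 108.168.0.60:51495 GET http://108.168.0.60:51495/bin.sh blocked
2026-06-09T01:05:00Z 10.0.0.22 79.106.225.176:443 GET https://79.106.225.176/ allowed
2026-06-09T01:07:00Z 10.0.0.31 93.184.216.34:80 GET http://example.com/ allowed
"""


def refang(url):
    """Reverse common defanging so the URL can be parsed and compared to real traffic."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def parse_ioc_table(text):
    """Return (ip, port, path, status) tuples for each markdown table row that holds a URL."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith(("hxxp", "http")):
            continue  # header, separator or malformed row
        u = urlsplit(refang(cells[0]))
        port = u.port or (443 if u.scheme == "https" else 80)
        iocs.append((u.hostname, port, u.path or "/", cells[1]))
    return iocs


def kql_ip_list(iocs, name="ioc_ips"):
    """Emit the `let` line the Sentinel queries consume, built from the table so both stay in sync."""
    ips = sorted({ip for ip, _, _, _ in iocs})
    return f"let {name} = dynamic({json.dumps(ips)});"


def hunt(log_text, iocs):
    """Match log lines against the IOCs in three tiers: exact URL, IP:port, IP only."""
    exact = {(ip, port, path) for ip, port, path, _ in iocs}
    endpoints = {(ip, port) for ip, port, _, _ in iocs}
    ips = {ip for ip, _, _, _ in iocs}
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, _method, url, action = line.split()
        dip, dport = dst.rsplit(":", 1)
        dport = int(dport)
        path = urlsplit(url).path or "/"
        if (dip, dport, path) in exact:
            confidence = "high"     # same host, port and payload path as the IOC
        elif (dip, dport) in endpoints:
            confidence = "medium"   # same listener, different path (sibling payload)
        elif dip in ips:
            confidence = "low"      # same address, other port: reuse or unrelated service
        else:
            continue
        hits.append({"time": ts, "src": src, "dst": f"{dip}:{dport}",
                     "url": url, "action": action, "confidence": confidence})
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print(kql_ip_list(iocs))
    for hit in hunt(SAMPLE_LOGS, iocs):
        print(hit)
```

Offline IOCs are kept in the match set on purpose: the table's status reflects the moment the feed was checked, and a host that fetched the payload while the URL was still up is exactly what a retrospective hunt is for.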
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector is enabled and that the firewall or proxy logs DestinationIP, DestinationPort and, for URL matches, RequestURL |
| DnsEvents | Ensure the DNS data connector is enabled; useful here only for names resolving to the IOC IPs, since the IOC URLs themselves need no lookup |
Every IOC in this hunt is a literal IP:port pair with a fixed path, so the domain-based exclusions below cannot match a hit from the queries above; they are a template for when the hunt is widened to domain-based 32-bit download IOCs. For the listed addresses, the realistic false-positive source is address reuse over time: treat a hit on an IOC address that is dated well after the Date Added, or that uses a port other than the one in the table, as lower confidence and confirm it with the requested path before escalating.

Scenario: Legitimate software update from a trusted vendor (e.g., Microsoft Windows Update) that includes 32-bit components.
Filter/Exclusion: Exclude URLs whose domain field contains windowsupdate.microsoft.com or update.microsoft.com.

Scenario: Scheduled system maintenance task (e.g., a Task Scheduler job) that downloads 32-bit diagnostic tools (e.g., Sysinternals tools) from a company-internal repository.
Filter/Exclusion: Exclude URLs whose domain field contains internal-repo.company.com or sysinternals.com.

Scenario: Admin performing a system cleanup with a 32-bit tool (e.g., CCleaner) fetched from a known enterprise software repository.
Filter/Exclusion: Exclude URLs whose domain field contains ccleaner.com or enterprise-software-repo.company.com.

Scenario: User accessing a 32-bit application support page (e.g., Adobe Flash Player support) from a company-internal portal.
Filter/Exclusion: Exclude URLs whose domain field contains support.adobe.com or internal-support.company.com.

Scenario: Automated backup process (e.g., Veeam Backup & Replication) that temporarily uses a 32-bit agent for compatibility with older systems.
Filter/Exclusion: Exclude URLs whose domain field contains veeam.com or backup-agent.company.com.