The detection identifies potential distribution of malware tagged "32-bit" by URLhaus via malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that rely on older 32-bit payloads to evade modern defenses.
IOC Summary
Threat: 32-bit
Total URLs: 59
Active URLs: 56
```kusto
// Hunt for DNS resolution involving URLhaus indicators
// Threat: 32-bit
// The indicators on this page are bare IP addresses rather than hostnames, so they are
// matched against the resolved addresses (IPAddresses) as well as the queried name.
let malicious_ips = dynamic(["60.182.239.45", "112.247.87.138", "219.156.98.59", "219.155.201.171", "115.57.193.57", "115.54.182.197", "175.146.231.239", "61.179.88.62", "92.63.185.32", "182.116.121.48", "222.137.38.204", "125.44.18.189", "164.163.25.157", "125.44.19.144", "222.137.85.31", "110.36.2.23", "175.167.254.184", "37.140.35.136", "115.63.80.68", "115.50.91.161", "115.48.237.18"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus indicators
// Threat: 32-bit
// The indicator URLs are IP:port based, so the destination IP is matched exactly
// in addition to the URL and hostname fields, and the destination port is kept for triage.
let malicious_ips = dynamic(["60.182.239.45", "112.247.87.138", "219.156.98.59", "219.155.201.171", "115.57.193.57", "115.54.182.197", "175.146.231.239", "61.179.88.62", "92.63.185.32", "182.116.121.48", "222.137.38.204", "125.44.18.189", "164.163.25.157", "125.44.19.144", "222.137.85.31", "110.36.2.23", "175.167.254.184", "37.140.35.136", "115.63.80.68", "115.50.91.161", "115.48.237.18"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Legitimate system update or patch deployment using a 32-bit URL | Exclude URLs containing update.microsoft.com or windowsupdate.microsoft.com | These URLs are commonly used for official Windows updates and are not malicious. |
| Scheduled backup job using a 32-bit utility or script | Exclude URLs containing backup or backup.exe in the query string | Backup processes often use 32-bit tools, and the URLs may match the malicious pattern. |
| Admin task involving 32-bit software installation or configuration | Exclude URLs containing setup.exe, install.exe, or config.exe | Software installation processes often use these file names, which may trigger the rule falsely. |
| Internal tool or service using a 32-bit API endpoint | Exclude URLs originating from internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | Internal services may use 32-bit endpoints that are not malicious. |
| User downloading a 32-bit plugin or add-on from a trusted source | Exclude URLs containing trusted-source.com or plugin in the path | Users may download 32-bit plugins from known, legitimate sources, which could be flagged incorrectly. |