The hypothesis is that the URLs below, tagged 32-bit by URLhaus, are used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. Every entry is an IP-literal host on a high, non-standard TCP port serving a short path (/i or /bin.sh), so the useful hunt key is the destination IP address (and port), not a domain name. SOC teams should proactively hunt for connections to these hosts in Microsoft Sentinel (formerly Azure Sentinel) to identify and cut off malware distribution channels before they cause widespread compromise.
IOC Summary
Threat: 32-bit. Total URLs: 54. Active URLs: 53. The table below is an excerpt of the feed; the host list used by the hunt queries also contains hosts that do not appear in the table.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.36.119.151:60178/i | online | malware_download | 2026-06-06 |
| hxxp://110.36.93.217:47482/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://119.179.252.125:51541/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://42.239.189.216:51329/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://61.163.150.85:41118/i | online | malware_download | 2026-06-06 |
| hxxp://179.49.213.85:37649/i | online | malware_download | 2026-06-06 |
| hxxp://42.232.233.216:51884/i | online | malware_download | 2026-06-06 |
| hxxp://110.38.211.139:40092/i | online | malware_download | 2026-06-06 |
| hxxp://182.119.250.171:57707/i | online | malware_download | 2026-06-06 |
| hxxp://182.119.250.171:57707/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://110.36.27.209:50507/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://219.155.200.114:37484/i | online | malware_download | 2026-06-06 |
| hxxp://182.112.103.57:39853/i | online | malware_download | 2026-06-06 |
| hxxp://179.49.213.85:37649/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://123.7.155.123:39097/i | online | malware_download | 2026-06-06 |
| hxxp://112.248.103.222:60360/i | online | malware_download | 2026-06-06 |
| hxxp://219.155.200.114:37484/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://115.49.126.117:48263/i | online | malware_download | 2026-06-06 |
| hxxp://182.112.103.57:39853/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://163.142.95.249:36350/i | online | malware_download | 2026-06-06 |
| hxxp://112.248.103.222:60360/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://110.136.102.112:40309/i | online | malware_download | 2026-06-06 |
| hxxp://115.218.59.71:7461/i | online | malware_download | 2026-06-06 |
| hxxp://110.136.102.112:40309/bin.sh | online | malware_download | 2026-06-06 |
| hxxp://115.218.59.71:7461/bin.sh | online | malware_download | 2026-06-06 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// Caveat: every indicator on this page is an IP literal, so fetching the
// payload generates no DNS lookup and this query will not see the download
// itself. It is kept for hostnames that may be added to the list later and
// to catch internal names that resolve to a listed IP (IPAddresses column).
let malicious_hosts = dynamic(["42.239.189.216", "182.112.103.57", "110.36.93.217", "110.38.211.139", "219.155.200.114", "110.36.27.209", "123.7.155.123", "179.49.213.85", "219.157.242.213", "112.248.103.222", "119.179.252.125", "115.218.59.71", "61.163.150.85", "115.49.126.117", "42.52.201.30", "182.119.250.171", "110.136.102.112", "42.232.233.216", "119.167.25.141", "110.37.44.158", "163.142.95.249", "110.36.119.151"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for network/web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is the primary key: the indicators are raw IPs on high,
// non-standard ports, so a firewall or proxy record matches on the address
// even when no URL was parsed. DestinationPort is projected so the analyst
// can compare it with the port in the URL list (e.g. 60178, 47482, 57707).
let malicious_hosts = dynamic(["42.239.189.216", "182.112.103.57", "110.36.93.217", "110.38.211.139", "219.155.200.114", "110.36.27.209", "123.7.155.123", "179.49.213.85", "219.157.242.213", "112.248.103.222", "119.179.252.125", "115.218.59.71", "61.163.150.85", "115.49.126.117", "42.52.201.30", "182.119.250.171", "110.136.102.112", "42.232.233.216", "119.167.25.141", "110.37.44.158", "163.142.95.249", "110.36.119.151"]);
CommonSecurityLog
| where DestinationIP in (malicious_hosts)
    or RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator manually tests a 32-bit application update from a local URL.
Filter/Exclusion: Exclude requests whose host is localhost, 127.0.0.1, or an internal name. None of the listed indicators fall in those ranges, so this exclusion cannot hide a true hit.
Scenario: A scheduled job runs a 32-bit legacy tool for system diagnostics and logs a URL pointing at a local file server.
Filter/Exclusion: Exclude destinations in internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or internal FQDNs (e.g., fileserver.internal.corp). The listed hosts are all public addresses, so the exclusion only matters if the list is later extended with hostnames.
Scenario: A user downloads a 32-bit build of a legitimate tool (e.g., 7-Zip) from a known internal repository.
Filter/Exclusion: Maintain an allowlist of internal repository hosts (e.g., repo.internal.corp) and other approved download sources, and exclude on the host rather than on path keywords.
Scenario: A DevOps pipeline pulls a 32-bit container image from a private registry whose URL is picked up by the hunt.
Filter/Exclusion: Exclude requests whose host is the internal registry (e.g., docker-registry.internal or registry.corp).
Scenario: A security tool (OSSEC, Tripwire, a vulnerability scanner or a sandbox) records or deliberately contacts one of the listed URLs during a scan, and the literal string lands in a log that the hunt reads.
Filter/Exclusion: Exclude by the tool's source host or by its DeviceVendor/DeviceProduct values in CommonSecurityLog, not by keywords such as scan, audit or check in the path; an attacker can put those words in a URL at no cost, so a path-keyword exclusion would be trivial to abuse.
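As an added, runnable illustration of the hunt queries above and of the exclusion rules in this section (example code written for this page, not URLhaus or Sentinel tooling): the script parses IOC rows in the page's table format, derives the host/port indicator set, emits the KQL `let` statement the queries use, and runs the same matching logic over constructed log records. The record field names are modelled on CommonSecurityLog (SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction); the IOC rows and log records are constructed samples, and `port_match` is a hypothetical confidence flag, not a Sentinel field.

```python
"""Offline model of the Sentinel hunt for the URLhaus '32-bit' indicators.

Added example, not part of the original page or of any Sentinel content.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the page's IOC table (defanged, hxxp://).
IOC_ROWS = """
hxxp://110.36.119.151:60178/i | online | malware_download | 2026-06-06
hxxp://110.36.93.217:47482/bin.sh | online | malware_download | 2026-06-06
hxxp://182.119.250.171:57707/i | online | malware_download | 2026-06-06
hxxp://182.119.250.171:57707/bin.sh | online | malware_download | 2026-06-06
""".strip().splitlines()

# Constructed log records modelled on CommonSecurityLog fields.
SAMPLE_LOG = [
    {"SourceIP": "192.168.10.23", "DestinationIP": "110.36.119.151",
     "DestinationPort": 60178, "RequestURL": "http://110.36.119.151:60178/i",
     "DeviceAction": "allow"},                       # listed host, listed port
    {"SourceIP": "192.168.10.40", "DestinationIP": "182.119.250.171",
     "DestinationPort": 22, "RequestURL": "", "DeviceAction": "deny"},  # listed host, other port
    {"SourceIP": "192.168.10.9", "DestinationIP": "10.20.30.40",
     "DestinationPort": 60178, "RequestURL": "http://10.20.30.40:60178/i",
     "DeviceAction": "allow"},                       # internal host on the same port: excluded
    {"SourceIP": "192.168.10.50", "DestinationIP": "93.184.216.34",
     "DestinationPort": 443, "RequestURL": "https://example.com/",
     "DeviceAction": "allow"},                       # benign
]


def refang(url):
    """Turn hxxp(s):// back into http(s):// so urlsplit can parse it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def parse_iocs(rows):
    """Parse 'url | status | threat | date' rows into indicator dicts."""
    iocs = []
    for row in rows:
        url, status, threat, added = [c.strip() for c in row.strip(" |").split("|")]
        parts = urlsplit(refang(url))
        iocs.append({"host": parts.hostname,
                     "port": parts.port or (443 if parts.scheme == "https" else 80),
                     "path": parts.path, "status": status,
                     "threat": threat, "added": added})
    return iocs


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_observable(ioc):
    """A DNS-resolution hunt only sees hostname indicators. Every URL on this
    page is an IP literal, so DnsEvents will not show the download itself."""
    return not is_ip_literal(ioc["host"])


def build_kql(iocs, name="malicious_hosts"):
    """Emit the KQL `let` statement used by the hunt queries (hosts de-duplicated)."""
    hosts = list(dict.fromkeys(i["host"] for i in iocs))
    return f"let {name} = dynamic([{', '.join(chr(34) + h + chr(34) for h in hosts)}]);"


def is_internal(ip):
    """Exclusion from the false-positive section: RFC 1918, loopback, link-local."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def hunt(records, iocs):
    """Match CommonSecurityLog-style records against the indicator set.

    A hit is recorded when DestinationIP is a listed host or the RequestURL's
    host is listed; internal destinations are excluded first. port_match is a
    hypothetical confidence flag: True when DestinationPort is also one of the
    ports seen in the URL list for that host.
    """
    by_host = {}
    for i in iocs:
        by_host.setdefault(i["host"], set()).add(i["port"])
    hits = []
    for rec in records:
        dst = rec.get("DestinationIP", "")
        if dst and is_internal(dst):
            continue
        url_host = urlsplit(rec["RequestURL"]).hostname if rec.get("RequestURL") else None
        host = dst if dst in by_host else (url_host if url_host in by_host else None)
        if host is None:
            continue
        hits.append({"SourceIP": rec.get("SourceIP"), "host": host,
                     "port_match": rec.get("DestinationPort") in by_host[host],
                     "DeviceAction": rec.get("DeviceAction")})
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    print(build_kql(iocs))
    print("DNS-observable indicators:", sum(dns_observable(i) for i in iocs))
    for hit in hunt(SAMPLE_LOG, iocs):
        print(hit)
```

Running it prints the `let` statement with the three distinct hosts, reports zero DNS-observable indicators (the reason the DNS query is secondary), and returns two hits: the full IP+port match and the connection to a listed host on an unrelated port, which an analyst would still want to see because the host itself is the indicator. The internal 10.x record on port 60178 is dropped by the exclusion even though its path matches, which is exactly the false positive the scenarios above describe.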