The hypothesis is that the detected URLs are malware download locations tagged "32-bit" on URLhaus. "32-bit" is a URLhaus tag, not a malware family: the entries below are bare IP addresses on high, non-standard ports serving the paths /i and /bin.sh, a pattern consistent with botnet loader infrastructure that drops a shell script which in turn fetches a 32-bit ELF payload onto compromised Linux and IoT devices. An outbound connection from a managed host to one of these IP:port pairs is a strong indicator of an infection in progress, so SOC teams should hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to find and contain affected systems before the payload spreads further.
IOC Summary
Threat tag: 32-bit
Total URLs: 52
Active URLs: 49

The table below shows 25 of the 52 feed entries, defanged (hxxp). The IP list used in the queries that follow also includes hosts from entries not shown in the table.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.127.162.22:58455/i | online | malware_download | 2026-06-19 |
| hxxp://125.42.119.58:46763/i | online | malware_download | 2026-06-19 |
| hxxp://110.39.237.16:53928/i | online | malware_download | 2026-06-19 |
| hxxp://45.172.218.181:42291/i | online | malware_download | 2026-06-19 |
| hxxp://115.48.39.6:53482/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://45.172.218.181:42291/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://125.42.119.58:46763/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://219.156.124.107:60900/i | online | malware_download | 2026-06-19 |
| hxxp://42.235.118.195:53352/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://175.146.155.175:48594/i | online | malware_download | 2026-06-19 |
| hxxp://110.36.86.83:42772/i | online | malware_download | 2026-06-19 |
| hxxp://113.231.218.245:39760/i | online | malware_download | 2026-06-19 |
| hxxp://110.37.40.215:37232/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://222.140.131.3:45936/i | online | malware_download | 2026-06-19 |
| hxxp://115.55.166.37:44761/i | online | malware_download | 2026-06-19 |
| hxxp://110.36.16.115:56728/i | online | malware_download | 2026-06-19 |
| hxxp://123.132.166.34:45754/i | online | malware_download | 2026-06-19 |
| hxxp://110.36.86.83:42772/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://42.231.181.254:58829/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://115.55.166.37:44761/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://123.132.166.34:45754/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://110.36.16.115:56728/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://14.44.18.204:48970/i | online | malware_download | 2026-06-19 |
| hxxp://175.146.84.105:41750/i | online | malware_download | 2026-06-19 |
| hxxp://120.57.125.178:52268/i | online | malware_download | 2026-06-19 |
// Hunt for DNS answers that resolve to URLhaus "32-bit" download hosts.
// Threat tag: 32-bit
// The feed entries are bare IP addresses, so an infected client normally connects
// without any DNS lookup. Match on the resolved answer (IPAddresses), not on the
// queried name: a bare IP never appears in Name, so this hunt only catches
// domains that happen to resolve to these addresses.
let malicious_ips = dynamic(["113.231.218.245", "42.235.118.195", "110.36.86.83", "14.44.18.204", "110.39.237.16", "110.39.237.185", "120.57.125.178", "115.48.39.6", "112.248.162.72", "42.231.181.254", "175.146.84.105", "115.53.8.59", "175.146.155.175", "222.140.131.3", "110.37.40.215", "182.127.162.22", "219.156.124.107", "45.172.218.181", "110.36.16.115", "123.132.166.34", "125.42.119.58", "115.55.166.37"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for outbound connections to the download hosts in CEF proxy/firewall logs.
// Run this as a separate query from the DNS hunt above (it rebinds malicious_ips).
// Match on DestinationIP as well as on the URL/host fields, because proxies that
// log only the connection tuple never populate RequestURL. These addresses are
// likely dynamically assigned and get reused, so keep DestinationPort in the
// output: a hit on one of the listed non-standard ports is far stronger than a
// hit on the IP alone.
let malicious_ips = dynamic(["113.231.218.245", "42.235.118.195", "110.36.86.83", "14.44.18.204", "110.39.237.16", "110.39.237.185", "120.57.125.178", "115.48.39.6", "112.248.162.72", "42.231.181.254", "175.146.84.105", "115.53.8.59", "175.146.155.175", "222.140.131.3", "110.37.40.215", "182.127.162.22", "219.156.124.107", "45.172.218.181", "110.36.16.115", "123.132.166.34", "125.42.119.58", "115.55.166.37"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF via AMA or Syslog) is enabled and that the proxy/firewall forwards DestinationIP and DestinationPort |
| DnsEvents | Ensure this data connector is enabled; it only helps here if clients reach these hosts through a domain name |
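The queries above hard-code the IP list by hand. The following added example (not part of the page or of URLhaus) shows the feed-to-hunt step a practitioner would automate: it parses the defanged table rows into ip/port/path indicators, deduplicates them, and emits both the `dynamic([...])` list used above and a KQL `datatable` keyed on ip and port that can be joined against CommonSecurityLog on DestinationIP and DestinationPort, plus a CSV in the shape Sentinel watchlists accept (header row, one indicator per row). The IOC lines are a subset copied from the table; the `urlhaus_32bit` and `malicious_ips` names are assumptions.

```python
"""Turn defanged URLhaus rows into Sentinel hunting artifacts.

Added example, not code from the page. IOC_LINES is a constructed subset of the
page's table; all other names are this example's own choices."""
import csv
import io
from urllib.parse import urlsplit

# Constructed sample: six rows copied from the IOC table above (defanged with hxxp).
IOC_LINES = """\
hxxp://182.127.162.22:58455/i | online | malware_download | 2026-06-19 |
hxxp://125.42.119.58:46763/i | online | malware_download | 2026-06-19 |
hxxp://125.42.119.58:46763/bin.sh | online | malware_download | 2026-06-19 |
hxxp://115.48.39.6:53482/bin.sh | online | malware_download | 2026-06-19 |
hxxp://45.172.218.181:42291/i | online | malware_download | 2026-06-19 |
hxxp://45.172.218.181:42291/bin.sh | online | malware_download | 2026-06-19 |
"""


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so urlsplit can parse the URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def parse_iocs(text: str) -> list:
    """Return one record per table row: ip, port, path, status, threat, date_added.

    Rows may or may not start with '|'; anything that is not a URL row is skipped."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip("| ").split("|")]
        if len(cells) < 4 or not cells[0].startswith("hxxp"):
            continue
        parts = urlsplit(refang(cells[0]))
        records.append({
            "url": cells[0],
            "ip": parts.hostname,
            # URLhaus entries without an explicit port use the scheme default.
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "path": parts.path,
            "status": cells[1],
            "threat": cells[2],
            "date_added": cells[3],
        })
    return records


def unique_hosts(records) -> list:
    """Deduplicate to (ip, port) pairs, preserving feed order."""
    seen = {}
    for r in records:
        seen.setdefault((r["ip"], r["port"]), r)
    return list(seen)


def to_kql_dynamic(ips) -> str:
    """The flat IP list form used by the hunting queries above."""
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


def to_kql_datatable(records) -> str:
    """A datatable keyed on ip and port, for a join on DestinationIP/DestinationPort.

    Port-aware matching matters because these addresses are reassigned over time."""
    rows = ",\n".join(
        f'    "{r["ip"]}", {r["port"]}, "{r["path"]}"' for r in records)
    return ("let urlhaus_32bit = datatable(ip:string, port:int, path:string) [\n"
            + rows + "\n];")


def to_watchlist_csv(records) -> str:
    """CSV with a header row, one indicator per row, for a Sentinel watchlist upload."""
    buf = io.StringIO()
    fields = ["ip", "port", "path", "status", "date_added"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for r in records:
        writer.writerow({k: r[k] for k in fields})
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_iocs(IOC_LINES)
    print(to_kql_dynamic(sorted({r["ip"] for r in recs})))
    print(to_kql_datatable(recs))
    print(to_watchlist_csv(recs))
```

Feed the script the full 52-row table (or the raw URLhaus export) and paste the generated `let` statement into the queries above; the datatable form additionally lets a `join kind=inner` on `DestinationIP == ip and DestinationPort == port` separate exact IP:port hits from lower-confidence IP-only hits.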
The rule matches specific IP:port indicators, so ordinary 32-bit software activity (installers, build tools, update checks) does not trigger it unless the traffic goes to one of the listed hosts. The realistic false positives are deliberate fetches by security staff and address reuse, and the exclusions below are expressed in terms of fields the logs actually carry (SourceIP, DestinationHostName, time window) rather than tags that do not exist in CommonSecurityLog or DnsEvents.

Scenario: An analyst or system administrator deliberately fetches one of the listed samples to validate the detection or to detonate it. No URL on URLhaus should be treated as safe; do this only from an isolated analysis host.
Filter/Exclusion: Exclude the analysis host by SourceIP (or Computer) and keep the fetch on record for audit rather than suppressing the indicator globally.

Scenario: A scheduled job runs a 32-bit compatibility check for legacy software and downloads a test file from a legitimate internal server.
Filter/Exclusion: Internal destinations cannot match the public IPs in this list, so this only produces a hit if the rule is widened to generic indicators such as the /i or /bin.sh paths; in that case exclude destinations in the enterprise's internal IP ranges.

Scenario: A developer uses a 32-bit build tool (e.g., Visual Studio 2019) that downloads dependencies from a trusted repository, and the download is flagged by the rule.
Filter/Exclusion: A hit here means the repository's address currently overlaps with a listed IP, which can happen because these addresses are reassigned. Verify that the destination really is the approved repository (hostname, TLS certificate) before excluding it by DestinationHostName; do not exclude on the IP, which would also hide a genuine infection.

Scenario: A security team runs a red team exercise and uses one of the listed 32-bit payloads as part of a controlled simulation.
Filter/Exclusion: Exclude the exercise's source hosts by SourceIP for the agreed time window only, and remove the exclusion when the exercise ends.

Scenario: A system runs a 32-bit version of a legitimate enterprise tool (e.g., a 32-bit SQL Server component) that fetches updates from a public CDN.
Filter/Exclusion: Legitimate CDN endpoints are not on this list; treat a match as a probable reassigned address, confirm the destination against the vendor's published update hosts, and exclude it by DestinationHostName through the enterprise-approved software update allowlist.
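To make the tuning above concrete, here is an added example (not part of the page) that runs the same match and exclusion logic over a handful of constructed CommonSecurityLog-style events: it grades each event as an exact IP:port hit or a weaker IP-only hit, then records which exclusion (analysis host, red team window, approved destination) would have suppressed it instead of silently dropping it. The IOC pairs are taken from the table above; every address, hostname and time window in the allowlists is a hypothetical value.

```python
"""Grade CEF events against the URLhaus 32-bit IOC set and apply the tuning exclusions.

Added example, not code from the page. IOCS comes from the page's table; EVENTS and
all allowlist values are constructed, hypothetical data."""
from datetime import datetime, timezone

# IOC set as (ip, port) pairs copied from the table above.
IOCS = {
    ("182.127.162.22", 58455),
    ("125.42.119.58", 46763),
    ("45.172.218.181", 42291),
    ("115.48.39.6", 53482),
}
IOC_IPS = {ip for ip, _ in IOCS}

# Constructed tuning inputs (hypothetical values for this example).
ANALYSIS_HOSTS = {"10.9.9.9"}                       # isolated validation/detonation host
APPROVED_DESTINATIONS = {"repo.example.internal"}   # verified enterprise repo/update hosts
REDTEAM_SOURCES = {"10.50.0.7"}                     # agreed red team jump host
REDTEAM_WINDOW = (datetime(2026, 6, 20, 9, tzinfo=timezone.utc),
                  datetime(2026, 6, 20, 17, tzinfo=timezone.utc))


def _ev(ts, src, dst, port, host="", url="", action="allow"):
    """Build one event in the shape of the CommonSecurityLog columns used above."""
    return {"TimeGenerated": ts, "SourceIP": src, "DestinationIP": dst,
            "DestinationPort": port, "DestinationHostName": host,
            "RequestURL": url, "DeviceAction": action}


# Constructed sample events; the comment on each says what the logic should decide.
EVENTS = [
    _ev("2026-06-20T10:15:00Z", "10.1.2.3", "182.127.162.22", 58455,
        url="http://182.127.162.22:58455/bin.sh"),                 # exact hit, keep
    _ev("2026-06-20T10:16:00Z", "10.1.2.3", "182.127.162.22", 443),  # IP only, lower confidence
    _ev("2026-06-20T11:00:00Z", "10.9.9.9", "125.42.119.58", 46763,
        url="http://125.42.119.58:46763/i"),                       # analysis host, excluded
    _ev("2026-06-20T12:00:00Z", "10.50.0.7", "45.172.218.181", 42291),  # red team in window
    _ev("2026-06-20T18:30:00Z", "10.50.0.7", "45.172.218.181", 42291),  # red team host, out of window
    _ev("2026-06-20T13:00:00Z", "10.1.2.4", "115.48.39.6", 53482,
        host="repo.example.internal"),                              # approved destination
    _ev("2026-06-20T13:05:00Z", "10.1.2.5", "8.8.8.8", 53),          # no match at all
]


def classify(event):
    """'exact' for an IP:port match, 'ip_only' for the IP on another port, else None."""
    pair = (event["DestinationIP"], event["DestinationPort"])
    if pair in IOCS:
        return "exact"
    if event["DestinationIP"] in IOC_IPS:
        return "ip_only"
    return None


def exclusion_reason(event):
    """Return the name of the tuning exclusion that applies, or None."""
    ts = datetime.fromisoformat(event["TimeGenerated"].replace("Z", "+00:00"))
    if event["SourceIP"] in ANALYSIS_HOSTS:
        return "analysis-host"
    if event["SourceIP"] in REDTEAM_SOURCES and REDTEAM_WINDOW[0] <= ts <= REDTEAM_WINDOW[1]:
        return "red-team-window"
    if event["DestinationHostName"] in APPROVED_DESTINATIONS:
        return "approved-destination"
    return None


def hunt(events):
    """Every matching event stays in the result; exclusions are annotated, not dropped,
    so a suppressed hit can still be audited later."""
    hits = []
    for e in events:
        match = classify(e)
        if match is None:
            continue
        hits.append({"time": e["TimeGenerated"], "src": e["SourceIP"],
                     "dst": f'{e["DestinationIP"]}:{e["DestinationPort"]}',
                     "match": match, "excluded": exclusion_reason(e)})
    return hits


def active_hits(events):
    """Hits that survive the exclusions, exact matches first."""
    live = [h for h in hunt(events) if h["excluded"] is None]
    return sorted(live, key=lambda h: h["match"] != "exact")


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(h)
```

Translated back to KQL, `classify` is the join on ip and port against the datatable, and `exclusion_reason` is a `where not(...)` clause per scenario; keeping the excluded rows with a reason column (an `extend`) rather than filtering them out is what lets the SOC later prove that a red team or analysis fetch, and not a real infection, was behind a suppressed hit.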