The detection identifies potential 32-bit malware distribution through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could evade traditional detection methods.
IOC Summary
Threat: 32-bit Total URLs: 10 Active URLs: 10
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://182.114.32.14:42248/i | online | malware_download | 2026-06-15 |
hxxp://182.114.32.14:42248/bin.sh | online | malware_download | 2026-06-15 |
hxxp://42.233.188.3:41338/i | online | malware_download | 2026-06-15 |
hxxp://123.14.220.217:50611/i | online | malware_download | 2026-06-15 |
hxxp://42.231.251.153:36633/i | online | malware_download | 2026-06-15 |
hxxp://27.215.54.70:44046/i | online | malware_download | 2026-06-15 |
hxxp://123.14.220.217:50611/bin.sh | online | malware_download | 2026-06-15 |
hxxp://110.37.39.146:52797/i | online | malware_download | 2026-06-15 |
hxxp://60.23.236.87:49422/i | online | malware_download | 2026-06-15 |
hxxp://42.85.24.247:60468/i | online | malware_download | 2026-06-15 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["27.215.54.70", "42.231.251.153", "182.114.32.14", "42.85.24.247", "42.233.188.3", "123.14.220.217", "60.23.236.87", "110.37.39.146"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["27.215.54.70", "42.231.251.153", "182.114.32.14", "42.85.24.247", "42.233.188.3", "123.14.220.217", "60.23.236.87", "110.37.39.146"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a 32-bit application update from a known internal repository.
Filter/Exclusion: Exclude URLs that match internal repository domains (e.g., internal-repo.example.com) or URLs containing specific internal paths (e.g., /updates/32bit/).
Scenario: A scheduled job runs to download 32-bit drivers or software patches from a trusted vendor.
Filter/Exclusion: Exclude URLs that match known vendor domains (e.g., drivers.vendor.com) or URLs containing specific patch version strings (e.g., patch_v2.1.3_32bit).
Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) to build a legacy application.
Filter/Exclusion: Exclude URLs that match CI/CD tool domains (e.g., jenkins.example.org) or URLs containing specific build job names (e.g., build-legacy-app-32bit).
Scenario: An IT helpdesk technician is accessing a 32-bit support tool hosted on an internal portal.
Filter/Exclusion: Exclude URLs that match internal portal domains (e.g., support.example.com) or URLs containing specific support tool names (e.g., support-tool-32bit.exe).
Scenario: A backup process is transferring 32-bit system files from a server to a backup storage location.
Filter/Exclusion: Exclude URLs that match backup server domains (e.g., backup.example.net) or URLs containing specific backup job names (e.g., backup-32bit-system-files).