This detection identifies potential malware distribution through URLs that URLhaus tags as 32-bit, which adversaries use to deliver payloads to compromised systems. SOC teams should proactively hunt for this activity in Azure Sentinel (Microsoft Sentinel) to identify and mitigate early-stage infections that rely on 32-bit payloads.
IOC Summary
Threat: 32-bit | Total URLs: 27 | Active URLs: 25
```kql
// Hunt for DNS resolution involving the URLhaus-listed indicators
// Threat: 32-bit
// The indicators are IP literals rather than domain names, so a DNS query
// name will seldom contain them; match on the resolved addresses as well
// so that hosts that already received an answer pointing at them are caught.
let malicious_ips = dynamic(["115.56.113.6", "42.230.39.197", "42.177.237.25", "113.239.82.29", "115.59.32.113", "42.232.227.235", "115.48.144.222", "219.157.215.135", "119.179.10.230", "46.236.65.43", "182.121.12.47", "115.63.54.169", "182.127.54.130", "183.214.149.164", "42.227.178.149", "61.174.125.186", "42.58.3.220", "125.41.93.102", "222.141.134.229"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web/proxy/firewall traffic to the URLhaus-listed indicators
// Threat: 32-bit
// Run this as a separate query from the DNS hunt: the two share a `let` name
// and would not parse as a single Kusto script without a separator.
let malicious_ips = dynamic(["115.56.113.6", "42.230.39.197", "42.177.237.25", "113.239.82.29", "115.59.32.113", "42.232.227.235", "115.48.144.222", "219.157.215.135", "119.179.10.230", "46.236.65.43", "182.121.12.47", "115.63.54.169", "182.127.54.130", "183.214.149.164", "42.227.178.149", "61.174.125.186", "42.58.3.220", "125.41.93.102", "222.141.134.229"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)   // many CEF sources log only the IP, not a URL
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application using a known safe URL from URLhaus for validation purposes.
  Filter/Exclusion: Exclude URLs that match the URLhaus tag and are associated with known safe testing environments or internal validation tools such as systest.exe or appvalidator.exe.
- Scenario: A scheduled job runs a 32-bit script for system diagnostics that includes a legitimate URL to a public API endpoint for logging purposes.
  Filter/Exclusion: Exclude URLs that belong to scheduled jobs or scripts run via Task Scheduler or cron and are known to be used by internal tools such as sysdiag.exe or loggregator.exe.
- Scenario: An IT support team uses a 32-bit remote desktop tool that connects to a legitimate internal URL for remote access.
  Filter/Exclusion: Exclude URLs used by remote access tools such as mstsc.exe or rdpclient.exe that are known to connect to internal infrastructure.
- Scenario: A developer uses a 32-bit build tool that fetches dependencies from a public repository, and one of those URLs is flagged by URLhaus.
  Filter/Exclusion: Exclude URLs that are part of dependency resolution for build tools such as msbuild.exe or nant.exe and are associated with known safe repositories.
- Scenario: A network administrator configures a 32-bit firewall rule that includes a URL for policy enforcement, and the detection rule mistakenly flags it.
  Filter/Exclusion: Exclude URLs used by firewall configuration tools such as firewallcfg.exe or netsh.exe for policy enforcement.