The hypothesis is that the detected URLs are used by adversaries to deliver 32-bit malware payloads that may evade modern endpoint protections. SOC teams should proactively hunt for DNS resolutions of, and web traffic to, these hosts in Azure Sentinel so that potential infections are identified and contained before they spread.
IOC Summary
Threat: 32-bit. Total URLs: 41. Active URLs: 37.
```kql
// Hunt for DNS resolution of URLhaus-listed malicious hosts
// Threat: 32-bit
// The indicators are IP addresses, so match them against the resolved
// addresses (IPAddresses) as well as the queried name.
let malicious_hosts = dynamic(["115.55.54.143", "115.55.240.120", "182.123.208.147", "123.4.235.127", "115.55.63.180", "115.63.242.171", "182.117.71.114", "110.36.26.164", "222.142.205.182", "110.39.235.153", "42.235.87.54", "94.230.141.123", "125.47.59.147", "125.47.218.246", "123.14.38.146", "113.237.160.222", "42.57.247.137", "110.37.119.220", "196.188.141.17", "123.7.226.233", "110.37.111.110"]);
DnsEvents
| where IPAddresses has_any (malicious_hosts) or Name has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus-listed malicious hosts
// Threat: 32-bit
// The IOC URLs use literal IP addresses, so also check DestinationIP,
// which proxies and firewalls populate even when no hostname is logged.
let malicious_hosts = dynamic(["115.55.54.143", "115.55.240.120", "182.123.208.147", "123.4.235.127", "115.55.63.180", "115.63.242.171", "182.117.71.114", "110.36.26.164", "222.142.205.182", "110.39.235.153", "42.235.87.54", "94.230.141.123", "125.47.59.147", "125.47.218.246", "123.14.38.146", "113.237.160.222", "42.57.247.137", "110.37.119.220", "196.188.141.17", "123.7.226.233", "110.37.111.110"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Tuning

| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system update via Windows Server Update Services (WSUS) | Exclude URLs containing wsus or update.microsoft.com in the URL field. |
| Internal tool for downloading 32-bit software from a company-licensed repository (e.g., internal-software-repo) | Exclude URLs containing internal-software-repo or company-licensed in the URL field. |
| Automated backup job using Veeam or Acronis that connects to a secure internal URL | Exclude URLs containing veeam, acronis, or backup in the URL field. |
| Admin task to download 32-bit drivers from a trusted internal server (e.g., drivers.corp.example.com) | Exclude URLs containing drivers.corp.example.com or trusted-internal-server in the URL field. |
| Regularly scheduled log collection from a 32-bit application using a secure internal endpoint (e.g., log-collector.corp.example.com) | Exclude URLs containing log-collector.corp.example.com or log-collection in the URL field. |

Scope each exclusion to the specific trusted host rather than a generic substring such as backup or log-collection, so that a hit on the IOC list is never suppressed by an overly broad filter.