The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, leveraging outdated systems to evade modern detection mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of legacy systems and prevent lateral movement within the network.
IOC Summary

Threat: 32-bit. Total URLs: 57. Active URLs: 50.
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// Note: every indicator in this list is a bare IP address. A client that fetches one of
// these URLs directly never issues a DNS query for it, so this query only fires when an
// indicator shows up in a resolved answer (IPAddresses). Treat the CommonSecurityLog
// query below as the primary hunt.
let malicious_domains = dynamic(["119.118.246.131", "182.124.123.201", "60.16.171.122", "115.56.157.252", "42.229.186.82", "42.55.7.171", "119.165.18.179", "213.67.45.148", "27.215.122.160", "115.62.146.104", "115.57.229.52", "115.57.31.87", "46.146.176.251", "182.127.109.51", "42.227.7.82", "219.155.205.104", "203.177.237.148", "42.231.189.154", "61.54.42.70", "39.89.93.195", "182.126.89.18", "221.202.145.139", "110.37.87.181", "116.138.191.237"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
let malicious_domains = dynamic(["119.118.246.131", "182.124.123.201", "60.16.171.122", "115.56.157.252", "42.229.186.82", "42.55.7.171", "119.165.18.179", "213.67.45.148", "27.215.122.160", "115.62.146.104", "115.57.229.52", "115.57.31.87", "46.146.176.251", "182.127.109.51", "42.227.7.82", "219.155.205.104", "203.177.237.148", "42.231.189.154", "61.54.42.70", "39.89.93.195", "182.126.89.18", "221.202.145.139", "110.37.87.181", "116.138.191.237"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    // The indicators are IP literals, so also match the destination IP column:
    // a proxy or firewall may log the IP without any hostname or URL.
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a 32-bit application update using a known safe URL from URLhaus.
  Filter/Exclusion: Exclude URLs that match the `urlhaus` tag and are associated with known safe 32-bit software updates.
- Scenario: A scheduled job runs a script to fetch and process 32-bit malware samples from a trusted internal repository.
  Filter/Exclusion: Exclude URLs that originate from internal IP ranges or are tagged `internal` or `trusted`.
- Scenario: A user is accessing a legitimate 32-bit web service (e.g., a legacy CRM system) that is hosted on a public cloud provider.
  Filter/Exclusion: Exclude URLs that match known internal services or are associated with cloud providers such as AWS, Azure, or GCP.
- Scenario: A security tool such as OSSEC or Tripwire performs a system integrity check and generates a report whose audit logs include a 32-bit URL.
  Filter/Exclusion: Exclude URLs that are part of system logs or are tagged `audit` or `integrity_check`.
- Scenario: A developer uses Git or a CI/CD pipeline (e.g., Jenkins, GitHub Actions) to deploy a 32-bit application, and the deployment script includes a 32-bit URL for artifact download.
  Filter/Exclusion: Exclude URLs that are associated with CI/CD tools or are tagged `ci_cd` or `deployment`.
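The matching logic of the CommonSecurityLog hunt above, together with the internal-range exclusion from the false-positive list, as an added Python example that is not part of the original hunt pack: it refangs URLhaus-style `hxxp://` indicators into the host list the KQL `dynamic([...])` array is built from, then runs that list over constructed key=value proxy log lines. The two indicator URLs are taken from this hunt's IOC list; the log lines, the `request=`/`dst=`/`act=` field names and the use of RFC 1918 space as "internal" are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Two indicators copied from this hunt's IOC list, defanged as URLhaus publishes them.
IOC_URLS = [
    "hxxp://61.54.42.70:49048/bin.sh",
    "hxxp://116.138.191.237:33083/i",
]

# Assumption: RFC 1918 space stands in for the organisation's internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into one urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)

def ioc_hosts(urls):
    """Hosts to hunt for; this is what the KQL malicious_domains array holds."""
    return {urlsplit(refang(u)).hostname for u in urls}

def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS (the exclusion above)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

# Constructed proxy log lines in a CommonSecurityLog-like key=value layout.
SAMPLE_LOG = [
    "src=10.20.30.40 dst=61.54.42.70 dpt=49048 request=http://61.54.42.70:49048/bin.sh act=allowed",
    "src=10.20.30.41 dst=142.250.72.14 dpt=443 request=https://www.example.com/ act=allowed",
    "src=172.16.5.9 dst=116.138.191.237 dpt=33083 request=http://116.138.191.237:33083/i act=blocked",
    "src=10.0.0.5 dst=10.0.0.9 dpt=8080 request=http://10.0.0.9:8080/i act=allowed",
]

def hunt(log_lines, hosts):
    """Return (src, dst, action) for lines whose destination IP or URL host is an
    indicator; internal destinations are skipped, mirroring the exclusion filter."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        url_host = urlsplit(fields.get("request", "")).hostname
        dst = fields.get("dst", "")
        if is_internal(dst):
            continue  # internal repository / staging traffic, per the FP scenarios
        if dst in hosts or url_host in hosts:
            hits.append((fields["src"], dst, fields["act"]))
    return hits
```

A blocked hit still matters: the source host attempted the download, so it should be triaged even though the proxy stopped it.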