This hunt looks for hosts that contacted the URLhaus URLs listed below, all of which carry the URLhaus threat tag "32-bit" and the classification malware_download. The tag describes the architecture of the payload being served, not an evasion technique: every entry is a plain http URL on a bare IP address with a high, non-standard port, serving a short path such as /i or /bin.sh, which is the shape of a stager that pulls a binary onto a host that is already compromised. SOC teams can run the Microsoft Sentinel (formerly Azure Sentinel) queries below against DNS and proxy/firewall telemetry to find these early-stage infections.
IOC Summary
Threat: 32-bit | Total URLs: 26 | Active URLs: 26 (25 rows are listed below; the hunting queries also carry 108.170.136.155, which has no row in the table)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://123.132.146.90:53177/i | online | malware_download | 2026-04-18 |
| hxxp://42.229.216.18:52636/i | online | malware_download | 2026-04-18 |
| hxxp://42.229.216.18:52636/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://61.53.80.189:43465/i | online | malware_download | 2026-04-18 |
| hxxp://125.40.9.222:57297/i | online | malware_download | 2026-04-18 |
| hxxp://182.119.253.241:49522/i | online | malware_download | 2026-04-18 |
| hxxp://182.119.253.241:49522/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://27.207.161.220:54617/i | online | malware_download | 2026-04-18 |
| hxxp://125.46.221.62:40576/i | online | malware_download | 2026-04-18 |
| hxxp://27.207.161.220:54617/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://123.8.42.99:41179/i | online | malware_download | 2026-04-18 |
| hxxp://39.89.164.173:37039/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://61.53.149.92:54741/i | online | malware_download | 2026-04-18 |
| hxxp://110.37.53.236:32928/i | online | malware_download | 2026-04-18 |
| hxxp://182.116.91.238:47673/i | online | malware_download | 2026-04-18 |
| hxxp://36.71.31.7:48002/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://182.116.91.238:47673/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://60.18.51.153:37929/i | online | malware_download | 2026-04-18 |
| hxxp://123.8.42.99:41179/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://110.37.53.236:32928/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://39.67.103.35:46835/i | online | malware_download | 2026-04-18 |
| hxxp://188.129.211.113:35924/i | online | malware_download | 2026-04-18 |
| hxxp://42.224.97.209:59894/i | online | malware_download | 2026-04-18 |
| hxxp://222.142.195.25:46636/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://39.67.103.35:46835/bin.sh | online | malware_download | 2026-04-18 |
```kql
// Hunt for DNS answers that resolve to the URLhaus IOC addresses
// Threat: 32-bit (URLhaus tag)
// The IOCs are bare IP:port URLs, so there is no domain for a client to look up;
// only a name that resolves to one of these IPs will hit, hence the match is on
// the resolved IPAddresses column, not on the queried Name.
// 108.170.136.155 is in the original list but has no row in the table above.
let malicious_ips = dynamic(["42.224.97.209", "110.37.53.236", "125.46.221.62", "182.119.253.241", "39.67.103.35", "108.170.136.155", "61.53.149.92", "60.18.51.153", "27.207.161.220", "36.71.31.7", "125.40.9.222", "123.132.146.90", "123.8.42.99", "61.53.80.189", "222.142.195.25", "182.116.91.238", "188.129.211.113", "39.89.164.173", "42.229.216.18"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for proxy/firewall traffic to the URLhaus IOC addresses
// Match on the DestinationIP column (firewalls that log no URL), and on the
// URL or host name for proxies that do. The port and path from the table are
// projected so an analyst can tell a full IOC hit from a bare IP-only hit.
let malicious_ips = dynamic(["42.224.97.209", "110.37.53.236", "125.46.221.62", "182.119.253.241", "39.67.103.35", "108.170.136.155", "61.53.149.92", "60.18.51.153", "27.207.161.220", "36.71.31.7", "125.40.9.222", "123.132.146.90", "123.8.42.99", "61.53.80.189", "222.142.195.25", "182.116.91.238", "188.129.211.113", "39.89.164.173", "42.229.216.18"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| extend UrlPath = tostring(parse_url(RequestURL).Path)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, UrlPath, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Proxy/firewall CEF events. Ensure the data connector is enabled and that your device populates DestinationIP, DestinationPort and RequestURL |
| DnsEvents | Ensure the DNS data connector is enabled. Because the IOCs are bare IP addresses, only hosts that resolve some name to one of them will appear here |
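The matching the CommonSecurityLog query performs, reproduced in Python over constructed proxy events so it can be checked offline. This is an added example, not URLhaus or Microsoft Sentinel code: the event dicts use CommonSecurityLog column names, the events themselves are constructed, and the three tiers (url, ip_port, ip_only) are this example's own naming. It also regenerates the KQL `let` list from the table rows, which is how to keep the query list in sync with the IOC table.

```python
"""Added example (not URLhaus or Sentinel code): build IP:port/path indicators
from the IOC table on this page, regenerate the KQL `let` list, and run the
same match the CommonSecurityLog query performs over constructed events."""
import ipaddress
import re
from urllib.parse import urlsplit

# The 25 rows listed in the IOC table above, still defanged (hxxp://).
IOC_ROWS = """\
hxxp://123.132.146.90:53177/i
hxxp://42.229.216.18:52636/i
hxxp://42.229.216.18:52636/bin.sh
hxxp://61.53.80.189:43465/i
hxxp://125.40.9.222:57297/i
hxxp://182.119.253.241:49522/i
hxxp://182.119.253.241:49522/bin.sh
hxxp://27.207.161.220:54617/i
hxxp://125.46.221.62:40576/i
hxxp://27.207.161.220:54617/bin.sh
hxxp://123.8.42.99:41179/i
hxxp://39.89.164.173:37039/bin.sh
hxxp://61.53.149.92:54741/i
hxxp://110.37.53.236:32928/i
hxxp://182.116.91.238:47673/i
hxxp://36.71.31.7:48002/bin.sh
hxxp://182.116.91.238:47673/bin.sh
hxxp://60.18.51.153:37929/i
hxxp://123.8.42.99:41179/bin.sh
hxxp://110.37.53.236:32928/bin.sh
hxxp://39.67.103.35:46835/i
hxxp://188.129.211.113:35924/i
hxxp://42.224.97.209:59894/i
hxxp://222.142.195.25:46636/bin.sh
hxxp://39.67.103.35:46835/bin.sh
"""

def refang(url):
    """Turn a defanged URLhaus entry back into a URL that urlsplit can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)

def parse_iocs(rows):
    """Unique (ip, port, path) triples; port and path are what make a bare-IP IOC specific."""
    iocs = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        u = urlsplit(refang(line))
        triple = (u.hostname, u.port or 80, u.path or "/")
        if triple not in iocs:
            iocs.append(triple)
    return iocs

def kql_let(iocs, name="malicious_ips"):
    """Emit the `let` list the Sentinel queries use, generated from the table rows."""
    ips = sorted({ip for ip, _, _ in iocs}, key=ipaddress.ip_address)
    return f"let {name} = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"

def classify(event, iocs):
    """Mirror the CommonSecurityLog query, strongest evidence first:
    'url' = full IOC URL seen, 'ip_port' = destination IP and listed port,
    'ip_only' = destination IP on some other port (lower confidence), else None."""
    dst, port = event.get("DestinationIP"), event.get("DestinationPort")
    url = event.get("RequestURL") or ""
    u = urlsplit(url) if url.startswith("http") else None
    if u and any(u.hostname == ip and (u.port or 80) == p and u.path == path
                 for ip, p, path in iocs):
        return "url"
    if any(dst == ip and port == p for ip, p, _ in iocs):
        return "ip_port"
    if any(dst == ip for ip, _, _ in iocs):
        return "ip_only"
    return None

def hunt(events, iocs):
    hits = []
    for e in events:
        tier = classify(e, iocs)
        if tier:
            hits.append((e["SourceIP"], tier))
    return hits

# Constructed proxy/firewall events, not real telemetry. The last one is a
# python.org download: it cannot match, because the rule keys on IOC addresses.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "42.229.216.18", "DestinationPort": 52636,
     "RequestURL": "http://42.229.216.18:52636/bin.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.6", "DestinationIP": "123.8.42.99", "DestinationPort": 41179,
     "RequestURL": "", "DeviceAction": "deny"},
    {"SourceIP": "10.0.0.7", "DestinationIP": "39.67.103.35", "DestinationPort": 443,
     "RequestURL": "https://39.67.103.35/", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.8", "DestinationIP": "151.101.0.223", "DestinationPort": 443,
     "RequestURL": "https://www.python.org/downloads/", "DeviceAction": "allow"},
]

IOCS = parse_iocs(IOC_ROWS)

if __name__ == "__main__":
    print(kql_let(IOCS))
    for src, tier in hunt(SAMPLE_EVENTS, IOCS):
        print(f"{src}\t{tier}")
```

Running it prints a `let` line with the 18 addresses that actually appear in the table (108.170.136.155 is absent, which is how the discrepancy in the original query list surfaces) and flags three of the four events: the full-URL hit, the firewall deny with no URL but the exact IP and port, and the weaker IP-only contact on port 443.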
Scenario: Security tooling fetching an IOC on purpose (sandbox detonation, URL scanner, threat-intel enrichment)
Filter/Exclusion: Exclude by the source IP or host name of the sandbox or scanner, never by a URL keyword
Rationale: Analyst tooling legitimately contacts these addresses, and it does so from a small, known set of sources that can be listed explicitly.
Scenario: Address reuse after the IOC was recorded
Filter/Exclusion: Compare the event time with the Date Added and with the current URLhaus Status; treat a hit on the destination IP alone, without the listed port or path, as lower confidence than a hit on the full IP:port/path
Rationale: These are IP-based IOCs on non-standard ports, and a bare IP can later belong to a different tenant; the port and path from the table are the discriminating part of the indicator.
Keyword exclusions that are sometimes proposed for this kind of rule (Windows Update or SCCM hosts, python.org, git-scm.com or visualstudio.com, or any URL containing internal, dev, local, backup, restore or agent) do not apply here: the queries match only the addresses in the table, and none of those services are served from them. Path-keyword exclusions would also be trivially bypassable, since the attacker chooses the path.