The detection identifies potential 32-bit malware distribution through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that leverage outdated 32-bit exploits to evade modern defenses.
IOC Summary
Threat: 32-bit
Total URLs: 47
Active URLs: 47
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://114.227.183.124:56316/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://175.43.154.49:51489/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://219.157.63.81:45807/i | online | malware_download | 2026-04-25 |
| hxxp://115.49.4.7:43447/i | online | malware_download | 2026-04-25 |
| hxxp://123.5.115.191:52881/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.227.55.10:48752/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.85.187.102:55571/i | online | malware_download | 2026-04-25 |
| hxxp://61.52.46.144:60399/i | online | malware_download | 2026-04-25 |
| hxxp://121.21.104.230:48945/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://120.28.200.193:39279/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://182.121.12.231:54760/i | online | malware_download | 2026-04-25 |
| hxxp://42.227.35.6:56743/i | online | malware_download | 2026-04-25 |
| hxxp://61.52.46.144:60399/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://115.49.4.7:43447/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://219.157.63.81:45807/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.227.35.6:56743/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.6.80.228:58866/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://125.44.25.197:47652/i | online | malware_download | 2026-04-25 |
| hxxp://42.56.147.59:56819/i | online | malware_download | 2026-04-25 |
| hxxp://61.52.105.63:46173/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://125.41.171.186:55820/i | online | malware_download | 2026-04-25 |
| hxxp://110.36.65.9:41070/i | online | malware_download | 2026-04-25 |
| hxxp://123.11.68.158:60898/i | online | malware_download | 2026-04-25 |
| hxxp://140.237.36.79:60398/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://125.44.25.197:47652/bin.sh | online | malware_download | 2026-04-25 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// The indicators in this list are IP literals. DnsEvents.Name holds the queried
// name, so the resolved addresses in IPAddresses are matched as well; otherwise
// the query would only fire on lookups whose name contains the IP string.
let malicious_domains = dynamic(["123.11.68.158", "125.41.171.186", "110.36.65.9", "42.227.55.10", "42.228.102.64", "120.28.200.193", "42.6.80.228", "121.21.104.230", "42.85.187.102", "182.121.12.231", "140.237.36.79", "114.227.183.124", "125.44.25.197", "180.245.43.20", "115.49.4.7", "61.52.105.63", "123.5.115.191", "219.157.63.81", "27.207.189.110", "175.43.154.49", "61.52.46.144", "42.227.35.6", "42.56.147.59", "115.51.254.196"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["123.11.68.158", "125.41.171.186", "110.36.65.9", "42.227.55.10", "42.228.102.64", "120.28.200.193", "42.6.80.228", "121.21.104.230", "42.85.187.102", "182.121.12.231", "140.237.36.79", "114.227.183.124", "125.44.25.197", "180.245.43.20", "115.49.4.7", "61.52.105.63", "123.5.115.191", "219.157.63.81", "27.207.189.110", "175.43.154.49", "61.52.46.144", "42.227.35.6", "42.56.147.59", "115.51.254.196"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a 32-bit application update via a local HTTP server for compatibility checks.
  Filter/Exclusion: Exclude URLs whose host falls in internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or matches internal testing domains (e.g., internal.test.example.com).
- Scenario: A scheduled job runs a script to download and install a 32-bit legacy software package from a known internal repository.
  Filter/Exclusion: Exclude URLs that match internal repository paths (e.g., https://repo.example.com/legacy-software/) or have a file extension indicating a 32-bit executable (e.g., .exe, .dll).
- Scenario: A user is accessing a legitimate 32-bit web application hosted on a public cloud platform (e.g., AWS EC2, Azure VM) for business operations.
  Filter/Exclusion: Exclude URLs that match known public cloud infrastructure domains (e.g., *.ec2.amazonaws.com, *.azurewebsites.net) or whose domain is registered by the organization.
- Scenario: A security tool (e.g., CrowdStrike, SentinelOne) is performing a scheduled scan and generates a 32-bit executable for analysis in a sandbox environment.
  Filter/Exclusion: Exclude URLs that include sandbox-specific subdomains (e.g., sandbox.example.com) or match known sandboxing tool domains.
- Scenario: An IT team is deploying a 32-bit version of a legitimate enterprise tool (e.g., Microsoft Office 2010, Adobe Reader) via a company-wide deployment script.
  Filter/Exclusion: Exclude URLs that match the company’s internal software distribution server (
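The two steps this page describes, turning the defanged URLhaus rows into the host list carried by the KQL `let` statement and then applying the false-positive exclusions above, are shown end to end in the following Python script. It is an added example, not code from the page or from URLhaus or Microsoft Sentinel. It assumes a four-row subset of the IOC table in the same defanged `hxxp://` format, a handful of constructed proxy records shaped like the `CommonSecurityLog` columns the hunt projects, and the placeholder internal domains the tuning section itself uses (`internal.test.example.com`, `repo.example.com`, `sandbox.example.com`); the function names are the example's own.

```python
"""Derive a Sentinel watchlist from defanged URLhaus rows and apply the
false-positive exclusions from the tuning section (example code)."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample: four rows in the defanged format the IOC table uses
# (hxxp:// instead of http://), not the full list of 47 URLs.
IOC_ROWS = """\
hxxp://114.227.183.124:56316/bin.sh | online | malware_download | 2026-04-25
hxxp://219.157.63.81:45807/i | online | malware_download | 2026-04-25
hxxp://61.52.46.144:60399/i | online | malware_download | 2026-04-25
hxxp://61.52.46.144:60399/bin.sh | online | malware_download | 2026-04-25
"""

# Exclusions named in the tuning section: the three RFC1918 ranges plus the
# page's example internal test, repository and sandbox domains (placeholders).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAINS = ("internal.test.example.com", "repo.example.com",
                    "sandbox.example.com")


def refang(url):
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL parses."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url)


def parse_ioc_rows(text):
    """Parse 'url | status | threat | date' rows into dicts carrying host and port."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, status, threat, date = [p.strip() for p in line.strip("| ").split("|")]
        url = refang(url)
        parts = urlsplit(url)
        rows.append({"url": url, "host": parts.hostname, "port": parts.port,
                     "status": status, "threat": threat, "date": date})
    return rows


def watchlist_hosts(rows):
    """Unique hosts in first-seen order; this is the list the KQL 'let' carries."""
    hosts = []
    for row in rows:
        if row["host"] not in hosts:
            hosts.append(row["host"])
    return hosts


def kql_let(name, hosts):
    """Render the host list as a KQL let statement for pasting into the hunt query."""
    return f"let {name} = dynamic({json.dumps(hosts)});"


def is_excluded(host):
    """True if the URL host falls under one of the documented exclusions."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat it as a hostname and check the internal domains.
        return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)
    return any(addr in net for net in INTERNAL_RANGES)


# Constructed proxy records (time, source IP, requested URL, device action);
# not real telemetry. The shape mirrors the CommonSecurityLog columns projected above.
SAMPLE_PROXY_LOG = [
    ("2026-04-25T10:01:02Z", "192.168.10.5", "http://61.52.46.144:60399/bin.sh", "allow"),
    ("2026-04-25T10:02:10Z", "192.168.10.7", "http://10.20.30.40:8080/bin.sh", "allow"),
    ("2026-04-25T10:03:15Z", "192.168.10.9", "http://repo.example.com/legacy-software/setup.exe", "allow"),
    ("2026-04-25T10:04:20Z", "192.168.10.5", "http://219.157.63.81:45807/i", "block"),
    ("2026-04-25T10:05:33Z", "192.168.10.11", "http://www.example.org/index.html", "allow"),
]


def hunt(log, hosts):
    """Return records whose URL host is on the watchlist and not excluded."""
    watch = set(hosts)
    hits = []
    for ts, src, url, action in log:
        host = urlsplit(url).hostname
        if host in watch and not is_excluded(host):
            hits.append({"time": ts, "source": src, "url": url, "action": action})
    return hits


if __name__ == "__main__":
    rows = parse_ioc_rows(IOC_ROWS)
    hosts = watchlist_hosts(rows)
    print(kql_let("malicious_hosts", hosts))
    for hit in hunt(SAMPLE_PROXY_LOG, hosts):
        print(hit)
```

Matching is done on the parsed host rather than on a substring of the whole URL, which is what `has_any` on `RequestURL` does in the KQL above; parsing avoids a watchlist entry such as `115.49.4.7` firing on an unrelated URL that happens to contain that digit sequence in its path or query string. The exclusions are evaluated on the destination host only, so a record whose source sits in 192.168.0.0/16 but whose destination is a listed external IP is still reported, which is the case the hunt exists for.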