This detection covers URLs that URLhaus has tagged `32-bit` and that were serving malware downloads at the time of listing. Every entry in the list below is plain HTTP to a raw IPv4 address on a non-standard high port, with the path `/i` or `/bin.sh`, a layout consistent with a download-and-execute dropper (a `bin.sh` script alongside a short-named second file). A host that fetches one of these URLs is normally already executing attacker-supplied commands, so a hit points to an in-progress compromise rather than to a lure that a user might still ignore. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to catch compromised hosts early, with particular attention to the Linux, embedded and other 32-bit systems these payloads are built for.
IOC Summary

Threat: 32-bit | Total URLs: 20 | Active URLs: 20
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://123.5.125.175:48308/i | online | malware_download | 2026-06-22 |
| hxxp://219.157.143.44:33777/i | online | malware_download | 2026-06-22 |
| hxxp://196.189.3.1:54492/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://202.107.5.69:38499/i | online | malware_download | 2026-06-22 |
| hxxp://115.48.151.124:47369/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://61.53.80.233:54338/i | online | malware_download | 2026-06-22 |
| hxxp://61.53.80.233:54338/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://123.5.125.175:48308/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://42.177.28.175:47234/i | online | malware_download | 2026-06-22 |
| hxxp://202.107.5.69:38499/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://219.157.143.44:33777/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://42.224.74.89:52676/i | online | malware_download | 2026-06-22 |
| hxxp://118.232.137.101:51907/i | online | malware_download | 2026-06-22 |
| hxxp://112.242.55.227:43000/i | online | malware_download | 2026-06-22 |
| hxxp://125.160.141.80:52651/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://182.127.36.64:43772/i | online | malware_download | 2026-06-22 |
| hxxp://115.55.54.56:49032/i | online | malware_download | 2026-06-22 |
| hxxp://119.179.215.65:48587/i | online | malware_download | 2026-06-22 |
| hxxp://119.179.215.65:48587/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://182.117.55.224:41017/i | online | malware_download | 2026-06-22 |
```kusto
// Hunt for DNS answers that resolve to URLhaus-listed infrastructure
// Threat: 32-bit
// The IOCs are raw IP addresses, so no client will ever issue a DNS query
// *for* them; matching the queried Name never fires. Match the resolved
// addresses instead, which catches domains that point at the same hosts.
let malicious_ips = dynamic(["219.157.143.44", "112.242.55.227", "123.5.125.175", "42.224.74.89", "182.127.36.64", "115.55.54.56", "119.179.215.65", "182.117.55.224", "115.48.151.124", "196.189.3.1", "118.232.137.101", "125.160.141.80", "42.177.28.175", "202.107.5.69", "61.53.80.233"]);
DnsEvents
| where isnotempty(IPAddresses)
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for proxy / firewall traffic to URLhaus-listed infrastructure
// Threat: 32-bit
// Every IOC uses a non-standard port, so DestinationPort confirms a hit,
// and DeviceAction tells you whether the download was allowed or blocked.
let malicious_ips = dynamic(["219.157.143.44", "112.242.55.227", "123.5.125.175", "42.224.74.89", "182.127.36.64", "115.55.54.56", "119.179.215.65", "182.117.55.224", "115.48.151.124", "196.189.3.1", "118.232.137.101", "125.160.141.80", "42.177.28.175", "202.107.5.69", "61.53.80.233"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF / Syslog data connector for your proxy or firewall is enabled |
| DnsEvents | Ensure the DNS data connector is enabled |
False-positive scenarios and exclusions

Because every IOC above is a raw IP address and port, none of the legitimate sources below will collide with this list directly; the exclusions matter when the same hunting queries are reused against broader URL or domain feeds. Scope each exclusion to the destination that is known to be legitimate, never to the tool or process that initiated the request, since PowerShell, scheduled tasks and scanners are exactly what an attacker also uses.

Scenario: A system administrator is manually testing a 32-bit application update via a local file share.
Filter/Exclusion: Exclude URLs that match internal file share paths (e.g., \\fileserver\updates\*) or hostnames within the organization's internal domains.

Scenario: A scheduled job is downloading a 32-bit Windows patch from Microsoft's update servers.
Filter/Exclusion: Exclude requests whose destination hostname is windowsupdate.microsoft.com or download.microsoft.com (exact or subdomain match, not a substring match, so that look-alike domains are not excluded too).

Scenario: An IT team is performing a security audit with a vulnerability scanner such as Nessus, which downloads test payloads from a known internal test server.
Filter/Exclusion: Exclude requests to the internal test server (e.g., testserver.internal.com) and, if needed, requests originating from the scanner's own source IP addresses.

Scenario: A developer is using PowerShell to automate a build that temporarily downloads a 32-bit dependency from a public package repository such as NuGet.
Filter/Exclusion: Exclude requests to nuget.org and the organization's approved package-manager repositories. Do not exclude requests merely because PowerShell initiated them.

Scenario: A Windows Task Scheduler job fetches log files from a central logging server for analysis.
Filter/Exclusion: Exclude requests to the internal logging servers (e.g., logserver.corp.example.com). Do not exclude requests merely because a scheduled task initiated them.
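The two hunting queries and the exclusion scenarios above share one piece of logic: turn the IOC URLs into exact (host, port, path) indicators, compare log records against them, and suppress known-good destinations. The script below is an added example that implements that logic offline so it can be checked against sample data; it is not URLhaus, Sentinel or Microsoft code. The twenty IOC URLs are the ones in the table above; the `LogRecord` shape (a cut-down CommonSecurityLog row), the sample records and the internal names `corp.example.com` / `logserver.corp.example.com` are constructed for the demonstration. It also shows why exact matching matters: a naive substring test on the IP list flags `161.53.80.233`, which is not on the list, while the parsed comparison does not.

```python
"""Match proxy/firewall log records against the URLhaus '32-bit' IOC list.

Added example for this page (not URLhaus, Sentinel or Microsoft code).
IOC URLs are the twenty from the table above; log records and the
corp.example.com allowlist entries are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# The twenty defanged URLs from the IOC table above.
IOC_URLS = [
    "hxxp://123.5.125.175:48308/i", "hxxp://219.157.143.44:33777/i",
    "hxxp://196.189.3.1:54492/bin.sh", "hxxp://202.107.5.69:38499/i",
    "hxxp://115.48.151.124:47369/bin.sh", "hxxp://61.53.80.233:54338/i",
    "hxxp://61.53.80.233:54338/bin.sh", "hxxp://123.5.125.175:48308/bin.sh",
    "hxxp://42.177.28.175:47234/i", "hxxp://202.107.5.69:38499/bin.sh",
    "hxxp://219.157.143.44:33777/bin.sh", "hxxp://42.224.74.89:52676/i",
    "hxxp://118.232.137.101:51907/i", "hxxp://112.242.55.227:43000/i",
    "hxxp://125.160.141.80:52651/bin.sh", "hxxp://182.127.36.64:43772/i",
    "hxxp://115.55.54.56:49032/i", "hxxp://119.179.215.65:48587/i",
    "hxxp://119.179.215.65:48587/bin.sh", "hxxp://182.117.55.224:41017/i",
]

# Legitimate destinations from the exclusion scenarios; corp.example.com
# stands in for the organization's internal domain (assumption).
ALLOWLIST = ("windowsupdate.microsoft.com", "download.microsoft.com",
             "nuget.org", "corp.example.com")


@dataclass(frozen=True)
class Indicator:
    host: str   # IPv4 literal or lower-cased hostname
    port: int
    path: str


def refang(url: str) -> str:
    """Restore the real scheme so urlsplit parses the defanged URL."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def parse_indicators(urls: Iterable[str]) -> Set[Indicator]:
    """Split each IOC into (host, port, path) so comparisons are exact, not substring-based."""
    out: Set[Indicator] = set()
    for u in urls:
        p = urlsplit(refang(u))
        default_port = 443 if p.scheme == "https" else 80
        out.add(Indicator(p.hostname.lower(), p.port or default_port, p.path or "/"))
    return out


def is_allowlisted(host: str) -> bool:
    """Exact or subdomain match; 'download.microsoft.com.evil.net' must not pass."""
    h = host.lower().rstrip(".")
    return any(h == a or h.endswith("." + a) for a in ALLOWLIST)


def naive_substring_hit(url: str, ips: Iterable[str]) -> bool:
    """The over-matching check this example replaces: any IOC IP appearing anywhere in the URL."""
    return any(ip in url for ip in ips)


@dataclass
class LogRecord:
    """Cut-down CommonSecurityLog row (constructed shape for the demo)."""
    source_ip: str
    dest_ip: str
    dest_port: int
    dest_host: str = ""     # DestinationHostName; empty for raw-IP requests
    request_url: str = ""   # RequestURL; empty for firewall-only records
    action: str = ""        # DeviceAction, e.g. "allowed" / "blocked"


def classify(rec: LogRecord, indicators: Set[Indicator]) -> str:
    """Return allowlisted | url | host_port | host_only | clean, highest confidence first."""
    if is_allowlisted(rec.dest_host):
        return "allowlisted"
    if rec.request_url:                       # full URL known: host, port and path must all match
        p = urlsplit(rec.request_url)
        if p.hostname:
            port = p.port or (443 if p.scheme == "https" else 80)
            if Indicator(p.hostname.lower(), port, p.path or "/") in indicators:
                return "url"
    if any(rec.dest_ip == i.host and rec.dest_port == i.port for i in indicators):
        return "host_port"                    # firewall hit without URL: IP and port agree
    if any(rec.dest_ip == i.host for i in indicators):
        return "host_only"                    # same infrastructure, different port: triage, lower confidence
    return "clean"


def hunt(records: List[LogRecord], indicators: Set[Indicator]) -> Dict[str, int]:
    """Tally verdicts over a batch of records (what the Sentinel queries do at scale)."""
    counts: Dict[str, int] = {}
    for r in records:
        v = classify(r, indicators)
        counts[v] = counts.get(v, 0) + 1
    return counts


INDICATORS = parse_indicators(IOC_URLS)

# Constructed sample records: one per verdict, plus the substring trap.
SAMPLE_LOGS = [
    LogRecord("10.0.0.5", "61.53.80.233", 54338, request_url="http://61.53.80.233:54338/bin.sh", action="allowed"),
    LogRecord("10.0.0.7", "123.5.125.175", 48308, action="blocked"),
    LogRecord("10.0.0.9", "119.179.215.65", 22),
    LogRecord("10.0.0.11", "161.53.80.233", 54338, request_url="http://161.53.80.233:54338/bin.sh"),
    LogRecord("10.0.0.12", "203.0.113.10", 443, dest_host="download.microsoft.com"),
    LogRecord("10.0.0.13", "10.1.1.20", 443, dest_host="logserver.corp.example.com"),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(f"{rec.source_ip:>10} -> {rec.dest_ip}:{rec.dest_port} {rec.request_url or rec.dest_host:<45} {classify(rec, INDICATORS)}")
    print(hunt(SAMPLE_LOGS, INDICATORS))
```

The `host_only` tier is deliberate: the page lists one port per host, but a compromised box that talks to the same address on another port is still worth a look, just at lower priority than a full URL match. Applying the same tiers in Sentinel means matching `DestinationIP` and `DestinationPort` together before falling back to `DestinationIP` alone.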