This hunt identifies connections to URLhaus-listed URLs tagged 32-bit, which adversaries use to deliver malware payloads to compromised hosts. SOC teams should proactively hunt for this activity in Azure Sentinel to surface and contain early-stage intrusions that rely on 32-bit tooling to evade modern defenses.
IOC Summary

Threat: 32-bit. Total URLs: 55. Active URLs: 55.
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The URLhaus indicators for this threat are bare IP addresses rather than domains,
// so the queried name (Name) rarely matches; the resolved addresses (IPAddresses)
// are the field that will usually carry the hit.
let malicious_domains = dynamic(["42.52.194.3", "218.28.63.30", "183.151.218.216", "112.237.127.77", "27.37.112.190", "42.227.177.133", "110.36.16.115", "219.156.101.252", "119.117.246.97", "216.129.184.213", "123.130.79.249", "123.190.104.203", "42.230.40.82", "150.255.27.41", "182.127.69.38", "123.132.165.21", "222.136.21.83", "182.114.50.25", "115.55.49.158", "110.37.95.117", "219.155.208.66", "123.148.241.62"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
let malicious_domains = dynamic(["42.52.194.3", "218.28.63.30", "183.151.218.216", "112.237.127.77", "27.37.112.190", "42.227.177.133", "110.36.16.115", "219.156.101.252", "119.117.246.97", "216.129.184.213", "123.130.79.249", "123.190.104.203", "42.230.40.82", "150.255.27.41", "182.127.69.38", "123.132.165.21", "222.136.21.83", "182.114.50.25", "115.55.49.158", "110.37.95.117", "219.155.208.66", "123.148.241.62"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    // Proxies and firewalls often log only the connection tuple, so also match the IP field
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that downloads a 32-bit installer from a known trusted repository (e.g., Microsoft Update or Adobe).
Filter/Exclusion: Exclude URLs matching *.update.microsoft.com or *.adobe.com using a regex pattern or URL filter.

Scenario: Admin Task for Legacy Software Deployment
Description: An administrator manually deploys a 32-bit legacy application using a script that downloads the installer from an internal or external repository (e.g., internal-repo.example.com).
Filter/Exclusion: Exclude URLs containing internal-repo.example.com or legacy-app-installer in the URL path.

Scenario: Automated Backup Job to Cloud Storage
Description: A backup job uploads data to a cloud storage service (e.g., AWS S3, Azure Blob Storage) using a 32-bit client tool.
Filter/Exclusion: Exclude URLs containing s3.amazonaws.com or blob.core.windows.net and filter by upload action (e.g., PUT method).

Scenario: User-Initiated Download of 32-bit Plugin
Description: A user downloads a 32-bit plugin for a legitimate application (e.g., Firefox plugin or a Visual Studio extension) from a trusted source.
Filter/Exclusion: Exclude URLs containing addons.mozilla.org or marketplace.visualstudio.com and filter by user-initiated traffic.

Scenario: Internal Development Server Hosting 32-bit Builds
Description: A development team uses an internal server to host 32-bit builds for testing, which may be accessed via a URL that matches the rule’s pattern.
Filter/Exclusion: Exclude URLs containing dev-server.internal or builds.internal and filter
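The following is an added example, not part of the original hunt: it rebuilds the CommonSecurityLog query to match the URLhaus indicators as IP:port pairs (each listed URL is a bare IP on a non-standard port, so matching host and port together is tighter than a substring match on the URL) and applies the exclusions from the false-positive scenarios above. The indicator rows are a shortened subset of the page's list, and the trusted host names are the ones the scenarios mention, used here as placeholders.

```kusto
// Added example: IP:port indicator match plus the false-positive exclusions above.
// Indicator rows are shortened; load the full host/port list from the hunt query.
let iocs = datatable(IocHost:string, IocPort:int) [
    "42.52.194.3",    40757,
    "218.28.63.30",   55787,
    "123.148.241.62", 43983,
    "119.117.246.97", 58297
];
// Trusted suffixes named in the scenarios (placeholders; replace with your own list).
let trusted_suffix = @"(^|\.)(update\.microsoft\.com|adobe\.com|internal-repo\.example\.com|addons\.mozilla\.org|marketplace\.visualstudio\.com|dev-server\.internal|builds\.internal)$";
let cloud_storage_suffix = @"(^|\.)(s3\.amazonaws\.com|blob\.core\.windows\.net)$";
CommonSecurityLog
| where TimeGenerated > ago(30d)
| extend u = parse_url(RequestURL)
// Prefer the host:port from the URL; fall back to the connection tuple when the
// proxy logs only a path in RequestURL (coalesce skips empty strings in KQL).
| extend MatchHost = coalesce(tostring(u.Host), DestinationHostName, DestinationIP),
         MatchPort = coalesce(toint(u.Port), DestinationPort)
| join kind=inner iocs on $left.MatchHost == $right.IocHost, $left.MatchPort == $right.IocPort
// False-positive scenarios: trusted update/plugin/internal hosts, the legacy
// installer path, and PUT uploads to cloud storage.
| where not(MatchHost matches regex trusted_suffix)
| where not(RequestURL contains "legacy-app-installer")
| where not(RequestMethod == "PUT" and MatchHost matches regex cloud_storage_suffix)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Urls = make_set(RequestURL, 10), Actions = make_set(DeviceAction)
          by SourceIP, MatchHost, MatchPort
| order by LastSeen desc
```

Because the indicators are raw IP endpoints, the host-name exclusions only come into play if the match is later widened (for example to the /i and /bin.sh paths alone); they are included so the query is ready for that.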