This hunt covers URLhaus entries tagged 32-bit: download URLs serving 32-bit payloads that adversaries use to stage malware on hosts they have already compromised. The indicators below are bare IP addresses on ephemeral high ports serving /bin.sh and /i, the drop pattern characteristic of Linux/IoT botnet loaders, so the useful pivot is the destination IP (and port), not a domain name. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to catch the initial payload fetch before the host joins the botnet.
IOC Summary
Threat tag: 32-bit. Total URLs: 46. Active URLs: 44. The table below lists 25 of the entries; the IP lists in the hunting queries also include hosts from entries not shown in the table.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://123.129.154.143:51205/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://123.5.112.62:48740/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://42.179.5.146:35166/i | online | malware_download | 2026-05-20 |
| hxxp://115.57.230.211:58582/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://42.179.5.146:35166/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://110.36.80.171:37809/i | online | malware_download | 2026-05-20 |
| hxxp://42.239.235.52:57281/i | online | malware_download | 2026-05-20 |
| hxxp://41.251.99.198:45420/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://41.251.99.198:45420/i | online | malware_download | 2026-05-20 |
| hxxp://125.72.161.95:40323/i | online | malware_download | 2026-05-20 |
| hxxp://110.36.80.163:55385/i | online | malware_download | 2026-05-20 |
| hxxp://27.220.241.80:48601/i | online | malware_download | 2026-05-20 |
| hxxp://110.36.80.163:55385/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://110.36.30.198:33358/i | online | malware_download | 2026-05-20 |
| hxxp://185.50.148.169:57543/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://110.36.28.45:56014/i | online | malware_download | 2026-05-20 |
| hxxp://114.218.58.178:47914/i | online | malware_download | 2026-05-20 |
| hxxp://110.36.28.45:56014/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://114.218.58.178:47914/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://112.248.82.64:47814/i | online | malware_download | 2026-05-20 |
| hxxp://175.166.21.145:59038/i | online | malware_download | 2026-05-20 |
| hxxp://110.36.0.157:57130/i | online | malware_download | 2026-05-20 |
| hxxp://110.36.0.157:57130/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://112.248.82.64:47814/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://175.166.21.145:59038/bin.sh | online | malware_download | 2026-05-20 |
Hunting queries. The indicators are IP addresses, not domains, so the lists are named accordingly. Run the two queries separately.

```kusto
// Hunt for DNS answers that resolve to URLhaus-listed IPs
// Threat tag: 32-bit
// The listed URLs use bare IP addresses, so fetching them triggers no DNS lookup.
// This query only catches domains that happen to resolve to the same hosts, so
// match on the resolved addresses (IPAddresses), not on the queried Name.
let malicious_ips = dynamic(["123.5.112.62", "115.57.230.211", "175.166.21.145", "42.239.235.52", "110.36.30.198", "114.218.58.178", "112.248.82.64", "125.72.161.95", "185.50.148.169", "175.167.231.222", "110.36.0.157", "182.116.112.123", "110.36.80.171", "110.36.80.163", "72.255.30.244", "123.129.154.143", "60.16.159.58", "41.251.99.198", "27.220.241.80", "110.36.28.45", "42.179.5.146", "125.47.242.69"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus-listed IPs
// Threat tag: 32-bit
// DestinationIP is the primary key (exact match); RequestURL and
// DestinationHostName catch proxies that log the URL but not the resolved IP.
// DestinationPort is projected because the drop URLs use specific high ports.
let malicious_ips = dynamic(["123.5.112.62", "115.57.230.211", "175.166.21.145", "42.239.235.52", "110.36.30.198", "114.218.58.178", "112.248.82.64", "125.72.161.95", "185.50.148.169", "175.167.231.222", "110.36.0.157", "182.116.112.123", "110.36.80.171", "110.36.80.163", "72.255.30.244", "123.129.154.143", "60.16.159.58", "41.251.99.198", "27.220.241.80", "110.36.28.45", "42.179.5.146", "125.47.242.69"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF via AMA, or the legacy CEF connector) is enabled |
| DnsEvents | Ensure this data connector (DNS Analytics) is enabled |
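The two hunts above key on the destination address. As an added example that is not part of this page or of URLhaus, the Python below rebuilds the `let malicious_ips = dynamic([...])` binding from the defanged rows in the IOC table and replays the indicators over constructed CEF proxy lines, separating an exact host, port and path match (high confidence) from an address-only hit (weaker evidence, given the ephemeral ports and possible address reuse). The vendor, product and log lines are made up for the example.

```python
"""Turn the URLhaus rows on this page into a Sentinel IOC list and replay it
against proxy log lines. Added example; every log line below is constructed."""
import re
from urllib.parse import urlsplit

# Defanged URLs copied from the IOC table above (a subset of the 46-entry feed).
IOC_URLS = [
    "hxxp://123.129.154.143:51205/bin.sh",
    "hxxp://123.5.112.62:48740/bin.sh",
    "hxxp://42.179.5.146:35166/i",
    "hxxp://42.179.5.146:35166/bin.sh",
    "hxxp://110.36.80.171:37809/i",
    "hxxp://41.251.99.198:45420/bin.sh",
    "hxxp://41.251.99.198:45420/i",
    "hxxp://110.36.0.157:57130/i",
    "hxxp://110.36.0.157:57130/bin.sh",
]

# Constructed CEF proxy lines (hypothetical vendor/product), not real telemetry.
SAMPLE_LOGS = [
    "CEF:0|ExampleVendor|WebProxy|1.0|100|web-request|5|src=10.0.0.5 dst=42.179.5.146 "
    "dpt=35166 request=http://42.179.5.146:35166/bin.sh act=blocked",
    "CEF:0|ExampleVendor|WebProxy|1.0|100|web-request|3|src=10.0.0.9 dst=110.36.0.157 "
    "dpt=80 request=http://110.36.0.157/index.html act=allowed",
    "CEF:0|ExampleVendor|WebProxy|1.0|100|web-request|1|src=10.0.0.7 dst=203.0.113.10 "
    "dpt=443 request=https://203.0.113.10/ act=allowed",
]


def refang(url):
    """Restore hxxp:// and hxxps:// to a scheme urlsplit understands."""
    return re.sub(r"^hxx(ps?)://", r"htt\1://", url)


def build_index(urls):
    """Map host -> {(port, path)}. Port and path are kept because the same
    address on another port/path is weaker evidence (address churn, reuse)."""
    index = {}
    for url in urls:
        parts = urlsplit(refang(url))
        index.setdefault(parts.hostname, set()).add((parts.port, parts.path))
    return index


INDEX = build_index(IOC_URLS)


def kql_ip_list(index, name="malicious_ips"):
    """Emit the `let` binding used by the DnsEvents and CommonSecurityLog hunts."""
    hosts = ", ".join(f'"{host}"' for host in sorted(index))
    return f"let {name} = dynamic([{hosts}]);"


# key=value pairs in the CEF extension; a value runs until the next ' key='.
CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef_extension(line):
    """Return the CEF extension (everything after the 7th pipe) as a dict."""
    extension = line.split("|", 7)[-1]
    return dict(CEF_KV.findall(extension))


def classify(line, index):
    """'exact' when host, port and path all match a listed URL; 'ip_only' when
    just the destination address is listed; (None, None) otherwise."""
    fields = parse_cef_extension(line)
    url = fields.get("request", "")
    parts = urlsplit(url) if url else None
    if parts and parts.hostname in index:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if (port, parts.path) in index[parts.hostname]:
            return "exact", url
    dst = fields.get("dst") or (parts.hostname if parts else None)
    if dst in index:
        return "ip_only", dst
    return None, None


if __name__ == "__main__":
    print(kql_ip_list(INDEX))
    for entry in SAMPLE_LOGS:
        print(classify(entry, INDEX))
```

An `ip_only` hit on a listed address is still worth triage, but the `exact` tier is what should page someone: the ephemeral ports in this feed mean an address seen on port 80 weeks after Date Added may simply have been reassigned.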
False Positive Scenarios
The queries above match only the listed public IP addresses, so ordinary internal activity does not hit them as written. Non-malicious hits come mainly from two sources: security tooling (sandboxes, threat-intel fetchers, vulnerability scanners) that retrieves the URLhaus URLs deliberately, and addresses that have been reassigned since the Date Added; confirm the current URLhaus status before escalating. The exclusions below matter chiefly if the hunt is widened to generic heuristics such as any fetch of /bin.sh or /i from a bare IP.
Scenario: A system administrator is manually testing a 32-bit application update via a local file share.
Filter/Exclusion: UNC paths (e.g., \\fileserver\updates\*) never appear in CommonSecurityLog RequestURL or in DnsEvents, so this does not match. In a widened query, exclude RFC 1918 source and destination ranges (KQL's ipv4_is_private() does this) rather than relying on a custom src_ip field.
Scenario: A scheduled job runs a 32-bit legacy tool for compliance reporting, and the job generates a temporary URL for internal data transfer.
Filter/Exclusion: Exclude specific internal names (e.g., internal.reporting.example.com) on DestinationHostName. A process_name filter for tools such as LegacyComplianceTool.exe is not possible in CommonSecurityLog, which carries no process field; it requires endpoint telemetry that records the initiating process.
Scenario: A developer is using a 32-bit version of a CI/CD tool (e.g., Jenkins) to build a project, and the build process includes a temporary URL for artifact storage.
Filter/Exclusion: Exclude ci-artifacts.example.com on DestinationHostName; excluding jenkins.exe or similar CI/CD executables by process name is again only possible in endpoint telemetry, not in proxy or firewall CEF data.
Scenario: A user is accessing a 32-bit version of a legitimate enterprise application (e.g., Adobe Acrobat Reader) via a web portal, and the portal redirects to a temporary URL for authentication.
Filter/Exclusion: Exclude known enterprise portals (e.g., portal.example.com) on DestinationHostName. The user agent is available in CommonSecurityLog as RequestClientApplication, but browser user agents are trivially spoofed, so treat it as a triage hint rather than an exclusion.
Scenario: A system is running a 32-bit version of a security tool (e.g., Bitdefender) that generates a temporary URL for internal threat intelligence sharing.
Filter/Exclusion: Exclude internal threat intelligence endpoints (e.g., ti.example.com) on DestinationHostName. Security tools are the most likely legitimate source of traffic to the listed IPs themselves, so exclude known sandbox and scanner hosts by SourceIP and verify each, rather than suppressing bitdefender.exe or similar executables by process name.