The detection identifies potential 32-bit malware distribution through malicious URLs, which adversaries may use to deliver payloads to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could evade traditional detection methods.
IOC Summary
Threat: 32-bit Total URLs: 46 Active URLs: 46
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://123.13.146.43:34329/bin.sh | online | malware_download | 2026-05-09 |
hxxp://123.14.86.67:55736/i | online | malware_download | 2026-05-09 |
hxxp://123.14.86.67:55736/bin.sh | online | malware_download | 2026-05-09 |
hxxp://123.8.82.84:51766/i | online | malware_download | 2026-05-09 |
hxxp://124.94.203.77:33749/i | online | malware_download | 2026-05-09 |
hxxp://222.134.163.51:59072/i | online | malware_download | 2026-05-09 |
hxxp://117.81.106.151:34198/bin.sh | online | malware_download | 2026-05-09 |
hxxp://116.209.178.80:57219/i | online | malware_download | 2026-05-09 |
hxxp://125.41.215.248:36212/i | online | malware_download | 2026-05-09 |
hxxp://162.255.251.91:39081/i | online | malware_download | 2026-05-09 |
hxxp://123.5.186.81:56974/i | online | malware_download | 2026-05-09 |
hxxp://222.134.163.51:59072/bin.sh | online | malware_download | 2026-05-09 |
hxxp://110.37.55.23:50001/i | online | malware_download | 2026-05-09 |
hxxp://110.37.55.23:50001/bin.sh | online | malware_download | 2026-05-09 |
hxxp://124.94.203.77:33749/bin.sh | online | malware_download | 2026-05-09 |
hxxp://162.255.251.91:39081/bin.sh | online | malware_download | 2026-05-09 |
hxxp://123.5.186.81:56974/bin.sh | online | malware_download | 2026-05-09 |
hxxp://110.85.98.200:38787/i | online | malware_download | 2026-05-09 |
hxxp://125.41.215.248:36212/bin.sh | online | malware_download | 2026-05-09 |
hxxp://124.94.155.201:36974/i | online | malware_download | 2026-05-09 |
hxxp://39.74.85.73:33051/bin.sh | online | malware_download | 2026-05-09 |
hxxp://61.53.119.205:48330/i | online | malware_download | 2026-05-09 |
hxxp://110.37.115.90:55749/i | online | malware_download | 2026-05-09 |
hxxp://61.53.119.205:48330/bin.sh | online | malware_download | 2026-05-09 |
hxxp://110.37.115.90:55749/bin.sh | online | malware_download | 2026-05-09 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
let malicious_domains = dynamic(["61.53.119.205", "110.37.115.90", "105.184.50.146", "42.225.71.115", "117.81.106.151", "115.61.112.143", "39.74.85.73", "124.94.155.201", "110.85.98.200", "123.13.146.43", "115.55.146.52", "123.14.86.67", "162.255.251.91", "125.41.215.248", "124.94.203.77", "110.37.55.23", "123.5.186.81", "116.209.178.80", "123.8.82.84", "222.134.163.51"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["61.53.119.205", "110.37.115.90", "105.184.50.146", "42.225.71.115", "117.81.106.151", "115.61.112.143", "39.74.85.73", "124.94.155.201", "110.85.98.200", "123.13.146.43", "115.55.146.52", "123.14.86.67", "162.255.251.91", "125.41.215.248", "124.94.203.77", "110.37.55.23", "123.5.186.81", "116.209.178.80", "123.8.82.84", "222.134.163.51"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled system update job downloads a 32-bit driver from a trusted vendor’s CDN
Filter/Exclusion: process.parent_process == "C:\Windows\System32\wuauclt.exe" or process.command_line contains "WindowsUpdate"
Scenario: Admin manually downloads a 32-bit diagnostic tool from a known enterprise support site
Filter/Exclusion: process.command_line contains "support.example.com" or process.user == "Domain\Administrator"
Scenario: A 32-bit legacy application is being updated via a scheduled task that pulls a signed installer from an internal repository
Filter/Exclusion: process.image == "C:\Windows\System32\msiexec.exe" or process.command_line contains "internal-repo.example.com"
Scenario: A user runs a 32-bit version of a legitimate software tool (e.g., 32-bit version of Wireshark) for network analysis
Filter/Exclusion: process.image contains "wireshark.exe" or process.user contains "User_Network_Team"
Scenario: A 32-bit PowerShell script is executed as part of a regular system maintenance task (e.g., log cleanup)
Filter/Exclusion: process.parent_process == "C:\Windows\System32\svchost.exe" or process.command_line contains "Cleanup-Logs.ps1"