The hypothesis is that the detected URLs are likely used by adversaries to deliver 32-bit malware, which may bypass modern endpoint protections. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of 32-bit systems that may have been overlooked by traditional detection methods.
IOC Summary
Threat: 32-bit | Total URLs: 18 | Active URLs: 17

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.239.14.102:42616/i | online | malware_download | 2026-05-22 |
| hxxp://182.121.215.209:49571/i | online | malware_download | 2026-05-22 |
| hxxp://125.41.141.71:40774/i | online | malware_download | 2026-05-22 |
| hxxp://103.171.168.74:36014/i | online | malware_download | 2026-05-22 |
| hxxp://103.171.168.74:36014/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://113.230.80.56:45482/i | online | malware_download | 2026-05-22 |
| hxxp://125.41.141.71:40774/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://182.127.35.64:49342/i | online | malware_download | 2026-05-22 |
| hxxp://182.126.81.234:51687/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://182.127.35.64:49342/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://59.97.248.51:49747/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://110.39.249.140:53182/i | online | malware_download | 2026-05-22 |
| hxxp://218.91.141.211:55109/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://39.74.106.57:48231/i | online | malware_download | 2026-05-22 |
| hxxp://123.188.88.173:50099/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://182.112.231.171:53301/i | online | malware_download | 2026-05-22 |
| hxxp://115.48.151.181:56013/i | online | malware_download | 2026-05-22 |
| hxxp://115.48.151.181:56013/bin.sh | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: 32-bit
// Note: every host in this IOC set is an IP literal, not a domain, so a
// client fetching these URLs performs no DNS lookup for the host name.
// Matching on the Name column alone will therefore miss them; the
// resolved-address column is checked as well so that a domain resolving
// to one of these addresses still surfaces.
let malicious_domains = dynamic(["123.188.88.173", "182.126.81.234", "115.48.151.181", "182.121.215.209", "125.41.141.71", "39.74.106.57", "182.127.35.64", "42.239.14.102", "59.97.248.51", "110.39.249.140", "182.112.231.171", "103.171.168.74", "218.91.141.211", "113.230.80.56"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
// DestinationIP is included because proxy/firewall logs for IP-literal
// URLs frequently leave DestinationHostName empty.
let malicious_domains = dynamic(["123.188.88.173", "182.126.81.234", "115.48.151.181", "182.121.215.209", "125.41.141.71", "39.74.106.57", "182.127.35.64", "42.239.14.102", "59.97.248.51", "110.39.249.140", "182.112.231.171", "103.171.168.74", "218.91.141.211", "113.230.80.56"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
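The queries above take the IOC hosts as a hand-maintained `dynamic([...])` list. The following Python script, added here as an example and not part of the original hunt package or of URLhaus, shows the pipeline behind that list: it parses the defanged `hxxp://` rows from the IOC table, refangs them only for parsing, records host, port and path, flags that every host is an IP literal (so DNS name matching cannot fire), emits the KQL list, and runs the same host/port match over a few constructed proxy log rows. A hit on the exact host and port is reported as high confidence; a hit on the host alone, at a different port, as medium, since the table shows these hosts serving on high ephemeral-looking ports that may rotate. The IOC rows are a subset copied from the page's table; the proxy log rows and the `malicious_hosts` variable name are constructed for the example.

```python
"""Turn defanged URLhaus IOC rows into hunting artefacts and match them
against proxy log rows. Added example; the IOC rows are a subset of the
page's table, the proxy log rows are constructed sample data."""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the page's IOC table, kept defanged exactly as published.
IOC_ROWS = """
hxxp://42.239.14.102:42616/i | online | malware_download | 2026-05-22
hxxp://103.171.168.74:36014/i | online | malware_download | 2026-05-22
hxxp://103.171.168.74:36014/bin.sh | online | malware_download | 2026-05-22
hxxp://115.48.151.181:56013/bin.sh | offline | malware_download | 2026-05-22
"""

# Constructed proxy log rows: source IP, destination IP, destination port, URL.
# Row 1 matches host and port; row 2 is an IOC host on a different port;
# row 3 is benign traffic that must not match.
PROXY_LOG = """
10.0.4.17,103.171.168.74,36014,http://103.171.168.74:36014/bin.sh
10.0.4.22,42.239.14.102,8080,http://42.239.14.102:8080/index.html
10.0.4.31,93.184.216.34,443,https://example.com/
"""


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so urlsplit can parse it."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_iocs(rows: str) -> list[dict]:
    """Parse 'url | status | threat | date' rows into structured IOC records."""
    iocs = []
    for line in rows.strip().splitlines():
        url, status, threat, added = (c.strip() for c in line.split("|"))
        parts = urlsplit(refang(url))
        host = parts.hostname
        iocs.append({
            "url": url,                       # keep the defanged form for reports
            "host": host,
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "path": parts.path,
            "status": status,
            "threat": threat,
            "added": added,
            "ip_literal": _is_ip_literal(host),
        })
    return iocs


def build_kql_host_list(iocs: list[dict], name: str = "malicious_hosts") -> str:
    """Emit the KQL 'let ... = dynamic([...])' line the Sentinel queries consume."""
    hosts = sorted({i["host"] for i in iocs})
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"


def match_proxy_log(iocs: list[dict], log_csv: str) -> list[dict]:
    """Match proxy rows on destination IP or URL host; grade by port agreement."""
    ports_by_host: dict[str, set[int]] = {}
    for i in iocs:
        ports_by_host.setdefault(i["host"], set()).add(i["port"])
    hits = []
    for line in log_csv.strip().splitlines():
        src, dst_ip, dst_port, url = (c.strip() for c in line.split(","))
        url_host = urlsplit(url).hostname
        # Check both columns: IP-literal URLs often leave the host column empty.
        for candidate in (dst_ip, url_host):
            if candidate in ports_by_host:
                confidence = "high" if int(dst_port) in ports_by_host[candidate] else "medium"
                hits.append({"src": src, "host": candidate, "port": int(dst_port),
                             "confidence": confidence})
                break
    return hits


if __name__ == "__main__":
    records = parse_iocs(IOC_ROWS)
    print(build_kql_host_list(records))
    print("all IP literals, DNS Name matching cannot fire:",
          all(r["ip_literal"] for r in records))
    for hit in match_proxy_log(records, PROXY_LOG):
        print(hit)
```

Feeding the full 18-row table through `parse_iocs` yields the same 14 hosts the page's `dynamic([...])` list contains; the medium-confidence grade is what you would want to triage rather than alert on, since it flags reuse of the infrastructure on a port the feed has not yet recorded.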
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via Microsoft Update
Filter/Exclusion: process.parent_process != "svchost.exe" && process.parent_process != "msiexec.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "veeam.exe" || process.parent_process != "taskeng.exe"
Scenario: Admin performing remote PowerShell script execution via Windows Remote Management (WinRM)
Filter/Exclusion: process.name != "powershell.exe" || process.parent_process != "winrm.exe"
Scenario: User accessing a known malicious URL for phishing testing via a security tool like Cymmetri
Filter/Exclusion: process.name != "cymmetri.exe" || url.domain != "phishing-test-domain.com"
Scenario: Internal tool for URL shortening (e.g., Bitly) used by developers
Filter/Exclusion: process.name != "bitly.exe" || url.domain != "bit.ly"