The hypothesis is that the detected URLs serve malicious 32-bit payloads that adversaries use to deliver malware, targeting outdated systems where modern detection is weak or absent. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate compromise of legacy systems and to prevent lateral movement from them.
IOC Summary
Threat: 32-bit Total URLs: 26 Active URLs: 26
```kusto
// Hunt for DNS activity involving the URLhaus indicators
// Threat: 32-bit
// The indicators are bare IP addresses, so a client fetching them issues no name
// lookup; match the resolved answers (IPAddresses) as well as the queried Name.
let malicious_domains = dynamic(["42.239.230.227", "124.131.107.138", "27.37.100.207", "125.47.242.65", "58.208.249.184", "27.21.28.213", "124.133.140.46", "36.33.110.30", "123.11.10.91", "175.148.200.81", "27.215.209.230", "42.6.190.38", "221.214.161.178", "27.37.114.211", "220.184.42.21", "123.189.143.232", "42.234.148.181", "60.22.192.81"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus indicators
// Threat: 32-bit
// Match the destination IP too: proxy/firewall logs for a bare-IP URL may carry
// no hostname, and the port in the URL is non-standard for every indicator.
let malicious_domains = dynamic(["42.239.230.227", "124.131.107.138", "27.37.100.207", "125.47.242.65", "58.208.249.184", "27.21.28.213", "124.133.140.46", "36.33.110.30", "123.11.10.91", "175.148.200.81", "27.215.209.230", "42.6.190.38", "221.214.161.178", "27.37.114.211", "220.184.42.21", "123.189.143.232", "42.234.148.181", "60.22.192.81"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
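As an added example (not part of the original hunt pack): a small Python helper that turns URLhaus-style table rows like those in the IOC summary into the `dynamic([...])` lists the two queries start with, deduplicating hosts and separating IP literals from DNS names so each kind is matched against the right Sentinel column. The sample rows, addresses and the hypothetical `cdn.example.invalid` name are constructed (documentation ranges), not the page's indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows in the defanged "URL | Status | Threat | Date Added"
# layout of the IOC table (documentation-range addresses, not real indicators).
SAMPLE_IOCS = """
hxxp://192.0.2.10:59759/i | online | malware_download | 2026-05-10 |
hxxp://192.0.2.10:59759/bin.sh | online | malware_download | 2026-05-10 |
hxxp://198.51.100.7:41368/bin.sh | online | malware_download | 2026-05-10 |
hxxp://cdn[.]example[.]invalid/i | offline | malware_download | 2026-05-10 |
"""

def refang(url):
    """Undo hxxp:// and [.] defanging so urlsplit can parse the URL."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def parse_iocs(table):
    """Parse pipe-delimited rows into dicts with host, port, path and status."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or not cells[0].lower().startswith("hxxp"):
            continue  # skip header, separator and blank lines
        parts = urlsplit(refang(cells[0]))
        rows.append({"host": parts.hostname, "port": parts.port,
                     "path": parts.path, "status": cells[1]})
    return rows

def split_hosts(rows):
    """Dedupe hosts and separate IP literals from DNS names: IPs only ever match
    DnsEvents.IPAddresses / CommonSecurityLog.DestinationIP, while names match
    DnsEvents.Name / DestinationHostName / RequestURL."""
    ips, names = set(), set()
    for row in rows:
        try:
            ipaddress.ip_address(row["host"])
            ips.add(row["host"])
        except ValueError:
            names.add(row["host"])
    return sorted(ips), sorted(names)

def kql_let(name, values):
    """Render the 'let X = dynamic([...]);' statement the hunt queries start with."""
    quoted = ", ".join('"%s"' % v for v in values)
    return "let %s = dynamic([%s]);" % (name, quoted)
```

On the sample, `split_hosts(parse_iocs(SAMPLE_IOCS))` yields two IP literals and one name; `kql_let("malicious_ips", ips)` and `kql_let("malicious_domains", names)` then give the two `let` lines to paste at the top of the queries.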
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the CEF/Syslog-based connectors for firewalls and proxies) |
| DnsEvents | Ensure this data connector is enabled (populated by the Windows DNS connector) |
False Positive Scenarios
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Legitimate system update via Microsoft Update | Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com | Microsoft’s update servers are known to use 32-bit URLs as part of their distribution process. |
| Scheduled backup job using Veeam Backup & Replication | Exclude URLs containing veeam.com or backup-vmware.com | Veeam and similar tools often use 32-bit URLs for their backup and replication services. |
| Admin task using PowerShell for log analysis | Exclude URLs containing powershell.org or technet.microsoft.com | PowerShell scripts and Microsoft TechNet resources may include 32-bit URLs in their documentation or script repositories. |
| Internal tool for user activity reporting using Splunk | Exclude URLs containing splunk.com or splunkbase.splunk.com | Splunk and Splunkbase may have 32-bit URLs used for internal reporting or tooling. |
| Employee access to internal documentation via Confluence | Exclude URLs containing confluence.atlassian.com or internal-docs.example.com | Internal Confluence instances may use 32-bit URLs for accessing documentation or shared resources. |

Apply these exclusions to the host fields (DestinationHostName, or the host part of RequestURL) rather than to the whole URL string, so that a malicious URL which merely embeds one of these names in its path or query is not suppressed.