The detection identifies potential 32-bit malware delivery vectors through known malicious URLs sourced from URLhaus, indicating an adversary may be attempting to exploit legacy systems with targeted payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that leverage outdated infrastructure for persistence and lateral movement.
IOC Summary
Threat: 32-bit
Total URLs: 37
Active URLs: 36
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 32-bit
// The indicators are IP literals, so the resolved answers (IPAddresses) are checked as well as the queried name;
// a DNS query will rarely carry a bare IP in the Name column.
let malicious_domains = dynamic(["110.37.38.176", "42.230.18.216", "119.116.38.143", "42.231.216.178", "37.76.136.59", "110.39.249.174", "113.229.142.233", "182.117.5.34", "60.18.96.116", "115.56.167.217", "112.248.185.5", "222.141.137.115", "27.37.115.147", "105.224.14.116", "42.178.147.141", "42.176.102.222", "112.242.20.212", "110.37.56.122", "112.93.203.181"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 32-bit
// DestinationIP is matched too, because a proxy or firewall may log the connection to the IP literal
// without populating RequestURL or DestinationHostName.
let malicious_domains = dynamic(["110.37.38.176", "42.230.18.216", "119.116.38.143", "42.231.216.178", "37.76.136.59", "110.39.249.174", "113.229.142.233", "182.117.5.34", "60.18.96.116", "115.56.167.217", "112.248.185.5", "222.141.137.115", "27.37.115.147", "105.224.14.116", "42.178.147.141", "42.176.102.222", "112.242.20.212", "110.37.56.122", "112.93.203.181"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update or patch deployment using a 32-bit URL | Exclude URLs containing known update servers (e.g., windowsupdate.microsoft.com, download.microsoft.com) or use a filter based on the `url` field matching known enterprise update domains. |
| Scheduled backup job using a 32-bit executable or script from an internal repository | Exclude URLs that match internal artifact repositories (e.g., artifactory.internal.company.com, nexus.internal.company.com) or include a `job_name` field matching known backup job names. |
| Admin task to download a 32-bit tool for compatibility with legacy systems | Exclude URLs that include the word legacy or compatibility in the URL path, or use a `user_agent` filter to identify administrative tools (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36). |
| Internal development team using a 32-bit build server to deploy code | Exclude URLs that match internal build servers (e.g., buildserver.internal.company.com) or include a `build_id` or `branch` parameter in the URL. |
| User accessing a 32-bit version of a legitimate application from a company-approved portal | Exclude URLs that match internal software distribution portals (e.g., softwareportal.company.com) or include a `product_name` field matching known company-approved applications. |
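The query below is an added example, not part of the original page, showing how the CommonSecurityLog hunt and the tuning scenarios above can be combined in one query: the URLhaus indicators are read from a Sentinel watchlist rather than hardcoded, the URL is parsed so the host:port pair is matched exactly, and the benign hosts from the scenarios are excluded through an allow-list. The watchlist name `URLhaus32bit`, its `Indicator` column, and the allow-list hosts are assumptions standing in for your environment's values.

```kql
// Added example: URLhaus host:port hunt with allow-list tuning (assumed watchlist and hosts)
// Assumption: a watchlist named URLhaus32bit with an "Indicator" column in host:port form,
// e.g. "<IP>:<port>", populated from the URLhaus feed.
let malicious_hostports = _GetWatchlist('URLhaus32bit') | project Indicator;
// Allow-list drawn from the tuning scenarios; replace with your real update, repository,
// build and portal hosts.
let allowed_hosts = dynamic([
    "windowsupdate.microsoft.com", "download.microsoft.com",           // update servers
    "artifactory.internal.company.com", "nexus.internal.company.com",  // artifact repositories
    "buildserver.internal.company.com",                                // build servers
    "softwareportal.company.com"]);                                    // approved software portals
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
| extend UrlHost = tostring(Parsed.Host), UrlPort = tostring(Parsed.Port), UrlPath = tostring(Parsed.Path)
// Build host:port so that a shared IP on a different port is not a false match
| extend HostPort = strcat(UrlHost, ":", UrlPort)
| where HostPort in (malicious_hostports)
// Exact-host allow-list: a match on an approved internal or vendor host is dropped
| where not(UrlHost in (allowed_hosts))
// One row per source and destination, keeping the paths seen and the device verdicts
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Paths = make_set(UrlPath, 10),
            Actions = make_set(DeviceAction, 5)
    by SourceIP, HostPort
| order by LastSeen desc
```

A non-empty `Actions` set containing an allow verdict next to a block verdict for the same HostPort is worth triaging first, since it shows the download was not consistently stopped at the edge.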