The hypothesis is that the detected URLs are likely distribution points for 32-bit malware payloads, used to deliver or execute malicious code on compromised systems. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential 32-bit malware infections before they cause widespread damage.
IOC Summary
Threat: 32-bit Total URLs: 27 Active URLs: 27
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: 32-bit
// The URLhaus indicators for this threat are IP literals, so a hit on Name is
// unusual; matching the resolved IPAddresses catches any domain that resolves to them.
let malicious_domains = dynamic(["182.121.42.112", "125.44.54.67", "110.39.225.173", "108.168.0.60", "27.37.101.250", "221.202.100.138", "123.5.149.180", "175.166.2.186", "182.121.172.140", "182.113.205.82", "110.39.246.147", "42.231.91.251", "219.157.169.22", "222.127.170.84", "123.12.23.29", "182.117.79.107", "71.207.128.92", "219.156.63.148", "219.155.254.245", "60.18.105.76", "110.39.230.171", "117.26.110.91"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 32-bit
let malicious_domains = dynamic(["182.121.42.112", "125.44.54.67", "110.39.225.173", "108.168.0.60", "27.37.101.250", "221.202.100.138", "123.5.149.180", "175.166.2.186", "182.121.172.140", "182.113.205.82", "110.39.246.147", "42.231.91.251", "219.157.169.22", "222.127.170.84", "123.12.23.29", "182.117.79.107", "71.207.128.92", "219.156.63.148", "219.155.254.245", "60.18.105.76", "110.39.230.171", "117.26.110.91"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    // the indicators are IP literals, so also match the destination address directly
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a 32-bit application update via a local HTTP server for compatibility checks.
Filter/Exclusion: Exclude URLs that originate from internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or are associated with internal testing environments.
Scenario: A scheduled job runs a nightly backup script that uses a 32-bit URL to download a pre-signed S3 bucket object for archival.
Filter/Exclusion: Exclude URLs that match known S3 bucket patterns (e.g., https://s3.amazonaws.com/) or are associated with backup services like AWS Backup or Azure Backup.
Scenario: An IT team is deploying a 32-bit version of a legitimate software tool (e.g., Microsoft .NET Framework) using a script that fetches the installer from a company-approved repository.
Filter/Exclusion: Exclude URLs that match internal software repositories (e.g., https://repo.company.com/) or are signed by known internal certificate authorities.
Scenario: A user is accessing a 32-bit version of a legitimate web application (e.g., a legacy CRM system) hosted on a company’s internal web server.
Filter/Exclusion: Exclude URLs that are internal (e.g., https://crm.internal.company.com/) or are part of a known internal application set.
Scenario: A DevOps pipeline is executing a CI/CD job that pulls a 32-bit dependency from a public package registry (e.g., npm, PyPI) for compatibility with older systems.
Filter/Exclusion: Exclude URLs that match known package registry domains (e.g., https://registry.npmjs.org/, `https://
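The steps above (refang the defanged URLhaus entries, drop the internal-range and allowlisted traffic the scenarios describe, and emit the host list for the Sentinel `let` line) as an added Python example; it is not part of the original report, and the allowlist and the benign sample URLs are constructed assumptions to be tuned per tenant.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: two defanged entries from the hunt table above plus
# three benign URLs matching the false-positive scenarios.
SAMPLE_URLS = [
    "hxxp://125.44.54.67:41296/i",
    "hxxp://117.26.110.91:38787/bin.sh",
    "http://192.168.10.5:8080/update32.msi",          # admin's local HTTP server
    "https://s3.amazonaws.com/backups/nightly.tar",   # pre-signed S3 object
    "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
]

# Private ranges named in the first exclusion scenario.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist built from the scenarios' example hosts; tune per tenant.
ALLOWLISTED_HOSTS = {"s3.amazonaws.com", "registry.npmjs.org", "repo.company.com", "crm.internal.company.com"}

def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging used in the IOC table."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)

def is_excluded(host: str) -> bool:
    """Apply the exclusion scenarios: internal IP ranges and allowlisted hostnames."""
    if host in ALLOWLISTED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an IP literal: not an internal range
    return any(ip in net for net in INTERNAL_NETS)

def hunt_hosts(urls):
    """Return the de-duplicated, order-preserving list of hosts left to hunt for."""
    hosts = []
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host and not is_excluded(host) and host not in hosts:
            hosts.append(host)
    return hosts

def to_kql_dynamic(hosts):
    """Render the host list as the 'let' line consumed by the Sentinel queries."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let malicious_domains = dynamic([{quoted}]);"

if __name__ == "__main__":
    print(to_kql_dynamic(hunt_hosts(SAMPLE_URLS)))
```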