This detection covers URLs that URLhaus has tagged 32-bit: download locations for 32-bit binary payloads that adversaries use to deliver a first-stage payload to a system they have already compromised. The tag describes the architecture of the hosted payload, not the victim's infrastructure. The entries listed here are raw-IP URLs on non-standard high ports serving short paths such as /i and /bin.sh, a pattern commonly seen with Linux and IoT bot droppers, so the client pulling the file is usually a device that has already executed a download command. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to catch the payload-retrieval stage before the binary runs.
IOC Summary

Threat: 32-bit
Total URLs: 47
Active URLs: 47
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.44.194.80:49682/i | online | malware_download | 2026-05-21 |
| hxxp://123.188.118.239:45402/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://125.41.228.139:52437/i | online | malware_download | 2026-05-21 |
| hxxp://110.36.80.171:37569/i | online | malware_download | 2026-05-21 |
| hxxp://42.232.28.29:44096/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://110.36.20.85:36342/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://61.52.33.251:33922/i | online | malware_download | 2026-05-21 |
| hxxp://110.36.80.171:37569/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://182.113.28.168:34795/i | online | malware_download | 2026-05-21 |
| hxxp://222.138.226.177:55678/i | online | malware_download | 2026-05-21 |
| hxxp://125.41.229.8:60369/i | online | malware_download | 2026-05-21 |
| hxxp://182.127.31.78:43759/i | online | malware_download | 2026-05-21 |
| hxxp://61.52.33.251:33922/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://115.48.35.173:42283/i | online | malware_download | 2026-05-21 |
| hxxp://125.41.229.8:60369/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://182.127.31.78:43759/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://115.63.119.214:40611/i | online | malware_download | 2026-05-21 |
| hxxp://182.113.204.145:52389/i | online | malware_download | 2026-05-21 |
| hxxp://115.48.35.173:42283/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://182.113.204.145:52389/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://123.4.164.205:41652/i | online | malware_download | 2026-05-21 |
| hxxp://115.63.119.214:40611/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://125.43.36.162:33705/i | online | malware_download | 2026-05-21 |
| hxxp://123.5.185.161:40568/i | online | malware_download | 2026-05-21 |
| hxxp://125.41.75.58:52257/i | online | malware_download | 2026-05-21 |
```kusto
// Hunt for DNS answers that resolve to URLhaus-listed IPs
// Threat: 32-bit
// The listed URLs use raw IP addresses, so a client fetching them issues no DNS
// query for the payload host. Matching the queried Name against IPs finds nothing;
// match the resolved answers (IPAddresses) instead, which catches any name that
// points at one of the listed hosts.
let malicious_ips = dynamic(["115.63.119.214", "123.5.185.161", "125.41.228.139", "110.36.20.85", "125.43.36.162", "182.113.204.145", "125.41.229.8", "182.127.31.78", "123.188.118.239", "61.52.46.71", "125.46.150.200", "222.138.226.177", "115.48.35.173", "182.126.122.64", "61.52.33.251", "110.36.80.171", "222.142.245.198", "125.41.75.58", "125.44.194.80", "182.113.28.168", "61.53.202.5", "42.232.28.29", "123.4.164.205"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to URLhaus-listed IPs
// Threat: 32-bit
// Match the destination IP directly and also the URL string, since some devices
// populate RequestURL but not DestinationIP. DestinationPort is projected so a hit
// can be compared with the high port in the listed URL; a deny in DeviceAction is
// still a finding, because the source host attempted the download.
let malicious_ips = dynamic(["115.63.119.214", "123.5.185.161", "125.41.228.139", "110.36.20.85", "125.43.36.162", "182.113.204.145", "125.41.229.8", "182.127.31.78", "123.188.118.239", "61.52.46.71", "125.46.150.200", "222.138.226.177", "115.48.35.173", "182.126.122.64", "61.52.33.251", "110.36.80.171", "222.142.245.198", "125.41.75.58", "125.44.194.80", "182.113.28.168", "61.53.202.5", "42.232.28.29", "123.4.164.205"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips) or DestinationHostName in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Data Requirements

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF/syslog forwarding from proxies and firewalls. Ensure the connector is enabled and that DestinationIP, DestinationPort and RequestURL are mapped by the sending device |
| DnsEvents | Populated by the Windows DNS Analytics connector. Ensure it is enabled; of limited value for this list, since the URLs use raw IPs and generate no DNS lookup for the payload host |
False Positive Scenarios

Scenario: A malware analyst or an automated sandbox deliberately fetches a sample from a listed URL for analysis.
Filter/Exclusion: Exclude the analysis hosts or sandbox subnet by SourceIP. Do not extend the exclusion to ordinary workstations; a fetch from one of those is exactly what the detection is for.

Scenario: A URL-reputation, link-scanning or vulnerability-scanning service in the environment probes listed URLs as part of its own checks.
Filter/Exclusion: Exclude the scanner's source addresses once its behaviour is documented, and confirm from DeviceAction whether the request was blocked.

Scenario: The listed hosts are dynamic residential addresses serving the payload on an ephemeral high port. After the infected device goes offline, the address may be reassigned, and unrelated traffic to it on other ports will still match an IP-only rule.
Filter/Exclusion: Match on the IP and port pair rather than the IP alone; treat a hit on a different port and path as low confidence, and check the URL's current Status in URLhaus before escalating.

Scenario: The proxy or firewall blocked the request (DeviceAction shows a deny).
Filter/Exclusion: Do not exclude these. A blocked download still means the source host attempted to retrieve the payload, typically because something on it is already running the dropper's download command; triage the source host.

Scenario: The hard-coded IP list in the queries drifts from the feed as URLhaus marks entries offline and adds new ones.
Filter/Exclusion: Refresh the list from the URLhaus feed rather than editing the query by hand. Keep older entries for retrospective hunting, but use the Date Added and Status fields to prioritise hits.
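The matching logic that the two Sentinel queries and the false positive notes describe, run offline over constructed log lines, as an added example that is not part of the original page or of URLhaus: it reuses five URLs from the IOC table above, matches on the IP:port pair rather than the IP alone, drops requests from an assumed sandbox subnet (10.0.200.0/24), keeps blocked requests as findings, and emits an equivalent CommonSecurityLog query keyed on the same pairs. The log line format, the sandbox subnet and the sample lines are assumptions.

```python
"""Offline hunt for URLhaus '32-bit' dropper URLs in proxy/firewall logs.

Added example, not code from the page or from URLhaus. Log format, sandbox
subnet and sample lines are assumptions; the IOC URLs are from the page.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the IOC table on this page (defanged hxxp:// as published).
IOC_URLS = [
    "hxxp://125.44.194.80:49682/i",
    "hxxp://123.188.118.239:45402/bin.sh",
    "hxxp://110.36.80.171:37569/i",
    "hxxp://110.36.80.171:37569/bin.sh",
    "hxxp://61.52.33.251:33922/bin.sh",
]

# Assumed: analysis sandboxes live here; their fetches of samples are expected.
SANDBOX_NETS = [ipaddress.ip_network("10.0.200.0/24")]

# Constructed sample proxy log lines, assumed format: "<ts> <src_ip> <action> <url>".
SAMPLE_LOGS = [
    "2026-05-21T10:01:02Z 10.0.4.17 allow http://125.44.194.80:49682/i",
    "2026-05-21T10:01:05Z 10.0.9.3 deny http://110.36.80.171:37569/bin.sh",
    "2026-05-21T10:02:00Z 10.0.9.3 allow http://110.36.80.171:8080/index.html",
    "2026-05-21T10:03:00Z 10.0.200.5 allow http://61.52.33.251:33922/bin.sh",
    "2026-05-21T10:04:00Z 10.0.4.18 allow https://www.example.com/",
]


def refang(url: str) -> str:
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def endpoint(url: str):
    """(host, port) for a URL; port defaults to 80/443 by scheme."""
    p = urlsplit(refang(url))
    return p.hostname, p.port or (443 if p.scheme == "https" else 80)


def ioc_endpoints(urls=IOC_URLS):
    """Set of (ip, port) pairs extracted from the IOC URLs."""
    return {endpoint(u) for u in urls}


def is_sandbox(src_ip: str) -> bool:
    """True when the request came from an assumed analysis/sandbox subnet."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SANDBOX_NETS)


def hunt(log_lines, urls=IOC_URLS):
    """Return hits with a confidence label, skipping sandbox sources.

    high: destination IP and port both match a listed URL, any path (a dropper
          on that socket serves sibling files such as /i and /bin.sh).
    low:  only the IP matches; a different port suggests a reassigned
          residential address rather than the dropper.
    Denied requests are kept: the source still attempted the download.
    """
    endpoints = ioc_endpoints(urls)
    ioc_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_lines:
        ts, src, action, url = line.split()
        if is_sandbox(src):
            continue
        host, port = endpoint(url)
        if (host, port) in endpoints:
            conf = "high"
        elif host in ioc_ips:
            conf = "low"
        else:
            continue
        hits.append({"time": ts, "src": src, "action": action,
                     "dst": f"{host}:{port}", "confidence": conf})
    return hits


def to_kql(urls=IOC_URLS) -> str:
    """Emit a Sentinel CommonSecurityLog query keyed on the same ip:port pairs."""
    pairs = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(ioc_endpoints(urls)))
    return (
        f"let ioc_endpoints = dynamic([{pairs}]);\n"
        "CommonSecurityLog\n"
        '| extend dst = strcat(DestinationIP, ":", tostring(DestinationPort))\n'
        "| where dst in (ioc_endpoints)\n"
        "| project TimeGenerated, SourceIP, dst, RequestURL, DeviceAction\n"
    )


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(h)
    print(to_kql())
```

Running the script prints two high-confidence hits (one of them a deny), one low-confidence hit on 110.36.80.171 over a port that is not in the list, nothing for the sandbox host, and the generated query. The generated query deliberately builds the `ip:port` string on the Sentinel side so that a reassigned address serving something else on another port does not match.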