The hypothesis is that hosts in the environment have contacted one or more of the URLs below, which URLhaus tags "32-bit" and classifies as malware_download. Each indicator is a bare IP address serving a payload (paths /i and /bin.sh) on a non-standard high port, so a match is not C2 beaconing but a host fetching, or attempting to fetch, a malicious payload after some earlier compromise. SOC teams should hunt for these indicators in Azure Sentinel (now Microsoft Sentinel) to find the downloading hosts, establish how they were compromised, and contain them.
IOC Summary

Threat: 32-bit
Total URLs: 15
Active URLs: 15
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.126.92.217:57548/i | online | malware_download | 2026-05-19 |
| hxxp://115.49.233.54:59614/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://42.226.71.215:46885/i | online | malware_download | 2026-05-19 |
| hxxp://182.119.69.252:33276/i | online | malware_download | 2026-05-19 |
| hxxp://42.233.145.73:42871/i | online | malware_download | 2026-05-19 |
| hxxp://182.119.69.252:33276/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://110.36.95.246:56753/i | online | malware_download | 2026-05-19 |
| hxxp://110.37.70.50:43787/i | online | malware_download | 2026-05-19 |
| hxxp://115.55.233.47:49109/i | online | malware_download | 2026-05-19 |
| hxxp://182.113.39.27:37092/i | online | malware_download | 2026-05-19 |
| hxxp://115.55.44.93:55717/i | online | malware_download | 2026-05-19 |
| hxxp://115.48.163.164:54335/i | online | malware_download | 2026-05-19 |
| hxxp://115.48.163.164:54335/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://110.39.241.244:44243/i | online | malware_download | 2026-05-19 |
| hxxp://36.84.115.209:42789/i | online | malware_download | 2026-05-19 |

URLs are defanged (hxxp). The Status column is a point-in-time snapshot from the Date Added; confirm the current URLhaus status before escalating a hit on an older record.
The two queries below are independent; run each on its own. The indicators are IP addresses, not domain names, so the DNS query must look at the resolved addresses (IPAddresses) rather than the queried name, and the web-traffic query matches on DestinationIP as well as on the URL and host-name fields.

```kusto
// Query 1: hunt for DNS answers that resolve to the URLhaus "32-bit" payload hosts.
// The IOCs are bare IPs, so they can only appear in the resolved addresses, never in Name.
// Threat: 32-bit
let malicious_ips = dynamic(["42.226.71.215", "110.37.70.50", "182.126.92.217", "115.55.44.93", "115.48.163.164", "182.119.69.252", "110.39.241.244", "42.233.145.73", "115.55.233.47", "110.36.95.246", "36.84.115.209", "182.113.39.27", "115.49.233.54"]);
DnsEvents
| where isnotempty(IPAddresses)
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Query 2: hunt for proxy/firewall (CEF) traffic to the URLhaus "32-bit" payload hosts.
// Match the destination IP exactly, and also the URL and host-name fields for devices
// that log the request rather than the connection. The payloads sit on high, non-standard
// ports, so DestinationPort is projected for triage rather than used as a filter.
let malicious_ips = dynamic(["42.226.71.215", "110.37.70.50", "182.126.92.217", "115.55.44.93", "115.48.163.164", "182.119.69.252", "110.39.241.244", "42.233.145.73", "115.55.233.47", "110.36.95.246", "36.84.115.209", "182.113.39.27", "115.49.233.54"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

A DeviceAction of allow (or an absent action) on a hit means the download may have completed; prioritise those sources over blocked attempts, but treat a blocked attempt as evidence that the source host is already running something that wants the payload.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF data connector is enabled and that your proxy/firewall populates DestinationIP; RequestURL and DestinationHostName are only filled by devices that log at the request level |
| DnsEvents | Ensure the DNS data connector is enabled; if your DNS telemetry is ingested into a different table, point Query 1 at that table and its resolved-address column |
False positives

These indicators are bare IP addresses on non-standard ports, so an allow-list keyed on vendor host names never intersects them: any match on the IP itself is a true positive until the destination is shown to be a known asset. Exclusions must be keyed on the destination host (exact name, a dot-suffix, or an asset list), never on a keyword in the URL path such as "install" or "/backup", because the attacker controls the path and a path-keyword filter would suppress exactly the hits this hunt is looking for. The scenarios below matter only when this IP list is folded into a broader download-monitoring rule.

Scenario: Legitimate system update or patch deployment caught by a broader download rule
Filter/Exclusion: Exclude the vendor's update hosts by exact host name, not by substring (the page's list: update.microsoft.com, windowsupdate.microsoft.com, patch.microsoft.com)
Example: DestinationHostName in ("update.microsoft.com", "windowsupdate.microsoft.com", "patch.microsoft.com")

Scenario: Scheduled backup job fetching a script or tool over HTTP
Filter/Exclusion: Exclude the backup server itself by host name or IP from your asset inventory, not "backup", "restore" or "snapshot" in the path
Example: DestinationIP in (backup_servers), where backup_servers is a dynamic list or watchlist of your backup hosts

Scenario: Admin task installing or configuring 32-bit software from an internal distribution point
Filter/Exclusion: Exclude the distribution server by host name, never "setup.exe", "install" or "configure" in the path
Example: DestinationHostName endswith ".corp.example.com" (substitute your own internal domain)

Scenario: Internal tool or service hosted on a server with public access
Filter/Exclusion: Exclude destinations in private (RFC 1918) ranges; the IOC IPs are all public, so this exclusion cannot mask them
Example: not(ipv4_is_private(DestinationIP))

Scenario: Legitimate 32-bit application download from a trusted vendor
Filter/Exclusion: Exclude the vendor download hosts by exact host name or dot-suffix (the page's list: download.nvidia.com, support.apple.com, ftp.gnu.org)
Example: DestinationHostName in ("download.nvidia.com", "support.apple.com", "ftp.gnu.org")