The detection identifies potential adversary activity involving malicious URLs linked to the URLhaus entry d52f85, which are associated with known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs for command and control or data exfiltration.
IOC Summary

Threat: d52f85 | Total URLs: 2 | Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://62.60.226.140/files/8472153909/3FpT6M6.exe | offline | malware_download | 2026-05-31 |
| hxxp://62.60.226.140/files/8472153909/hKWQmrM.exe | offline | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: d52f85
// Note: the indicator for this entry is a bare IP address, so it will not appear in
// DNS query names; it is also matched against the resolved addresses (IPAddresses).
let malicious_domains = dynamic(["62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: d52f85
// Note: the indicator is an IP, so DestinationIP is checked alongside the URL and hostname fields.
let malicious_domains = dynamic(["62.60.226.140"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortener tool by visiting a known benign URL that matches the d52f85 tag during testing.
  - Filter/Exclusion: Exclude URLs that are part of internal testing environments or whitelisted by the security team using a custom IP or domain list.
- Scenario: A scheduled job runs a script that fetches updates from a public repository (e.g., GitHub Actions) and includes a URL that is mistakenly tagged as d52f85.
  - Filter/Exclusion: Exclude URLs from known CI/CD platforms like GitHub, GitLab, or Bitbucket using their domain names or IP ranges.
- Scenario: A user is accessing a legitimate internal portal that uses a URL pattern matching the d52f85 tag due to a misconfigured URL shortener or legacy system.
  - Filter/Exclusion: Exclude URLs that originate from internal domains (e.g., internal.example.com) or match a specific regex pattern used by the company's internal URL shortener.
- Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender is performing a scheduled scan and generates a URL that is falsely tagged as d52f85 during its analysis process.
  - Filter/Exclusion: Exclude URLs that are generated by security tools or sandbox environments using a known list of such tools or their internal IP ranges.
- Scenario: A backup or sync job (e.g., Veeam or rsync) is transferring files over HTTP and includes a URL that is flagged due to a misconfigured or outdated URL tagging system.
  - Filter/Exclusion: Exclude URLs that are part of backup or sync operations by checking for specific headers, user agents, or source IP ranges associated with backup systems.
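As an added example (not part of the original page), the two Sentinel hunts and the exclusion rules above worked through in Python over constructed DnsEvents- and CommonSecurityLog-style records: it refangs the URLhaus entries, separates IP indicators from hostname indicators so each is matched against the right log field, and applies a hypothetical allowlist (`ALLOWLIST_SUFFIXES`, an assumption) standing in for the Filter/Exclusion lists.

```python
import ipaddress
from urllib.parse import urlsplit

IOC_URLS = [  # the two defanged URLs from the IOC table above
    "hxxp://62.60.226.140/files/8472153909/3FpT6M6.exe",
    "hxxp://62.60.226.140/files/8472153909/hKWQmrM.exe",
]
ALLOWLIST_SUFFIXES = ("internal.example.com", "github.com")  # hypothetical exclusion list

def refang(url):
    """Undo the hxxp:// and [.] defanging used in URLhaus exports."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def split_iocs(urls):
    """Split IOC hosts into IPs and domains: a bare IP never appears in a DNS query name."""
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(refang(url)).hostname or ""
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.lower())
    return ips, domains

def is_allowlisted(host):
    h = (host or "").lower()
    return any(h == s or h.endswith("." + s) for s in ALLOWLIST_SUFFIXES)

def match_dns_event(event, ips, domains):
    """DnsEvents-style record: IOC domains against Name, IOC IPs against IPAddresses."""
    name = (event.get("Name") or "").lower()
    if is_allowlisted(name):
        return False
    resolved = {a.strip() for a in (event.get("IPAddresses") or "").split(",")}
    return name in domains or bool(resolved & ips)

def match_web_event(event, ips, domains):
    """CommonSecurityLog-style record: RequestURL host, DestinationHostName, DestinationIP."""
    host = urlsplit(event.get("RequestURL") or "").hostname or event.get("DestinationHostName") or ""
    if is_allowlisted(host):
        return False
    return host.lower() in domains or host in ips or event.get("DestinationIP") in ips

# Constructed sample records, not real telemetry.
SAMPLE_DNS = [{"Computer": "ws01", "Name": "updates.internal.example.com", "IPAddresses": "10.0.0.5"},
              {"Computer": "ws02", "Name": "cdn.example.net", "IPAddresses": "62.60.226.140"}]
SAMPLE_WEB = [{"SourceIP": "10.0.1.7", "RequestURL": "http://62.60.226.140/files/8472153909/3FpT6M6.exe",
               "DestinationHostName": "", "DestinationIP": "62.60.226.140"},
              {"SourceIP": "10.0.1.8", "RequestURL": "https://github.com/org/repo/releases",
               "DestinationHostName": "github.com", "DestinationIP": "203.0.113.10"}]
```

The second DNS record matches only because the resolved address is checked; a query on `Name` alone, as in the original hunt, would miss an IP-only indicator.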