The detection identifies potential adversary activity involving malicious URLs associated with the URLhaus tag d52f85, which are commonly used for phishing and malware distribution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts before they lead to data exfiltration or system compromise.
IOC Summary

Threat: d52f85 | Total URLs: 2 | Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://62.60.226.140/files/7640890992/e7RwnpZ.exe | offline | malware_download | 2026-05-26 |
| hxxp://62.60.226.140/files/7774414118/t0HVTP7.msi | offline | malware_download | 2026-05-26 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: d52f85
// Note: this tag's indicators are bare IP literals, so a match on the queried
// Name alone would miss them; also check the resolved IPAddresses column.
let malicious_domains = dynamic(["62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: d52f85
let malicious_domains = dynamic(["62.60.226.140"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positives

| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a new endpoint protection tool by visiting a known benign URL from the URLhaus database for validation purposes. | Exclude URLs that match the URLhaus database and are tagged with d52f85 when the source is a known admin tool or internal testing environment. |
| A scheduled job runs a script to download and verify malware samples from a trusted internal repository, which includes URLs tagged as d52f85 for signature validation. | Exclude URLs that originate from internal repositories or are part of automated malware analysis workflows. |
| A user is accessing a legitimate cloud storage service (e.g., Google Drive, Dropbox) that has been flagged by URLhaus due to a previous compromise, but the user is accessing their own files. | Exclude URLs that are associated with user-owned cloud storage accounts or are part of a known legitimate service. |
| A security tool (e.g., CrowdStrike, SentinelOne) is performing a live response action and is downloading a payload from a URL tagged as d52f85 for analysis. | Exclude URLs that are part of live response or incident response activities involving known security tools. |
| A developer is using a CI/CD pipeline (e.g., Jenkins, GitHub Actions) to fetch dependencies from a public repository, and one of the URLs is mistakenly tagged as d52f85 in the URLhaus database. | Exclude URLs that are part of CI/CD pipelines or public dependency sources, especially when the request is initiated by a known build or deployment tool. |
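The following is an added offline re-implementation of the two hunts above together with the source-based exclusions from the false-positive table, run over constructed sample events. It is not URLhaus, Sentinel or detection-content code; the sample DNS and proxy records, the `10.20.0.5` sandbox address used for the exclusion, and the field names of the dataclasses are assumptions for illustration. It shows two things the KQL alone does not: how the defanged `hxxp://` IOC URLs are normalised into the indicator set the queries key on, and why a DNS hunt for an IP-literal indicator has to look at resolved addresses rather than only queried names.

```python
"""Offline mirror of the d52f85 DnsEvents and CommonSecurityLog hunts.

Added example, not code from the original page. Sample events and the
exclusion list below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC rows exactly as the URLhaus summary lists them (defanged scheme).
IOC_URLS = [
    "hxxp://62.60.226.140/files/7640890992/e7RwnpZ.exe",
    "hxxp://62.60.226.140/files/7774414118/t0HVTP7.msi",
]

# Assumed: source address of an internal malware-analysis sandbox whose
# downloads are expected (false-positive scenario "automated malware
# analysis workflows").
EXCLUDED_SOURCES = {"10.20.0.5"}


def refang(url: str) -> str:
    """Turn the URLhaus defanged scheme (hxxp/hxxps) back into http/https."""
    lower = url.lower()
    if lower.startswith("hxxps://"):
        return "https://" + url[8:]
    if lower.startswith("hxxp://"):
        return "http://" + url[7:]
    return url


def ioc_hosts(urls):
    """Equivalent of the KQL `malicious_domains` list: host part of each IOC URL."""
    return {urlsplit(refang(u)).hostname for u in urls}


@dataclass
class DnsEvent:            # subset of the Sentinel DnsEvents columns used above
    time_generated: str
    computer: str
    name: str              # queried name
    ip_addresses: str      # resolved addresses, comma-separated


@dataclass
class ProxyEvent:          # subset of the CommonSecurityLog columns used above
    time_generated: str
    source_ip: str
    request_url: str
    destination_host_name: str
    device_action: str


def hunt_dns(events, hosts):
    """DnsEvents hunt: an IP-literal IOC only shows up in the resolved addresses."""
    hits = []
    for e in events:
        resolved = {a.strip() for a in e.ip_addresses.split(",") if a.strip()}
        if e.name in hosts or resolved & hosts:
            hits.append(e)
    return hits


def hunt_proxy(events, hosts, excluded=EXCLUDED_SOURCES):
    """CommonSecurityLog hunt with the source-based exclusion applied."""
    hits = []
    for e in events:
        if e.source_ip in excluded:
            continue
        url_host = urlsplit(refang(e.request_url)).hostname if e.request_url else None
        if url_host in hosts or e.destination_host_name in hosts:
            hits.append(e)
    return hits


# Constructed sample telemetry: one benign lookup, one resolution to the IOC IP,
# one workstation download, one sandbox download, one unrelated request.
SAMPLE_DNS = [
    DnsEvent("2026-05-26T10:01:00Z", "ws-017", "update.contoso.example", "203.0.113.7"),
    DnsEvent("2026-05-26T10:02:00Z", "ws-042", "download.unknown-host.example", "62.60.226.140"),
]
SAMPLE_PROXY = [
    ProxyEvent("2026-05-26T10:02:05Z", "10.20.1.42",
               "http://62.60.226.140/files/7640890992/e7RwnpZ.exe", "62.60.226.140", "allow"),
    ProxyEvent("2026-05-26T11:30:00Z", "10.20.0.5",
               "http://62.60.226.140/files/7774414118/t0HVTP7.msi", "62.60.226.140", "allow"),
    ProxyEvent("2026-05-26T11:31:00Z", "10.20.1.17",
               "https://www.example.org/", "www.example.org", "allow"),
]


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    for hit in hunt_dns(SAMPLE_DNS, hosts):
        print("DNS hit:", hit.time_generated, hit.computer, hit.name, hit.ip_addresses)
    for hit in hunt_proxy(SAMPLE_PROXY, hosts):
        print("Proxy hit:", hit.time_generated, hit.source_ip, hit.request_url)
```

Run as-is it reports the `ws-042` resolution and the `10.20.1.42` download, while the sandbox download is suppressed by the exclusion; passing `excluded=set()` to `hunt_proxy` restores it, which is the quickest way to confirm an exclusion is not hiding more than intended.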