The detection identifies potential adversary activity involving malicious URLs linked to the URLhaus entry d52f85, which is associated with known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs for command and control or data exfiltration.
IOC Summary
Threat: d52f85 Total URLs: 5 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://62.60.226.140/files/7726345600/stqhO73.exe | offline | malware_download | 2026-06-20 |
hxxp://62.60.226.140/tron2/file.exe | offline | malware_download | 2026-06-20 |
hxxp://62.60.226.140/tron3/file.exe | offline | malware_download | 2026-06-20 |
hxxp://62.60.226.140/files/7782139129/qmGXayc.exe | offline | malware_download | 2026-06-20 |
hxxp://62.60.226.140/tron1/file.exe | offline | malware_download | 2026-06-20 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: d52f85
let malicious_domains = dynamic(["62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["62.60.226.140"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool using the URL https://short.url/d52f85 as part of a security validation process.
Filter/Exclusion: Exclude URLs containing the string short.url or any URL that matches the internal testing domain.
Scenario: A scheduled job runs a script that fetches updates from a known internal repository hosted at https://repo.internal/d52f85 to apply configuration changes.
Filter/Exclusion: Exclude URLs that match the internal repository domain repo.internal or any URL containing the path /d52f85.
Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender ATP is performing a scheduled scan and generates a report with a URL https://d52f85.report/scan as part of its output.
Filter/Exclusion: Exclude URLs that match the pattern d52f85.report or any URL that contains the string scan in the path.
Scenario: An Ansible playbook is executed that includes a URL https://d52f85.example.com/api/config to retrieve configuration data from a trusted internal API.
Filter/Exclusion: Exclude URLs that match the domain d52f85.example.com or any URL that contains the string api/config.
Scenario: A Windows Task Scheduler job is configured to download a PowerShell script from https://d52f85.update/script.ps1 to apply a patch or update.
Filter/Exclusion: Exclude URLs that match the domain d52f85.update or any URL that contains the string script.ps1 in the path.