This hunt hypothesis covers potential exfiltration and persistence activity by the DcRat remote access trojan, which is commonly delivered through malicious URLs. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and contain early-stage compromises before data exfiltration occurs.
IOC Summary
Threat: dcrat
Total URLs: 6
Active URLs: 5

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://64.89.160.17/System1.vbs | online | malware_download | 2026-05-27 |
| hxxps://raw.githubusercontent.com/cabeto850128/comicsam/refs/heads/main/kiSBJ4DDvg.pif | online | malware_download | 2026-05-27 |
| hxxp://64.89.160.17/System2.vbs | online | malware_download | 2026-05-27 |
| hxxps://raw.githubusercontent.com/cabeto850128/comicsam/refs/heads/main/CdBhhfa.html | online | malware_download | 2026-05-27 |
| hxxps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2F1%20link%20dll.txt?alt=media&token=e7389ad2-4ad9-4fb7-bf60-2a502bbb6c6c | online | malware_download | 2026-05-27 |
| hxxp://64.89.160.17/System.vbs | offline | malware_download | 2026-05-27 |
The two KQL queries below are run separately, so each declares its own indicator list.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: dcrat
// Note: raw.githubusercontent.com and firebasestorage.googleapis.com are shared
// hosting domains, so a host-level match is a lead to triage, not a verdict;
// the full URL paths in the IOC table give the high-confidence match.
let malicious_domains = dynamic(["firebasestorage.googleapis.com", "raw.githubusercontent.com", "64.89.160.17"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: dcrat
let malicious_domains = dynamic(["firebasestorage.googleapis.com", "raw.githubusercontent.com", "64.89.160.17"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via URLhaus-Listed URL
Description: A system administrator manually updates software using a URL from the URLhaus list, which is known to host malicious URLs but is also used for legitimate security research purposes.
Filter/Exclusion: Exclude URLs that match known security tool repositories (e.g., https://urlhaus.abuse.ch, https://virusshare.com, or https://malware-traffic-light.com).
Scenario: Scheduled Job for Threat Intelligence Feeds
Description: A scheduled job runs to fetch threat intelligence feeds from URLhaus, which includes URLs that may be flagged by the detection rule.
Filter/Exclusion: Exclude traffic originating from internal threat intelligence systems (e.g., 10.0.0.0/8 or specific internal IP ranges used by SIEM or SOAR tools like Splunk, Palo Alto Prisma Access, or IBM QRadar).
Scenario: Admin Accessing Malicious URL for Analysis
Description: A security analyst or SOC team member accesses a URL from URLhaus to analyze its behavior in a sandboxed environment.
Filter/Exclusion: Exclude user agents that match internal security tools (e.g., Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0 or Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)).
Scenario: Legitimate Software Distribution via Phishing-Resistant URL
Description: A company uses a phishing-resistant URL shortener (e.g., bitly.com, rebrandly.com) to distribute legitimate software updates, which may be mistakenly flagged by the rule.
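The following is an added example, not part of the original hunt page, showing the matching logic of the two KQL queries and the exclusions from the scheduled-job and analyst scenarios as an offline Python model. It takes the indicators from the IOC table above, matches them against DNS and proxy records in the shape of the DnsEvents and CommonSecurityLog columns, reports an exact URL match as high confidence and a bare host match on a shared hosting domain as low confidence, and drops traffic from the internal 10.0.0.0/8 range or from the Firefox user agent named in the scenarios. All log records, hostnames and IP addresses other than the IOCs themselves are constructed sample data.

```python
"""Offline model of the Sentinel hunt above: extract indicators from the
URLhaus-style IOC table, match them against DNS and proxy records the way the
two KQL queries do, then apply the exclusions from the false-positive scenarios.
Every log record below is constructed sample data, not real telemetry."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators from the IOC table, kept defanged (hxxp/hxxps) as on the page.
IOC_URLS = [
    "hxxp://64.89.160.17/System1.vbs",
    "hxxps://raw.githubusercontent.com/cabeto850128/comicsam/refs/heads/main/kiSBJ4DDvg.pif",
    "hxxp://64.89.160.17/System2.vbs",
    "hxxps://raw.githubusercontent.com/cabeto850128/comicsam/refs/heads/main/CdBhhfa.html",
    "hxxps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2F1%20link%20dll.txt?alt=media&token=e7389ad2-4ad9-4fb7-bf60-2a502bbb6c6c",
    "hxxp://64.89.160.17/System.vbs",
]

# Exclusions from the scenarios: the internal TI range and the analyst user agent.
INTERNAL_TI_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
SECURITY_TOOL_USER_AGENTS = {
    "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0",
}


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def indicators(urls):
    """Split the IOC list into host indicators (the has_any list in the queries)
    and full URLs (used for a high-confidence proxy match)."""
    hosts, full_urls = set(), set()
    for url in urls:
        clean = refang(url)
        hosts.add(urlparse(clean).hostname.lower())
        full_urls.add(clean)
    return hosts, full_urls


def hunt_dns(events, hosts):
    """Equivalent of the DnsEvents query: the queried name is one of the IOC hosts."""
    return [e for e in events if e["Name"].lower() in hosts]


def is_excluded(event):
    """Apply the scenario exclusions to one proxy record."""
    source = ipaddress.ip_address(event["SourceIP"])
    if any(source in net for net in INTERNAL_TI_RANGES):
        return True  # scheduled feed pulls from internal TI systems
    if event.get("UserAgent") in SECURITY_TOOL_USER_AGENTS:
        return True  # analyst tooling fetching a sample for sandbox analysis
    return False


def hunt_web(events, hosts, full_urls):
    """Equivalent of the CommonSecurityLog query with two refinements: an exact
    URL match is high confidence, a bare host match (shared hosting domains such
    as raw.githubusercontent.com) is low confidence, and excluded traffic is dropped."""
    hits = []
    for event in events:
        url = event["RequestURL"]
        host = (urlparse(url).hostname or event["DestinationHostName"]).lower()
        if url in full_urls:
            confidence = "high"
        elif host in hosts:
            confidence = "low"
        else:
            continue
        if is_excluded(event):
            continue
        hits.append({**event, "Confidence": confidence})
    return hits


# Constructed sample telemetry with columns named like the Sentinel tables.
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-27T09:12:01Z", "Computer": "WS01", "Name": "raw.githubusercontent.com", "IPAddresses": "185.199.108.133"},
    {"TimeGenerated": "2026-05-27T09:12:05Z", "Computer": "WS02", "Name": "example.com", "IPAddresses": "93.184.216.34"},
]
PROXY_EVENTS = [
    # Workstation fetching an IOC URL exactly: high-confidence hit.
    {"TimeGenerated": "2026-05-27T09:13:00Z", "SourceIP": "192.168.5.20", "RequestURL": "http://64.89.160.17/System1.vbs",
     "DestinationHostName": "64.89.160.17", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "DeviceAction": "allow"},
    # Internal TI system in 10.0.0.0/8 pulling the same sample: excluded (scheduled-job scenario).
    {"TimeGenerated": "2026-05-27T09:14:00Z", "SourceIP": "10.1.2.3", "RequestURL": refang(IOC_URLS[4]),
     "DestinationHostName": "firebasestorage.googleapis.com", "UserAgent": "ti-fetcher/1.0", "DeviceAction": "allow"},
    # Analyst workstation with the listed Firefox user agent: excluded (analyst scenario).
    {"TimeGenerated": "2026-05-27T09:15:00Z", "SourceIP": "192.168.5.40", "RequestURL": "http://64.89.160.17/System2.vbs",
     "DestinationHostName": "64.89.160.17", "UserAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0", "DeviceAction": "allow"},
    # Developer fetching an unrelated file from the shared hosting domain: low-confidence hit.
    {"TimeGenerated": "2026-05-27T09:16:00Z", "SourceIP": "192.168.7.8", "RequestURL": "https://raw.githubusercontent.com/exampleorg/tools/main/README.md",
     "DestinationHostName": "raw.githubusercontent.com", "UserAgent": "curl/8.5.0", "DeviceAction": "allow"},
]


def run_hunt():
    """Run both hunts over the sample telemetry and return the surviving hits."""
    hosts, full_urls = indicators(IOC_URLS)
    return {"dns": hunt_dns(DNS_EVENTS, hosts), "web": hunt_web(PROXY_EVENTS, hosts, full_urls)}


if __name__ == "__main__":
    for table, hits in run_hunt().items():
        for hit in hits:
            print(table, hit.get("Computer", hit.get("SourceIP")), hit.get("Name", hit.get("RequestURL")), hit.get("Confidence", ""))
```

The confidence split is the point to carry back into the KQL: matching `RequestURL` against the full defanged-and-refanged URLs from the table, with the host list kept as a second, lower-priority rule, keeps the shared GitHub and Firebase domains from burying the real hits in developer traffic.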