The hypothesis is that the detected URLs point to malicious executable files that adversaries use to deliver payloads and compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they cause widespread damage.
IOC Summary
Threat: exe. Total URLs: 3. Active URLs: 3.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://vrdccbank.com/favour4.exe | online | malware_download | 2026-06-09 |
| hxxps://vrdccbank.com/Doppee7.exe | online | malware_download | 2026-06-09 |
| hxxps://vrdccbank.com/Freda4.exe | online | malware_download | 2026-06-09 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
let malicious_domains = dynamic(["vrdccbank.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: exe
let malicious_domains = dynamic(["vrdccbank.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a legitimate .exe file from a trusted repository (e.g., Microsoft Update or a known software vendor) to install a critical patch or update.
Filter/Exclusion: Exclude URLs that match known trusted update sources (e.g., *.update.microsoft.com, *.download.microsoft.com, or specific vendor domains).
Scenario: A scheduled job runs a PowerShell script that downloads a .exe file from an internal artifact repository (e.g., Nexus or Artifactory) to deploy a configuration change or application update.
Filter/Exclusion: Exclude URLs that originate from internal artifact repositories (e.g., *.nexus.company.com, *.artifactory.company.com) or match known internal IP ranges.
Scenario: A user runs a legitimate tool such as PowerShell or CertUtil to download a .exe file from a public CDN (e.g., Azure CDN or AWS S3) to install a third-party application or dependency.
Filter/Exclusion: Exclude URLs that match known CDN domains or are associated with legitimate software distribution channels.
Scenario: A system is running a legitimate scheduled task that uses curl or wget to fetch a .exe file from a company’s internal file server to update a service or configuration.
Filter/Exclusion: Exclude URLs that match internal file server paths (e.g., \\fileserver\shared\updates\*) or are associated with internal IP addresses.
Scenario: A security tool like OSSEC or Tripwire is configured to download a .exe file from a trusted URL to perform a system scan or integrity check.
Filter/Exclusion: Exclude URLs that match known security tool update or scan URLs (e.g., *.ossec.net, *.tripwire.com) or are associated with the tool’s known update
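The query below is an added example, not part of the original hunt pack. It combines the IOC table, the CommonSecurityLog hunt and the exclusions from the false-positive scenarios into one pass: exact URLhaus URL matches are labelled separately from other .exe downloads, and known-good sources are filtered out in the query rather than by hand. It assumes RequestURL holds a full URL, and the trusted_sources entries are placeholders for your own allowlisted update and artifact hosts.

```kusto
// Added example: hunt the exact URLhaus URLs from the IOC summary and, in the
// same pass, surface other .exe downloads that did not come from a trusted source.
let malicious_domains = dynamic(["vrdccbank.com"]);
let malicious_paths = dynamic(["/favour4.exe", "/Doppee7.exe", "/Freda4.exe"]);
// Placeholder allowlist taken from the false-positive scenarios above.
// Replace nexus.company.com / artifactory.company.com with your real internal hosts.
let trusted_sources = dynamic([
    "update.microsoft.com",
    "download.microsoft.com",
    "nexus.company.com",
    "artifactory.company.com"
]);
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Url = parse_url(RequestURL)
| extend ReqHost = tostring(Url.Host), ReqPath = tostring(Url.Path)
// Only executable downloads are in scope for this hypothesis
| where ReqPath endswith ".exe"
// Drop the known-good update/artifact sources (false-positive scenarios)
| where not(ReqHost has_any (trusted_sources))
| extend Verdict = case(
    ReqHost has_any (malicious_domains) and ReqPath in~ (malicious_paths), "URLhaus URL match",
    ReqHost has_any (malicious_domains), "URLhaus domain, new path",
    "untrusted exe download")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Downloads = count(), URLs = make_set(RequestURL, 20)
    by SourceIP, ReqHost, Verdict, DeviceAction
| order by Verdict asc, LastSeen desc
```

Rows with Verdict "URLhaus URL match" are confirmed IOC hits; "URLhaus domain, new path" indicates the adversary rotated filenames on the same host and is worth adding to the IOC table; "untrusted exe download" rows are review candidates to be triaged against the exclusion list.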