The hypothesis is that the detected URLs are likely malicious executable files used by adversaries to deliver payloads and compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: exe
Total URLs: 10
Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://github.com/ownertafsakka-beep/OutlastMods/releases/download/V1.0.0/OutlastTrials.exe | online | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/bdcf186ab_Vexaim-Rust.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/4e78a8b89_Vexaim-Valorant.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/0092d6c39_Vexaim-FiveM.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/449e8790f_Vexaim-Callofduty.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/d101f069e_Vexaim-Roblox.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/0b1e3a8e8_Vexaim-HwidSpoofer.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/c1dd75655_Vexaim-fortnite.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/2976463be_Vexaim-R6.exe | offline | malware_download | 2026-04-21 |
| hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/5e29793e1_Vexaim-ApexLegends.exe | offline | malware_download | 2026-04-21 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
// base44.app hosts 9 of the 10 indicators; github.com hosts the remaining one
// and is a shared host, so expect a large volume of benign matches on that term.
let malicious_domains = dynamic(["github.com", "base44.app"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious URLs
// Threat: exe
// Match RequestURL on the indicator paths rather than the bare domain so that
// ordinary github.com traffic is not flagged; base44.app is matched by host.
let malicious_domains = dynamic(["base44.app"]);
let malicious_paths = dynamic(["github.com/ownertafsakka-beep/OutlastMods", "base44.app/api/apps/69d07bbcdc06f301ae50f975"]);
CommonSecurityLog
| where RequestURL has_any (malicious_paths) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a legitimate .exe file from a trusted source (e.g., Microsoft Update) as part of a routine patch deployment.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.microsoft.com in the URL field.
Scenario: A scheduled job is running a legitimate software update tool (e.g., Chocolatey or WSUS) that downloads .exe files from internal repositories.
Filter/Exclusion: Exclude URLs containing internal-repo.company.com or chocolatey in the URL field.
Scenario: A user is accessing a legitimate .exe file hosted on a company’s internal file server (e.g., \\fileserver\shared\tools\setup.exe) via a mapped network drive.
Filter/Exclusion: Exclude URLs containing fileserver or \\fileserver in the URL field, or filter by internal IP ranges.
Scenario: A security tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) is performing a scheduled scan and temporarily downloads a .exe file for signature analysis.
Filter/Exclusion: Exclude URLs containing crowdstrike.com, microsoft.com, or defenderatp.microsoft.com in the URL field.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins, GitHub Actions) to deploy a build artifact that includes a .exe file as part of a legitimate application release.
Filter/Exclusion: Exclude URLs containing jenkins, github.com, or ci-cd.pipeline in the URL field.
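An added example in Python, not the hunt page's own code, of the matching logic the web-traffic query and the exclusion scenarios describe: it refangs the IOC URLs, extracts host and path, and checks constructed proxy log lines against host and path together, with the scenario exclusions applied as substring filters. A blanket substring exclusion of github.com (the fifth scenario) would also suppress the OutlastTrials.exe indicator in the table, so the matcher compares the path instead of excluding the host; the log lines, the 10.0.0.x addresses and the microsoft/vscode URL are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Two of the defanged indicators from the IOC table above (hxxp -> http).
IOCS = [
    "hxxps://github.com/ownertafsakka-beep/OutlastMods/releases/download/V1.0.0/OutlastTrials.exe",
    "hxxps://base44.app/api/apps/69d07bbcdc06f301ae50f975/files/mp/public/69d07bbcdc06f301ae50f975/bdcf186ab_Vexaim-Rust.exe",
]
# Substring exclusions taken from the false-positive scenarios (github.com deliberately omitted).
EXCLUSIONS = ["update.microsoft.com", "windowsupdate.microsoft.com", "chocolatey"]

def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def indicators(iocs=IOCS):
    """(host, path) pairs; the path separates the IOC from benign traffic on a shared host."""
    parsed = [urlparse(refang(u)) for u in iocs]
    return [((p.hostname or "").lower(), p.path) for p in parsed]

def match(url: str, iocs=IOCS):
    """Return 'host/path' of the matching indicator, or None; host AND path must agree."""
    if any(x in url.lower() for x in EXCLUSIONS):
        return None  # covered by an approved false-positive exclusion
    p = urlparse(url)
    host = (p.hostname or "").lower()
    for h, path in indicators(iocs):
        if host == h and p.path == path:
            return h + path
    return None

def hunt(log_lines):
    """Run match() over proxy log lines '<time> <src_ip> <url>'; return (time, src_ip, indicator) hits."""
    hits = []
    for line in log_lines:
        ts, src, url = line.split(" ", 2)
        hit = match(url)
        if hit:
            hits.append((ts, src, hit))
    return hits

# Constructed proxy log lines for this example, not real telemetry.
SAMPLE_LOG = [
    "2026-04-21T09:01:00Z 10.0.0.5 https://github.com/microsoft/vscode/releases",
    "2026-04-21T09:02:00Z 10.0.0.7 https://github.com/ownertafsakka-beep/OutlastMods/releases/download/V1.0.0/OutlastTrials.exe",
    "2026-04-21T09:03:00Z 10.0.0.9 https://update.microsoft.com/download/setup.exe",
]
```

Running `hunt(SAMPLE_LOG)` returns only the 10.0.0.7 download; the generic github.com visit and the excluded Microsoft Update fetch are left out.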