The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware by matching DNS queries against known indicators, so that compromised hosts can be identified. SOC teams should proactively hunt for this behavior in Azure Sentinel to mitigate lateral movement and data exfiltration risks early in the attack lifecycle.
IOC Summary
Malware Family: Vidar
Total IOCs: 19
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | aandjequipmentrental.com | payload_delivery | 2026-05-17 | 100% |
| domain | angelphonerepair.com | payload_delivery | 2026-05-17 | 100% |
| domain | artmadasenegal.com | payload_delivery | 2026-05-17 | 100% |
| domain | beltboutique.co.uk | payload_delivery | 2026-05-17 | 100% |
| domain | boostpadel.se | payload_delivery | 2026-05-17 | 100% |
| domain | deriveratreeservice.com | payload_delivery | 2026-05-17 | 100% |
| domain | divinni.com.br | payload_delivery | 2026-05-17 | 100% |
| domain | downholeinjection.com | payload_delivery | 2026-05-17 | 100% |
| domain | euroequipment.co.th | payload_delivery | 2026-05-17 | 100% |
| domain | foodturerebels.com | payload_delivery | 2026-05-17 | 100% |
| domain | fotomedia.hr | payload_delivery | 2026-05-17 | 100% |
| domain | gsmtax.com | payload_delivery | 2026-05-17 | 100% |
| domain | istriamaestranza.cl | payload_delivery | 2026-05-17 | 100% |
| domain | linxiabeautyworks.com | payload_delivery | 2026-05-17 | 100% |
| domain | metaa.co.mz | payload_delivery | 2026-05-17 | 100% |
| domain | semperfimovers.com | payload_delivery | 2026-05-17 | 100% |
| domain | thegingamebroadway.com | payload_delivery | 2026-05-17 | 100% |
| domain | womenincancer.com | payload_delivery | 2026-05-17 | 100% |
| domain | worldrank.net | payload_delivery | 2026-05-17 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic([
    "aandjequipmentrental.com", "angelphonerepair.com", "artmadasenegal.com",
    "beltboutique.co.uk", "boostpadel.se", "deriveratreeservice.com",
    "divinni.com.br", "downholeinjection.com", "euroequipment.co.th",
    "foodturerebels.com", "fotomedia.hr", "gsmtax.com",
    "istriamaestranza.cl", "linxiabeautyworks.com", "metaa.co.mz",
    "semperfimovers.com", "thegingamebroadway.com", "womenincancer.com",
    "worldrank.net"
]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
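The same matching logic, run offline over a few DNS records, as an added example that is not part of this page or of the ThreatFox or Sentinel tooling. The `has_any` operator in the query above matches on whole, case-insensitive terms, so a lookup for a subdomain of a listed domain is flagged as well as an exact match; the Python below makes that rule explicit by comparing on label boundaries, so a lookalike name that merely contains a listed domain as a substring is not flagged. The `DnsEvent` record type and the sample records are constructed for illustration and are not real telemetry.

```python
"""Offline check of the ThreatFox Vidar domain list against DNS query records.

Mirrors the intent of the Sentinel hunt: flag any DnsEvents-style record whose
queried Name equals one of the listed domains or is a subdomain of one.
Matching is done on label boundaries, so "notworldrank.net" is not flagged
while "www.worldrank.net" is. The records below are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domains taken from the IOC table on this page (ThreatFox, Vidar, payload_delivery).
MALICIOUS_DOMAINS = frozenset({
    "aandjequipmentrental.com", "angelphonerepair.com", "artmadasenegal.com",
    "beltboutique.co.uk", "boostpadel.se", "deriveratreeservice.com",
    "divinni.com.br", "downholeinjection.com", "euroequipment.co.th",
    "foodturerebels.com", "fotomedia.hr", "gsmtax.com",
    "istriamaestranza.cl", "linxiabeautyworks.com", "metaa.co.mz",
    "semperfimovers.com", "thegingamebroadway.com", "womenincancer.com",
    "worldrank.net",
})


@dataclass(frozen=True)
class DnsEvent:
    """Hypothetical stand-in for the DnsEvents columns the KQL projects."""
    time_generated: str
    computer: str
    name: str
    query_type: str


def matched_ioc(name: str, iocs: frozenset = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    DNS names are case-insensitive and may carry a trailing dot, so normalise first.
    """
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name toward the shortest suffix: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(events: Iterable[DnsEvent]) -> List[Tuple[DnsEvent, str]]:
    """Return (event, matched_ioc) pairs, newest first, like the KQL's order by."""
    hits = [(e, ioc) for e in events if (ioc := matched_ioc(e.name)) is not None]
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


# Constructed sample records: two true hits, one lookalike, one benign, one
# upper-case name with a trailing dot to exercise normalisation.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-17T10:01:00Z", "WS-01", "worldrank.net", "A"),
    DnsEvent("2026-05-17T10:02:00Z", "WS-02", "www.worldrank.net", "A"),
    DnsEvent("2026-05-17T10:03:00Z", "WS-03", "notworldrank.net", "A"),
    DnsEvent("2026-05-17T10:04:00Z", "WS-04", "example.com", "A"),
    DnsEvent("2026-05-17T10:05:00Z", "WS-05", "GSMTAX.COM.", "AAAA"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} queried {event.name} (IOC: {ioc})")
```

When triaging hits, the matched IOC is worth carrying alongside the raw query name: it is what you pivot on against the ThreatFox entry, and it makes it obvious when many distinct subdomains resolve to the same listed domain.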
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to perform routine system diagnostics and logs are being written to C:\Windows\Temp\diagnostics.log.
Filter/Exclusion: Exclude files with the path C:\Windows\Temp\* or filter by process name powershell.exe with a known benign command line.
Scenario: A scheduled job runs Task Scheduler to clean up temporary files, and the script uses PsExec to execute a cleanup command on remote machines.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or filter by the presence of psexec.exe in the command line with known benign arguments.
Scenario: A SIEM log collection agent writes logs to C:\ProgramData\LogCollector\logs and uses LogParser to process them.
Filter/Exclusion: Exclude files in the path C:\ProgramData\LogCollector\* or filter by process name logparser.exe with known log processing arguments.
Scenario: A Windows Update installation process temporarily creates files in C:\Windows\SoftwareDistribution\Download.
Filter/Exclusion: Exclude files in the path C:\Windows\SoftwareDistribution\* or filter by process name wuauclt.exe or svchost.exe associated with Windows Update.
Scenario: A database backup job runs using SQL Server Agent and writes to C:\Backup\SQLBackups using SQLCMD.
Filter/Exclusion: Exclude files in the path C:\Backup\SQLBackups\* or filter by process name sqlcmd.exe or sqlagent.exe with known backup command lines.