The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise organizational data integrity and confidentiality.
IOC Summary
Malware Family: Vidar
Total IOCs: 87
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["1net.ro", "1sttxreversemtg.com", "allstartsealing.com", "alnuric.org", "aplikasigerhanatoto1.com", "av-automotive.be", "ayuntamientodeyecora.com", "b2b.castorsunglasses.es", "belindabuck.com", "berylsegerschronicles.com.au", "biopelletuab.com", "boilermill.com.br", "buktijpilmu.com", "centralathleticfoundation.com", "ciphercodersweb.com", "cofeusa.com", "columbusisles.com", "compraway.com", "copierondemand.com", "dipfeed.com", "diversidadecatolica.com.br", "drisdellehomes.com", "easttechnicalstudio.com", "eltransistorgranada.com", "energyarts.com.br", "foresightedtech.com", "gazaltours.com", "goldenlifemanor.com", "greyandbold.com", "gustavogorriaran.com.uy", "heachang.com", "hijamawala.co.uk", "hudaaldosari.com", "hzarchitects.com", "ianvance.co.uk", "ideaverdegolf.com", "infodehrifcam.com", "inspiredassistance.com", "jeepbastard.com", "jessicaassociates.com", "josdream.com", "kawamawidows.org", "kkg-wehofen.com", "ktgafurov.com", "lamusedurres.com", "laforetfestas.com.br", "lifemagazine.nl", "lkexcellence.com", "lombardoautomotive.it", "loveworldvirtualchurch.org.uk"]);
DnsEvents
// has_any is a term match, so queries for subdomains of a listed host also match
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
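The same hunt run offline over exported DnsEvents rows, as an added example that is not part of the ThreatFox rule or the Sentinel query: it uses a subset of the page's Vidar domains and treats a query as a hit only when the name equals a listed domain or is a subdomain of it, which makes the match semantics explicit; the event records are constructed for the example.

```python
# Added example, not part of the ThreatFox rule: offline matcher that applies the Vidar
# domain IOCs to DnsEvents-style records the way the Sentinel query does. A name matches
# only if it equals a listed domain or is a subdomain of one (label boundary required).
from typing import Dict, Iterable, List, Optional
# Subset of the Vidar domain IOCs listed on this page (ThreatFox, payload_delivery).
VIDAR_DOMAINS = {
    "1net.ro", "1sttxreversemtg.com", "allstartsealing.com",
    "alnuric.org", "aplikasigerhanatoto1.com", "av-automotive.be",
}

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot some DNS logs keep on FQDNs."""
    return name.strip().lower().rstrip(".")

def matched_ioc(name: str, iocs=VIDAR_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    # Try every suffix from the full name down to the registrable domain.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events: Iterable[Dict], iocs=VIDAR_DOMAINS) -> List[Dict]:
    """Keep hits and project the same columns as the KQL, newest first."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev["Name"], iocs)
        if ioc:
            hits.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                         "Name": ev["Name"], "IPAddresses": ev.get("IPAddresses", ""),
                         "QueryType": ev.get("QueryType", ""), "IOC": ioc})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample DnsEvents rows (hosts and addresses are made up).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-11T08:00:00Z", "Computer": "ws01", "Name": "cdn.1net.ro.",
     "IPAddresses": "203.0.113.5", "QueryType": "A"},
    {"TimeGenerated": "2026-05-11T08:05:00Z", "Computer": "ws02", "Name": "not1net.ro",
     "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-05-11T08:10:00Z", "Computer": "ws03", "Name": "ALNURIC.org",
     "IPAddresses": "192.0.2.9", "QueryType": "A"},
    {"TimeGenerated": "2026-05-11T08:02:00Z", "Computer": "ws04", "Name": "login.microsoft.com",
     "IPAddresses": "192.0.2.1", "QueryType": "A"},
]
if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["IOC"])
```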
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs schtasks.exe to perform routine system maintenance, which may trigger the rule due to the presence of schtasks.exe in the IOC list.
Filter/Exclusion: Exclude processes associated with schtasks.exe when executed by the System or Local Service account, or filter by command line arguments containing /create or /run.
Scenario: Admin using Process Monitor (ProcMon) for troubleshooting
Description: An administrator uses ProcMon.exe to investigate performance issues, which may be flagged due to its association with Vidar IOCs.
Filter/Exclusion: Exclude processes with ProcMon.exe when executed by users with administrative privileges or when the process is running in a temporary directory used for troubleshooting.
Scenario: Legitimate use of PowerShell for script execution
Description: A PowerShell script (powershell.exe) is used to automate administrative tasks, such as deploying updates or managing services, which may be flagged due to PowerShell-related IOCs.
Filter/Exclusion: Exclude processes where powershell.exe is executed with a known legitimate script path or when the command line contains -Command or -File with a trusted script location.
Scenario: System file integrity check using DISM
Description: The dism.exe tool is used to scan and repair system image integrity, which may trigger the rule due to its presence in the IOC list.
Filter/Exclusion: Exclude processes initiated by the System account or those that match known DISM command-line arguments like /ScanHealth or /RestoreHealth.
Scenario: Legitimate use of Windows Task Scheduler for automation
Description: A legitimate task scheduled via schtasks.exe runs a script or executable that is flagged due to its association