The ThreatFox: Vidar IOCs rule matches DNS query names and clicked URLs against the current ThreatFox indicators for Vidar, an information stealer that harvests browser credentials, cookies and wallet data and sends them to its command-and-control (C2) servers; every indicator below is a botnet C2 endpoint served over HTTPS. SOC teams should run these hunts in Microsoft Sentinel (formerly Azure Sentinel) so that infected hosts are found before the collected credentials are exfiltrated.
IOC Summary
Malware Family: Vidar
Total IOCs: 12
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | tth.bolaturbo88.top | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://tth.bolaturbo88.top/ | botnet_cc | 2026-05-28 | 100% |
| domain | tth.matriculaflix.com | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://tth.matriculaflix.com/ | botnet_cc | 2026-05-28 | 100% |
| domain | bla.matriculadores.com | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://bla.matriculadores.com/ | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://bla.bolaturbo88.top/ | botnet_cc | 2026-05-28 | 100% |
| domain | bla.bolaturbo88.top | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://ski.matriculadores.com/ | botnet_cc | 2026-05-27 | 100% |
| domain | ski.awansm188.top | botnet_cc | 2026-05-27 | 100% |
| url | hxxps://ski.awansm188.top/ | botnet_cc | 2026-05-27 | 100% |
| domain | ski.matriculadores.com | botnet_cc | 2026-05-27 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any matches whole terms, not substrings. The list holds the specific
// C2 hosts only; the parent zones (bolaturbo88.top, matriculadores.com,
// matriculaflix.com, awansm188.top) are not ThreatFox IOCs and are not listed.
let malicious_domains = dynamic(["tth.bolaturbo88.top", "tth.matriculaflix.com", "bla.matriculadores.com", "bla.bolaturbo88.top", "ski.awansm188.top", "ski.matriculadores.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// UrlClickEvents holds Safe Links click data from Microsoft Defender for Office 365.
// The ThreatFox URLs are defanged (hxxps://); they are refanged here so they match.
let malicious_urls = dynamic(["https://tth.bolaturbo88.top/", "https://tth.matriculaflix.com/", "https://bla.matriculadores.com/", "https://bla.bolaturbo88.top/", "https://ski.matriculadores.com/", "https://ski.awansm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
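The same hunt logic, run offline, as an added example (it is not code from ThreatFox or from Microsoft Sentinel). It refangs ThreatFox-style indicators, collapses the domain and URL IOCs into one host list, renders the `dynamic([...])` literal used in the queries above, and matches constructed DnsEvents- and UrlClickEvents-style records by parsed host so that subdomains of an IOC host are caught while lookalike suffixes, bare parent zones and URLs that only mention an IOC in a query string are not. The IOC values are the twelve from the table; every log record, computer name and account is made up, and the function names are this example's own.

```python
"""Offline version of the Vidar IOC hunt: refang, dedupe, render KQL, match."""
from urllib.parse import urlsplit

# ThreatFox rows as exported: (ioc_type, defanged value). Same 12 IOCs as the table.
THREATFOX_IOCS = [
    ("domain", "tth.bolaturbo88.top"),
    ("url", "hxxps://tth.bolaturbo88.top/"),
    ("domain", "tth.matriculaflix.com"),
    ("url", "hxxps://tth.matriculaflix.com/"),
    ("domain", "bla.matriculadores.com"),
    ("url", "hxxps://bla.matriculadores.com/"),
    ("url", "hxxps://bla.bolaturbo88.top/"),
    ("domain", "bla.bolaturbo88.top"),
    ("url", "hxxps://ski.matriculadores.com/"),
    ("domain", "ski.awansm188.top"),
    ("url", "hxxps://ski.awansm188.top/"),
    ("domain", "ski.matriculadores.com"),
]


def refang(value: str) -> str:
    """Undo the usual defanging conventions (hxxp, hxxps, [.]) so values can be parsed."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def ioc_hosts(iocs) -> set:
    """Collapse domain IOCs and the host part of URL IOCs into one lowercase host set."""
    hosts = set()
    for ioc_type, value in iocs:
        clean = refang(value).lower()
        if ioc_type == "domain":
            hosts.add(clean.rstrip("."))
        elif ioc_type == "url":
            host = urlsplit(clean).hostname
            if host:
                hosts.add(host)
    return hosts


def host_matches(name: str, hosts) -> bool:
    """True for an exact IOC host or any subdomain of one.

    'cdn.ski.awansm188.top' matches; 'bolaturbo88.top' (parent zone) and
    'tth.matriculaflix.com.evil.example' (IOC used as a prefix) do not.
    """
    n = name.lower().rstrip(".")
    return any(n == h or n.endswith("." + h) for h in hosts)


def kql_dynamic(values) -> str:
    """Render a host list as the dynamic([...]) literal used in the Sentinel queries."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed DnsEvents-style records: (Computer, Name). Not real telemetry.
SAMPLE_DNS = [
    ("WS-0142", "tth.bolaturbo88.top"),
    ("WS-0142", "cdn.ski.awansm188.top"),              # subdomain of an IOC host
    ("WS-0207", "bolaturbo88.top"),                     # parent zone only, not an IOC
    ("WS-0207", "tth.matriculaflix.com.evil.example"),  # IOC string as a prefix, not a suffix
    ("SRV-01", "login.microsoftonline.com"),
]

# Constructed UrlClickEvents-style records: (AccountUpn, Url). Not real telemetry.
SAMPLE_CLICKS = [
    ("alice@example.com", "https://tth.matriculaflix.com/"),
    ("bob@example.com", "https://bla.bolaturbo88.top/gate.php?id=1"),      # path beyond the IOC URL
    ("carol@example.com", "https://example.com/?ref=tth.bolaturbo88.top"),  # IOC only in query string
]


def hunt_dns(events, hosts):
    """Return (Computer, Name) rows whose query name hits an IOC host."""
    return [(c, n) for c, n in events if host_matches(n, hosts)]


def hunt_urls(clicks, hosts):
    """Return (AccountUpn, Url) rows whose URL host hits an IOC host."""
    return [(u, url) for u, url in clicks
            if host_matches(urlsplit(url).hostname or "", hosts)]


if __name__ == "__main__":
    hosts = ioc_hosts(THREATFOX_IOCS)
    print("let malicious_domains =", kql_dynamic(hosts) + ";")
    for row in hunt_dns(SAMPLE_DNS, hosts):
        print("DNS hit:", row)
    for row in hunt_urls(SAMPLE_CLICKS, hosts):
        print("URL hit:", row)
```

Matching on the parsed host rather than on a substring is the point: `bob`'s click on a longer path under a listed host is a hit, `carol`'s URL that only carries the IOC in a query parameter is not, and the bare parent zones stay out unless you deliberately widen the list. Widening is a reasonable call here, since the table shows two different C2 subdomains on both bolaturbo88.top and matriculadores.com, but it is a decision to make explicitly, not a side effect of substring matching.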
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector that populates this table is enabled |
| UrlClickEvents | Populated by Microsoft Defender for Office 365 (Safe Links) through the Defender connector; ensure it is enabled |
Note: the two hunts above match only DNS query names and clicked URLs and never inspect a command line. The scenarios below concern process-based detections that pair these IOCs with powershell.exe or psexec.exe command-line patterns; their exclusions do not apply to the DNS and URL queries.
Scenario: Legitimate scheduled job for system maintenance
Description: A system administrator schedules a PowerShell script using Task Scheduler to perform routine maintenance tasks, such as log rotation or disk cleanup. The script may use powershell.exe with arguments that resemble malicious command-line patterns.
Filter/Exclusion: Exclude by the specific task name (for example one containing "maintenance" or "logrotate") together with the script path it runs, rather than by account: excluding everything launched as System or Local System also hides malicious scheduled tasks, which routinely run under that account.
Scenario: Admin using PowerShell for remote management
Description: An administrator uses PowerShell Remoting (Invoke-Command) to execute commands on remote servers, which may trigger a process-based rule that looks for powershell.exe with command-line arguments paired to these IOCs.
Filter/Exclusion: Confirm the activity is remote management by checking process.parentprocessname for powershell and the remotehost field for the originating workstation, then allow-list known admin hosts; a PowerShell parent on its own is not a safe exclusion, since malicious child processes are commonly spawned from PowerShell as well.
Scenario: Legitimate use of PsExec for administrative tasks
Description: A sysadmin uses PsExec to run a command on a remote machine, which may be flagged due to the use of psexec.exe and command-line arguments that resemble malicious payloads.
Filter/Exclusion: Exclude only where process.parentprocessname is psexec.exe and the initiating user and source host are on the admin allow-list. Do not exclude on the command line containing net use or wmic: those are exactly the tools an attacker runs through PsExec during lateral movement, so that exclusion would blind the rule to the activity it exists to catch.
Scenario: Automated backup script using PowerShell
Description: A backup script written in PowerShell is executed by a scheduled task, which may trigger a process-based rule that looks for powershell.exe with command-line arguments paired to these IOCs.
Filter/Exclusion: Filter by process.commandline containing "backup" or "restore" only in combination with the scheduled task's known name and the backup service account. A command line is attacker-controlled, so the keyword alone must not exclude an event.
**Scenario: Legitimate use of PsExec for software