The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises by adversaries using Vidar for data exfiltration and persistence.
IOC Summary
Malware Family: Vidar
Total IOCs: 4
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://set.canamrental.com/ | botnet_cc | 2026-06-04 | 100% |
| domain | set.dvlv88.top | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://set.dvlv88.top/ | botnet_cc | 2026-06-04 | 100% |
| domain | set.canamrental.com | botnet_cc | 2026-06-04 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["set.dvlv88.top", "set.canamrental.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://set.canamrental.com/", "https://set.dvlv88.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
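As an added example, not part of the ThreatFox rule page or of Microsoft's tooling: a small Python script that refangs the IOCs from the table above and runs them over constructed DNS and URL events with the same intent as the KQL hunts (exact host or subdomain of an IOC domain, full-URL match rather than a substring test).

```python
import re
from urllib.parse import urlparse

# Vidar IOCs from the ThreatFox table above, kept in their defanged form.
VIDAR_IOCS = [
    ("url", "hxxps://set.canamrental.com/"),
    ("domain", "set.dvlv88.top"),
    ("url", "hxxps://set.dvlv88.top/"),
    ("domain", "set.canamrental.com"),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values match real logs."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_sets(iocs):
    # Split IOCs into a domain set and a URL set; URL hosts also become domains.
    domains, urls = set(), set()
    for kind, value in iocs:
        clean = refang(value).lower()
        if kind == "domain":
            domains.add(clean)
        elif kind == "url":
            urls.add(clean.rstrip("/"))
            domains.add(urlparse(clean).hostname)
    return domains, urls

def host_matches(name: str, domains) -> bool:
    """Exact host or a subdomain of an IOC domain: label-aware, not a substring test."""
    q = name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

def hunt(events, iocs=VIDAR_IOCS):
    """events: (source, value) pairs from DNS or URL telemetry; returns the hits."""
    domains, urls = build_sets(iocs)
    return [
        (src, val) for src, val in events
        if (src == "dns" and host_matches(val, domains))
        or (src == "url" and val.lower().rstrip("/") in urls)
    ]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("dns", "set.dvlv88.top"),
    ("dns", "cdn.set.canamrental.com"),            # subdomain of an IOC: hit
    ("dns", "canamrental.com"),                    # parent domain only: no hit
    ("dns", "offset.dvlv88.top"),                  # substring trap: no hit
    ("url", "https://set.canamrental.com/"),
    ("url", "https://example.com/set.dvlv88.top"), # IOC only in the path: no hit
]
```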
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for system maintenance using schtasks.exe
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance task names (e.g., WeeklyDiskCleanup or SystemUpdate).
Filter Example: process.exe = schtasks.exe and process.name = schtasks.exe and process.command_line contains "WeeklyDiskCleanup"

Scenario: Use of PowerShell.exe for routine system monitoring via Get-EventLog
Filter/Exclusion: Exclude PowerShell scripts that use Get-EventLog or Get-WinEvent for log analysis.
Filter Example: process.exe = powershell.exe and (process.command_line contains "Get-EventLog" or process.command_line contains "Get-WinEvent")

Scenario: Administrative task using taskmgr.exe to review running processes
Filter/Exclusion: Exclude process listings initiated by taskmgr.exe or tasklist commands.
Filter Example: process.exe = taskmgr.exe or process.command_line contains "tasklist"

Scenario: Use of certutil.exe to import a trusted certificate for an internal CA
Filter/Exclusion: Exclude certutil.exe commands related to certificate import or management.
Filter Example: process.exe = certutil.exe and (process.command_line contains " -addstore" or process.command_line contains " -importpfx")

Scenario: Legitimate use of msiexec.exe to install a trusted enterprise software package
Filter/Exclusion: Exclude msiexec.exe processes with known internal software installers.
Filter Example: process.exe = msiexec.exe and process.command_line contains " /i " and process.command_line contains "InternalAppInstaller.msi"