The ThreatFox: Vidar IOCs rule detects potential data exfiltration activity associated with the Vidar malware, which is commonly used to steal credentials and sensitive information via encrypted channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage stolen credentials or phishing to maintain long-term access to sensitive systems.
IOC Summary
Malware Family: Vidar
Total IOCs: 5
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://xs.bhaaratkeeshakti.vip/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=333.exe | payload_delivery | 2026-04-22 | 75% |
| ip:port | 185[.]56[.]45[.]69:443 | botnet_cc | 2026-04-22 | 100% |
| ip:port | 74[.]0[.]48[.]181:443 | botnet_cc | 2026-04-22 | 100% |
| url | hxxps://185[.]56[.]45[.]69/ | botnet_cc | 2026-04-22 | 100% |
| url | hxxps://74[.]0[.]48[.]181/ | botnet_cc | 2026-04-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["74.0.48.181", "185.56.45.69"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["74.0.48.181", "185.56.45.69"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://xs.bhaaratkeeshakti.vip/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=333.exe", "https://185.56.45.69/", "https://74.0.48.181/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
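The queries above hard-code refanged copies of the IOC table. The following added example (not part of the ThreatFox rule page) turns the defanged rows into the exact `dynamic([...])` lists the hunts expect and emits a DeviceNetworkEvents hunt that also matches on `RemoteUrl`; the sample rows are a subset copied from the table, with the long payload-delivery URL left out.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in ThreatFox's defanged form, copied from the IOC table
# above (the long payload-delivery URL is omitted for brevity).
SAMPLE_IOCS = [
    ("ip:port", "185[.]56[.]45[.]69:443"),
    ("ip:port", "74[.]0[.]48[.]181:443"),
    ("url", "hxxps://185[.]56[.]45[.]69/"),
    ("url", "hxxps://74[.]0[.]48[.]181/"),
]

def refang(value: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:])."""
    value = re.sub(r"hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def collect(iocs):
    """Split IOC rows into the value sets the hunt queries need.
    URL IOCs whose host is a bare IP also feed the IP list, so a direct
    connection to the C2 is caught even when no URL is logged."""
    ips, urls = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "ip:port":
            ips.add(value.rsplit(":", 1)[0])
        elif ioc_type == "url":
            urls.add(value)
            host = urlsplit(value).hostname or ""
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                ips.add(host)
    return sorted(ips), sorted(urls)

def build_kql(iocs) -> str:
    """Emit the `let` lines and a DeviceNetworkEvents hunt. `in` is an
    exact, case-sensitive match on RemoteUrl; swap in `has_any` (as the
    UrlClickEvents hunt does) if broader term-based matching is wanted."""
    ips, urls = collect(iocs)
    return "\n".join([
        f"let malicious_ips = dynamic({json.dumps(ips)});",
        f"let malicious_urls = dynamic({json.dumps(urls)});",
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips) or RemoteUrl in (malicious_urls)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl,",
        "    InitiatingProcessFileName, InitiatingProcessCommandLine",
        "| order by Timestamp desc",
    ])

if __name__ == "__main__":
    print(build_kql(SAMPLE_IOCS))
```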
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using Vidar-Related IP
Description: A legitimate scheduled job (e.g., schtasks.exe or at.exe) is configured to communicate with a server that shares an IP address with a known Vidar IOC.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or at.exe and verify if the IP is associated with a known internal or external legitimate service.
Scenario: Admin Task Using Vidar-Related URL
Description: An administrator is using a legitimate tool like PowerShell or curl to interact with a URL that matches a Vidar IOC, such as for API testing or configuration management.
Filter/Exclusion: Filter by ProcessName containing powershell.exe or curl.exe, and check if the URL is part of a known internal or external service used by the organization.
Scenario: Phishing Simulation with Vidar-Related Email
Description: A security team is conducting a phishing simulation using an email template that includes a URL resembling a Vidar IOC to test user response.
Filter/Exclusion: Filter by EmailClient (e.g., Outlook.exe, Thunderbird.exe) and check if the email is part of a known security training or phishing simulation campaign.
Scenario: Network Monitoring Tool Using Vidar-Related IP
Description: A network monitoring tool like Wireshark or tcpdump is capturing traffic to an IP address that matches a Vidar IOC as part of normal network analysis.
Filter/Exclusion: Filter by ProcessName containing wireshark.exe or tcpdump.exe, and verify if the IP is part of a known network monitoring or security tool infrastructure.
**Scenario: Exploit Kit Testing with Vidar-Related