← Back to SOC feed Coverage →

ThreatFox: Vidar IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEventsDnsEventsUrlClickEvents
iocthreatfoxwin-vidar
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-22T11:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems and data.

IOC Summary

Malware Family: Vidar Total IOCs: 48 IOC Types: ip:port, url, domain

TypeValueThreat TypeFirst SeenConfidence
domaingwe.utvrent.combotnet_cc2026-06-22100%
urlhxxps://gwe.utvrent.com/botnet_cc2026-06-22100%
domaingwe.hitamsm188.topbotnet_cc2026-06-22100%
urlhxxps://gwe.hitamsm188.top/botnet_cc2026-06-22100%
ip:port5[.]75[.]221[.]125:443botnet_cc2026-06-22100%
ip:port91[.]98[.]109[.]24:443botnet_cc2026-06-22100%
ip:port167[.]233[.]132[.]8:443botnet_cc2026-06-22100%
urlhxxps://5[.]75[.]221[.]125/botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]109[.]24/botnet_cc2026-06-22100%
urlhxxps://167[.]233[.]132[.]8/botnet_cc2026-06-22100%
ip:port65[.]109[.]246[.]92:443botnet_cc2026-06-22100%
ip:port91[.]98[.]96[.]126:443botnet_cc2026-06-22100%
ip:port91[.]98[.]105[.]63:443botnet_cc2026-06-22100%
ip:port91[.]98[.]106[.]140:443botnet_cc2026-06-22100%
ip:port95[.]217[.]244[.]13:443botnet_cc2026-06-22100%
ip:port91[.]98[.]99[.]76:443botnet_cc2026-06-22100%
ip:port91[.]98[.]100[.]19:443botnet_cc2026-06-22100%
ip:port95[.]217[.]244[.]189:443botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]96[.]126/botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]105[.]63/botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]106[.]140/botnet_cc2026-06-22100%
urlhxxps://95[.]217[.]244[.]13/botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]99[.]76/botnet_cc2026-06-22100%
urlhxxps://91[.]98[.]100[.]19/botnet_cc2026-06-22100%
urlhxxps://95[.]217[.]244[.]189/botnet_cc2026-06-22100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["91.99.3.169", "95.217.244.13", "46.224.16.213", "178.104.113.24", "91.98.109.24", "167.233.132.8", "5.75.221.125", "65.109.246.92", "91.98.100.19", "167.233.131.186", "91.98.99.76", "178.104.255.247", "159.69.221.162", "91.98.106.140", "167.233.112.191", "95.217.244.189", "46.62.226.239", "91.98.105.63", "91.98.96.126"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.99.3.169", "95.217.244.13", "46.224.16.213", "178.104.113.24", "91.98.109.24", "167.233.132.8", "5.75.221.125", "65.109.246.92", "91.98.100.19", "167.233.131.186", "91.98.99.76", "178.104.255.247", "159.69.221.162", "91.98.106.140", "167.233.112.191", "95.217.244.189", "46.62.226.239", "91.98.105.63", "91.98.96.126"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["gwe.utvrent.com", "gwe.hitamsm188.top", "cht.hitamsm188.top", "cht.utvrent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://gwe.utvrent.com/", "https://gwe.hitamsm188.top/", "https://5.75.221.125/", "https://91.98.109.24/", "https://167.233.132.8/", "https://91.98.96.126/", "https://91.98.105.63/", "https://91.98.106.140/", "https://95.217.244.13/", "https://91.98.99.76/", "https://91.98.100.19/", "https://95.217.244.189/", "https://65.109.246.92/", "https://91.99.3.169/", "https://178.104.255.247/", "https://159.69.221.162/", "https://178.104.113.24/", "https://167.233.112.191/", "https://steamcommunity.com/profiles/76561198684471717", "https://telegram.me/t0mdr", "https://cht.hitamsm188.top/", "https://cht.utvrent.com/", "https://46.224.16.213/", "https://46.62.226.239/", "https://167.233.131.186/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/win.vidar/