The ThreatFox: Vidar IOCs rule detects potential command and control communication associated with the Vidar malware, leveraging known indicators to identify compromised endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage Vidar for data exfiltration and persistence.
IOC Summary
Malware Family: Vidar
Total IOCs: 6
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | caccc2e6232c63bdd21bfaf65eff6c78 | payload | 2026-06-14 | 95% |
| sha256_hash | 7b16ec86306d55b3dcdfb7897bb9dcc059b8fa2cd9ebfc31b801838f2652f81e | payload | 2026-06-14 | 95% |
| sha1_hash | 867e6e4e62e6a48b29439da2b1299f650e2769ec | payload | 2026-06-14 | 95% |
| md5_hash | 2eb88c1364140da4d32f9d21487cef9f | payload | 2026-06-14 | 95% |
| sha256_hash | d7f510d73fa0c926a8e0fccf92c99fcaadcd58708227368a4878663bc0ec2587 | payload | 2026-06-14 | 95% |
| sha1_hash | a15195daaadb5efc0f393cbc6caf3b3abb3393c7 | payload | 2026-06-14 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Vidar
// Hashes are grouped by algorithm so each list is only compared against its own column
let vidar_md5 = dynamic(["caccc2e6232c63bdd21bfaf65eff6c78", "2eb88c1364140da4d32f9d21487cef9f"]);
let vidar_sha1 = dynamic(["867e6e4e62e6a48b29439da2b1299f650e2769ec", "a15195daaadb5efc0f393cbc6caf3b3abb3393c7"]);
let vidar_sha256 = dynamic(["7b16ec86306d55b3dcdfb7897bb9dcc059b8fa2cd9ebfc31b801838f2652f81e", "d7f510d73fa0c926a8e0fccf92c99fcaadcd58708227368a4878663bc0ec2587"]);
DeviceFileEvents
// in~ makes the comparison case-insensitive, so mixed-case hash values still match
| where MD5 in~ (vidar_md5) or SHA1 in~ (vidar_sha1) or SHA256 in~ (vidar_sha256)
| project Timestamp, DeviceName, FileName, FolderPath, MD5, SHA1, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: Legitimate system update via Microsoft Update. Filter/Exclusion: Check for process.name containing "WindowsUpdate" or "msiexec" and ensure the process.parent.name is "svchost" or "taskhost".
- Scenario: Scheduled backup job using Veeam Backup & Replication. Filter/Exclusion: Filter for process.name containing "veeam" and check for process.parent.name being "services.exe" or "vmtoolsd".
- Scenario: Admin task using PowerShell for log management. Filter/Exclusion: Filter for process.name containing "powershell.exe" and check for process.parent.name being "services.exe" or "taskhost" with a command line containing "log" or "event".
- Scenario: Legitimate remote desktop session using Microsoft Remote Desktop. Filter/Exclusion: Filter for process.name containing "mstsc.exe" and check for process.parent.name being "explorer.exe" or "logonui.exe".
- Scenario: Regular use of Process Monitor (ProcMon) for troubleshooting. Filter/Exclusion: Filter for process.name containing "procmon.exe" and check for process.parent.name being "explorer.exe" or "svchost.exe" with a command line containing "log" or "trace".