The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise organizational data integrity and confidentiality.
IOC Summary
Malware Family: Vidar
Total IOCs: 10
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://prd.sm188login.icu/ | botnet_cc | 2026-06-19 | 100% |
| domain | prd.sm188login.icu | botnet_cc | 2026-06-19 | 100% |
| url | hxxps://prd.rzrrent.com/ | botnet_cc | 2026-06-19 | 75% |
| domain | prd.rzrrent.com | botnet_cc | 2026-06-19 | 75% |
| url | hxxps://prd.harussm188.top/ | botnet_cc | 2026-06-19 | 75% |
| domain | prd.harussm188.top | botnet_cc | 2026-06-19 | 75% |
| url | hxxps://fed.rzrrent.com/ | botnet_cc | 2026-06-19 | 75% |
| domain | fed.rzrrent.com | botnet_cc | 2026-06-19 | 75% |
| url | hxxps://fed.harussm188.top/ | botnet_cc | 2026-06-19 | 75% |
| domain | fed.harussm188.top | botnet_cc | 2026-06-19 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["prd.sm188login.icu", "prd.rzrrent.com", "prd.harussm188.top", "fed.rzrrent.com", "fed.harussm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://prd.sm188login.icu/", "https://prd.rzrrent.com/", "https://prd.harussm188.top/", "https://fed.rzrrent.com/", "https://fed.harussm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
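The IOC table above lists values in defanged form (hxxps), while the queries need them refanged, and `has_any` does term matching rather than a strict domain comparison. The following added example (not part of this rule or of ThreatFox) shows the same hunt done offline in Python: it refangs the listed IOCs, splits them into domains and URLs, and matches them against constructed DNS and URL-click log lines using exact-or-subdomain and URL-prefix rules, so that a lookalike such as a host under a different parent domain does not fire. The log lines, hostnames and account names are constructed for illustration; the IOC values are the ones from the table.

```python
import re

# The ten IOC values from the table above, still defanged as published.
DEFANGED_IOCS = [
    "hxxps://prd.sm188login.icu/", "prd.sm188login.icu",
    "hxxps://prd.rzrrent.com/", "prd.rzrrent.com",
    "hxxps://prd.harussm188.top/", "prd.harussm188.top",
    "hxxps://fed.rzrrent.com/", "fed.rzrrent.com",
    "hxxps://fed.harussm188.top/", "fed.harussm188.top",
]


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp(s) -> http(s), [.] and (.) -> .) and lower-case."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.lower()


def split_iocs(iocs):
    """Return (domains, urls) as sets of refanged, normalised strings."""
    domains, urls = set(), set()
    for ioc in iocs:
        value = refang(ioc)
        if value.startswith(("http://", "https://")):
            urls.add(value)
        else:
            domains.add(value.rstrip("."))
    return domains, urls


def domain_matches(query_name: str, domains):
    """Exact or proper-subdomain match. Unlike a substring/term match, this does
    not fire on a lookalike such as prd.rzrrent.com.example.net."""
    name = query_name.strip().lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def url_matches(url: str, urls):
    """Prefix match. Every listed URL ends in '/', so the prefix pins the host;
    the IOC appearing later in the path of another site does not count."""
    u = url.strip().lower()
    for m in urls:
        if u.startswith(m):
            return m
    return None


# Constructed sample DNS log lines (time,computer,name); not real telemetry.
SAMPLE_DNS = [
    "2026-06-19T10:00:01Z,WKSTN-01,prd.sm188login.icu",
    "2026-06-19T10:00:02Z,WKSTN-01,www.example.com",
    "2026-06-19T10:00:03Z,WKSTN-02,cdn.fed.rzrrent.com",
    "2026-06-19T10:00:04Z,WKSTN-03,prd.rzrrent.com.example.net",
    "2026-06-19T10:00:05Z,SRV-01,PRD.HARUSSM188.TOP.",
]

# Constructed sample URL-click lines (time,account,url); not real telemetry.
SAMPLE_URL_CLICKS = [
    "2026-06-19T10:05:00Z,alice@example.com,https://prd.rzrrent.com/login?x=1",
    "2026-06-19T10:05:01Z,bob@example.com,https://example.com/prd.rzrrent.com/",
    "2026-06-19T10:05:02Z,carol@example.com,https://FED.harussm188.top/",
]


def hunt_dns(lines, domains):
    """Return (time, computer, queried name, matched IOC) for each hit."""
    hits = []
    for line in lines:
        ts, computer, name = line.split(",", 2)
        matched = domain_matches(name, domains)
        if matched:
            hits.append((ts, computer, name, matched))
    return hits


def hunt_urls(lines, urls):
    """Return (time, account, url, matched IOC) for each hit."""
    hits = []
    for line in lines:
        ts, account, url = line.split(",", 2)
        matched = url_matches(url, urls)
        if matched:
            hits.append((ts, account, url, matched))
    return hits


if __name__ == "__main__":
    domains, urls = split_iocs(DEFANGED_IOCS)
    for hit in hunt_dns(SAMPLE_DNS, domains) + hunt_urls(SAMPLE_URL_CLICKS, urls):
        print(hit)
```

Run against real exports, the same two match rules translate back into KQL as `Name =~ d or Name endswith "." + d` for domains and `Url startswith m` for URLs, which is stricter than the `has_any` used in the rule above.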
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for system maintenance
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler with known maintenance tasks (e.g., Cleanup-SystemTemp or DiskCleanup).
Scenario: Admin using PowerShell for log analysis
Filter/Exclusion: Exclude PowerShell scripts executed by powershell.exe with known admin tools (e.g., Get-EventLog, Get-WinEvent, or scripts in the C:\Windows\System32\WindowsPowerShell\v1.0\ directory).
Scenario: Use of Process Monitor (ProcMon) for troubleshooting
Filter/Exclusion: Exclude processes launched by ProcMon.exe or Procmon64.exe with known file system monitoring activities (e.g., C:\Windows\System32\procmon64.exe).
Scenario: Legitimate use of Windows Defender for malware scanning
Filter/Exclusion: Exclude processes associated with MsMpEng.exe or Windows Defender with known scan tasks (e.g., FullScan or QuickScan).
Scenario: Use of Microsoft Endpoint Configuration Manager (MECM) for policy deployment
Filter/Exclusion: Exclude processes related to ConfigMgr or SMS Executive (e.g., ccmexec.exe, ccmsetup.exe) with known deployment tasks.