The ThreatFox: Vidar IOCs rule matches DNS queries and URL clicks against command-and-control infrastructure that ThreatFox has attributed to the Vidar malware family. Vidar is an information stealer: it harvests saved browser credentials (including banking logins), cookies, cryptocurrency wallet data and system information, and exfiltrates them over HTTPS to its C2 servers. SOC teams should hunt for contact with these indicators in Microsoft Sentinel (formerly Azure Sentinel) so that an infected host can be isolated and its exposed credentials rotated before the stolen data is used.
IOC Summary

Malware Family: Vidar
Total IOCs: 16
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | hit.canamrental.com | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://hit.canamrental.com/ | botnet_cc | 2026-06-02 | 100% |
| domain | hit.duitsm188.top | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://hit.duitsm188.top/ | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://hit.dism188.top/ | botnet_cc | 2026-06-02 | 100% |
| domain | hit.bluewestgroup.com | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://hit.bluewestgroup.com/ | botnet_cc | 2026-06-02 | 100% |
| domain | hit.dism188.top | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://kpa.bluewestgroup.com/ | botnet_cc | 2026-06-02 | 100% |
| domain | kpa.dism188.top | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://kpa.dism188.top/ | botnet_cc | 2026-06-02 | 100% |
| domain | kpa.bluewestgroup.com | botnet_cc | 2026-06-02 | 100% |
| url | hxxps://tts.dism188.top/ | botnet_cc | 2026-06-01 | 100% |
| domain | tts.dism188.top | botnet_cc | 2026-06-01 | 100% |
| domain | tts.bluewestgroup.com | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://tts.bluewestgroup.com/ | botnet_cc | 2026-06-01 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// DnsEvents is populated by the DNS Analytics (Windows DNS server) connector.
// has_any is case-insensitive and matches the indicator as a whole term, so
// subdomains of an indicator (e.g. cdn.kpa.dism188.top) are also returned.
let malicious_domains = dynamic(["hit.canamrental.com", "hit.duitsm188.top", "hit.bluewestgroup.com", "hit.dism188.top", "kpa.dism188.top", "kpa.bluewestgroup.com", "tts.dism188.top", "tts.bluewestgroup.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// UrlClickEvents comes from the Microsoft 365 Defender connector (Defender for
// Office 365 Safe Links), so it only covers links clicked from mail and Teams.
// The defanged hxxps:// values from the IOC table are refanged to https:// here.
let malicious_urls = dynamic(["https://hit.canamrental.com/", "https://hit.duitsm188.top/", "https://hit.dism188.top/", "https://hit.bluewestgroup.com/", "https://kpa.bluewestgroup.com/", "https://kpa.dism188.top/", "https://tts.dism188.top/", "https://tts.bluewestgroup.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Requires the DNS Analytics connector (Windows DNS server logs collected by the Log Analytics agent); if DNS is logged elsewhere, the same match can be run against that table's query-name column |
| UrlClickEvents | Requires the Microsoft 365 Defender connector with Defender for Office 365 (Safe Links) data; only covers clicks from mail and Teams, so DnsEvents is the broader of the two hunts |
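The two queries above hard-code the indicator lists. The following Python script is an added example (it is not part of the ThreatFox feed or of Microsoft Sentinel) that takes the IOC rows from the table, refangs the hxxps:// values, collapses domain and URL indicators into one domain set, emits both the KQL dynamic([...]) literal and a CSV that can be uploaded as a Sentinel watchlist, and runs the same exact-or-subdomain match over a few constructed DNS records. The DNS records and the watchlist column names are assumptions for the example.

```python
"""Turn the ThreatFox Vidar IOC table into a watchlist and match DNS query names.

Added example, not ThreatFox or Sentinel code. IOC rows are copied from the
table above; the DNS records further down are constructed sample data.
"""
import csv
import io
from urllib.parse import urlsplit

# (type, defanged value) rows as published in the IOC table above.
VIDAR_IOCS = [
    ("domain", "hit.canamrental.com"),
    ("url", "hxxps://hit.canamrental.com/"),
    ("domain", "hit.duitsm188.top"),
    ("url", "hxxps://hit.duitsm188.top/"),
    ("url", "hxxps://hit.dism188.top/"),
    ("domain", "hit.bluewestgroup.com"),
    ("url", "hxxps://hit.bluewestgroup.com/"),
    ("domain", "hit.dism188.top"),
    ("url", "hxxps://kpa.bluewestgroup.com/"),
    ("domain", "kpa.dism188.top"),
    ("url", "hxxps://kpa.dism188.top/"),
    ("domain", "kpa.bluewestgroup.com"),
    ("url", "hxxps://tts.dism188.top/"),
    ("domain", "tts.dism188.top"),
    ("domain", "tts.bluewestgroup.com"),
    ("url", "hxxps://tts.bluewestgroup.com/"),
]


def refang(value: str) -> str:
    """Undo the hxxp/hxxps and [.] defanging used when IOCs are shared."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def ioc_domains(iocs):
    """Collapse domain and URL IOCs into one lower-cased, de-duplicated domain set."""
    domains = set()
    for ioc_type, value in iocs:
        value = refang(value)
        if ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        elif ioc_type == "url":
            host = urlsplit(value).hostname
            if host:
                domains.add(host.lower().rstrip("."))
    return domains


def matches_ioc(query_name: str, domains) -> bool:
    """True if the queried name is an IOC domain or a subdomain of one.

    The leading dot in the suffix test stops 'nothit.canamrental.com' from
    matching the indicator 'hit.canamrental.com'.
    """
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def to_kql_literal(domains) -> str:
    """Render the domain set as the dynamic([...]) literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{d}"' for d in sorted(domains)) + "])"


def to_watchlist_csv(domains) -> str:
    """Render a CSV for upload as a Sentinel watchlist (search key: Domain).

    Column names are this example's choice, not a Sentinel requirement.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Domain", "MalwareFamily", "ThreatType", "Source"])
    for d in sorted(domains):
        writer.writerow([d, "Vidar", "botnet_cc", "ThreatFox"])
    return buf.getvalue()


# Constructed sample DNS records (Computer, Name); not real telemetry.
SAMPLE_DNS = [
    ("WS-0142", "hit.canamrental.com"),
    ("WS-0142", "HIT.DISM188.TOP."),            # case and trailing dot must not matter
    ("WS-0209", "cdn.kpa.bluewestgroup.com"),   # subdomain of an indicator
    ("WS-0209", "canamrental.com"),             # parent of an indicator: not an IOC
    ("WS-0311", "login.microsoftonline.com"),
    ("WS-0311", "nothit.canamrental.com"),      # shares a suffix, is not a subdomain
]


def hunt(records, domains):
    """Return the (Computer, Name) records whose query name matches an IOC."""
    return [(computer, name) for computer, name in records if matches_ioc(name, domains)]


if __name__ == "__main__":
    domains = ioc_domains(VIDAR_IOCS)
    print(to_kql_literal(domains))
    print(to_watchlist_csv(domains))
    for computer, name in hunt(SAMPLE_DNS, domains):
        print("MATCH", computer, name)
```

Once the CSV is uploaded as a watchlist, the hunt can read indicators from it instead of the inline literal (`_GetWatchlist('VidarIOCs') | project Domain`), so the same query keeps working as ThreatFox publishes new Vidar infrastructure.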
False Positive Scenarios

The queries above match on ThreatFox botnet_cc indicators published at 100% confidence, so a hit on one of them should be investigated rather than tuned out. The exclusions below apply only if the hunt is widened to generic download or remote-access telemetry (process command lines, outbound HTTP), where the following legitimate activity is common.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses curl or wget to fetch updates from an internal repository.
Filter/Exclusion: Exclude processes started by Task Scheduler whose command line contains internal-repo.com or update-script.sh.

Scenario: Admin Using PowerShell for Log Collection
Description: An admin uses PowerShell to collect logs from remote servers with Invoke-Command and Export-Clixml.
Filter/Exclusion: Exclude powershell.exe processes whose command line includes Export-Clixml or Invoke-Command and whose source IP is within the internal network range.

Scenario: Automated Backup Job Using rsync
Description: A backup job uses rsync to synchronize data between servers, which may involve transferring files over SSH.
Filter/Exclusion: Exclude rsync processes whose destination is a known backup server or whose command line includes --backup or --exclude.

Scenario: Internal Monitoring Tool Using HTTP Requests
Description: A monitoring tool such as Prometheus or Zabbix sends HTTP requests to internal endpoints to collect metrics.
Filter/Exclusion: Exclude traffic from the monitoring tool's service account, or curl and wget processes that target internal metrics endpoints.

Scenario: User Running a Script to Download a Trusted Artifact
Description: A user runs a script that downloads a trusted binary from a known internal artifact repository.
Filter/Exclusion: Exclude processes where the user is a trusted admin and the download URL points at a known internal artifact server (e.g., artifactory.example.com).