The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging Vidar’s capabilities before significant data loss occurs.
IOC Summary
Malware Family: Vidar
Total IOCs: 15
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://get.rzrrent.com/ | botnet_cc | 2026-06-17 | 75% |
| domain | get.rzrrent.com | botnet_cc | 2026-06-17 | 75% |
| url | hxxps://get.hanyasm188.top/ | botnet_cc | 2026-06-17 | 75% |
| domain | get.hanyasm188.top | botnet_cc | 2026-06-17 | 75% |
| url | hxxps://tnd.rzrrent.com/ | botnet_cc | 2026-06-17 | 100% |
| domain | tnd.hanyasm188.top | botnet_cc | 2026-06-17 | 100% |
| url | hxxps://tnd.hanyasm188.top/ | botnet_cc | 2026-06-17 | 100% |
| domain | tnd.rzrrent.com | botnet_cc | 2026-06-17 | 100% |
| domain | code-verification-js.beer | botnet_cc | 2026-06-17 | 100% |
| domain | verification-code-js.beer | botnet_cc | 2026-06-17 | 100% |
| domain | chinarice.asia | botnet_cc | 2026-06-17 | 100% |
| url | hxxps://svb.rzrrent.com/ | botnet_cc | 2026-06-17 | 100% |
| domain | svb.hanyasm188.top | botnet_cc | 2026-06-17 | 100% |
| url | hxxps://svb.hanyasm188.top/ | botnet_cc | 2026-06-17 | 100% |
| domain | svb.rzrrent.com | botnet_cc | 2026-06-17 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["get.rzrrent.com", "get.hanyasm188.top", "tnd.hanyasm188.top", "tnd.rzrrent.com", "code-verification-js.beer", "verification-code-js.beer", "chinarice.asia", "svb.hanyasm188.top", "svb.rzrrent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://get.rzrrent.com/", "https://get.hanyasm188.top/", "https://tnd.rzrrent.com/", "https://tnd.hanyasm188.top/", "https://svb.rzrrent.com/", "https://svb.hanyasm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
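The queries above hard-code refanged copies of the IOC table. The following is an added example (not part of the original rule or of ThreatFox) showing how to refang the table rows programmatically, filter them by confidence, and match the resulting domain set against DNS query logs offline, comparing whole DNS labels so a lookalike that merely contains an IOC as a substring is not flagged; the IOC rows and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the page's IOC table: (type, defanged value, confidence %).
IOC_ROWS = [
    ("url", "hxxps://get.rzrrent.com/", 75),
    ("domain", "get.rzrrent.com", 75),
    ("url", "hxxps://tnd.hanyasm188.top/", 100),
    ("domain", "tnd.rzrrent.com", 100),
    ("domain", "chinarice.asia", 100),
]

# Constructed DNS query log lines: "<time> <computer> <query> <qtype>".
SAMPLE_DNS_LOG = [
    "2026-06-17T10:00:01Z WKS-01 tnd.rzrrent.com A",
    "2026-06-17T10:00:02Z WKS-01 login.microsoftonline.com A",
    "2026-06-17T10:00:03Z WKS-02 cdn.chinarice.asia. AAAA",
    "2026-06-17T10:00:04Z WKS-03 rzrrent.com.example A",
]

def refang(value: str) -> str:
    """Turn the defanged 'hxxp(s)://' and '[.]' notation back into a usable indicator."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def ioc_domains(rows, min_confidence=0):
    """Build the domain set to hunt for; URL IOCs contribute their host as well."""
    domains = set()
    for ioc_type, value, confidence in rows:
        if confidence < min_confidence:  # lets an analyst drop the 75% entries if they prove noisy
            continue
        value = refang(value)
        host = urlsplit(value).hostname if ioc_type == "url" else value
        if host:
            domains.add(host.lower().rstrip("."))
    return domains

def match_dns(log_lines, domains):
    """Return (computer, query) pairs whose query is an IOC domain or a label beneath one.
    Whole-label comparison keeps 'rzrrent.com.example' from matching on the substring
    'rzrrent.com', while a subdomain such as 'cdn.chinarice.asia' is still caught.
    """
    hits = []
    for line in log_lines:
        _time, computer, query, _qtype = line.split()
        q = query.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in domains):
            hits.append((computer, q))
    return hits
```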
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: Exclude tasks associated with schtasks.exe or Task Scheduler with known maintenance scripts (e.g., C:\Windows\System32\schedsvc.exe).
Scenario: Admin Tool for Log Management
Description: An admin uses a tool like LogParser.exe or PowerShell scripts to parse and analyze logs, which may include paths or commands resembling Vidar IOCs.
Filter/Exclusion: Exclude processes initiated by PowerShell.exe or LogParser.exe with known log analysis scripts or from the C:\Windows\System32\ directory.
Scenario: Antivirus Quarantine Scan
Description: A legitimate antivirus tool (e.g., Malwarebytes, Bitdefender) quarantines a file that matches the IOC pattern during a scan.
Filter/Exclusion: Exclude processes related to antivirus tools (e.g., mbam.exe, bdagent.exe) or files in quarantine directories.
Scenario: Database Backup Job
Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) generates temporary files or logs that match the IOC pattern.
Filter/Exclusion: Exclude processes related to sqlbackup.exe, mysqldump.exe, or files in backup directories (e.g., C:\ProgramData\MySQL\).
Scenario: Network Monitoring Tool
Description: A network monitoring tool (e.g., Wireshark, tcpdump) generates logs or output files that contain strings matching Vidar IOCs.
Filter/Exclusion: Exclude processes related to Wireshark.exe, `tcpdump