The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be exfiltrating data or establishing persistence within the network.
IOC Summary

| Malware Family | Total IOCs | IOC Types |
|---|---|---|
| Vidar | 5 | domain, url |
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sam.glamisdunesrentals.com/ | botnet_cc | 2026-06-10 | 100% |
| domain | sam.gagahsm188.top | botnet_cc | 2026-06-10 | 100% |
| url | hxxps://sam.gagahsm188.top/ | botnet_cc | 2026-06-10 | 100% |
| domain | sam.glamisdunesrentals.com | botnet_cc | 2026-06-10 | 100% |
| url | hxxps://mhsbm.gi/ | payload_delivery | 2026-06-10 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// The watchlist holds the domain-type IOCs from the table above (refanged).
let malicious_domains = dynamic(["sam.gagahsm188.top", "sam.glamisdunesrentals.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The watchlist holds the url-type IOCs from the table above, refanged from hxxps to https.
// UrlClickEvents is populated by Microsoft Defender for Office 365 Safe Links click data.
let malicious_urls = dynamic(["https://sam.glamisdunesrentals.com/", "https://sam.gagahsm188.top/", "https://mhsbm.gi/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
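The two queries above keep the domain and URL watchlists separate, so the host behind the payload-delivery URL (mhsbm.gi) never reaches the DNS hunt. The following Python script is an added example, not part of the original rule or of ThreatFox: it refangs the IOC values as published in the table, derives a single domain watchlist that also includes the hostnames of URL IOCs, renders both lists as KQL `dynamic([...])` literals for pasting into Sentinel, and runs a subdomain-aware match over a few constructed DnsEvents-style records. The sample records, the `refang` helper and the `hunt` function are assumptions made for this example.

```python
"""Normalize ThreatFox-style IOCs and match them against DNS query records."""
import json
from typing import Optional
from urllib.parse import urlparse

# IOC rows copied from the rule's table, defanged (hxxps) exactly as published.
IOCS = [
    {"type": "url", "value": "hxxps://sam.glamisdunesrentals.com/", "threat": "botnet_cc"},
    {"type": "domain", "value": "sam.gagahsm188.top", "threat": "botnet_cc"},
    {"type": "url", "value": "hxxps://sam.gagahsm188.top/", "threat": "botnet_cc"},
    {"type": "domain", "value": "sam.glamisdunesrentals.com", "threat": "botnet_cc"},
    {"type": "url", "value": "hxxps://mhsbm.gi/", "threat": "payload_delivery"},
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] or (.) -> '.'."""
    v = value.replace("[.]", ".").replace("(.)", ".")
    lower = v.lower()
    for bad, good in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if lower.startswith(bad):
            v = good + v[len(bad):]
            break
    return v


def build_watchlists(iocs):
    """Return (domains, urls). Hosts of URL IOCs are folded into the domain list
    so a DNS hunt also catches resolution of the payload-delivery host."""
    domains, urls = set(), set()
    for ioc in iocs:
        value = refang(ioc["value"])
        if ioc["type"] == "domain":
            domains.add(value.lower())
        elif ioc["type"] == "url":
            urls.add(value)
            host = urlparse(value).hostname
            if host:
                domains.add(host.lower())
    return sorted(domains), sorted(urls)


def to_kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal; json.dumps produces valid quoting."""
    return "dynamic(" + json.dumps(list(values)) + ")"


def domain_matches(query_name: str, domains) -> Optional[str]:
    """Return the IOC domain if the queried name is that domain or a subdomain of it.
    The leading dot in the suffix check stops lookalikes such as notsam.<ioc> matching."""
    name = query_name.rstrip(".").lower()
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed DnsEvents-style records for the demo; not real telemetry.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:02:14Z", "Computer": "WS-0142", "Name": "sam.gagahsm188.top"},
    {"TimeGenerated": "2026-06-11T08:02:15Z", "Computer": "WS-0142", "Name": "cdn.mhsbm.gi."},
    {"TimeGenerated": "2026-06-11T08:03:01Z", "Computer": "WS-0077", "Name": "login.microsoftonline.com"},
    {"TimeGenerated": "2026-06-11T08:04:40Z", "Computer": "WS-0077", "Name": "notsam.glamisdunesrentals.com"},
]


def hunt(events, domains):
    """Return the events whose queried name hits the watchlist, tagged with the matched IOC."""
    hits = []
    for ev in events:
        matched = domain_matches(ev["Name"], domains)
        if matched:
            hits.append({**ev, "MatchedIoc": matched})
    return hits


if __name__ == "__main__":
    domain_list, url_list = build_watchlists(IOCS)
    print("let malicious_domains = " + to_kql_dynamic(domain_list) + ";")
    print("let malicious_urls = " + to_kql_dynamic(url_list) + ";")
    for hit in hunt(SAMPLE_DNS_EVENTS, domain_list):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIoc"])
```

The printed `let` lines can be dropped straight into the Sentinel queries above; the lookalike record (`notsam.glamisdunesrentals.com`) is deliberately not reported, while the subdomain record (`cdn.mhsbm.gi.`, with a trailing dot as some resolvers log it) is.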
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job for system maintenance using schtasks.exe | Exclude processes initiated by schtasks.exe with known legitimate task names (e.g., Windows Update, Disk Defragmenter) |
| Admin using PowerShell to generate reports with Export-Csv | Exclude PowerShell scripts that use Export-Csv and are executed from known admin tools or scripts located in the C:\Windows\System32 directory |
| IT staff using PsExec to remotely manage services on the network | Exclude processes initiated by PsExec with valid service names and originating from trusted IP ranges or internal network segments |
| Regular use of Windows Task Scheduler for log cleanup | Exclude tasks that run under SYSTEM context and are associated with log cleanup or event log management tools like eventvwr.exe |
| Use of CertUtil for certificate management in a secure environment | Exclude processes involving CertUtil that are part of certificate renewal or management workflows, especially when executed by domain administrators or from trusted certificate stores |