The ThreatFox: Vidar IOCs rule detects potential data exfiltration activity associated with the Vidar malware, which is commonly used to steal sensitive information from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Vidar for long-term data theft.
IOC Summary
Malware Family: Vidar Total IOCs: 11 IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]201[.]253[.]58:443 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 178[.]104[.]213[.]40:443 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 185[.]56[.]45[.]79:443 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 178[.]105[.]3[.]9:443 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 178[.]105[.]15[.]180:443 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 185[.]56[.]45[.]50:443 | botnet_cc | 2026-04-24 | 100% |
| url | hxxps://185[.]56[.]45[.]50/ | botnet_cc | 2026-04-24 | 100% |
| url | hxxps://178[.]104[.]213[.]40/ | botnet_cc | 2026-04-24 | 100% |
| url | hxxps://185[.]56[.]45[.]79/ | botnet_cc | 2026-04-24 | 100% |
| url | hxxps://178[.]105[.]3[.]9/ | botnet_cc | 2026-04-24 | 100% |
| url | hxxps://178[.]105[.]15[.]180/ | botnet_cc | 2026-04-24 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["178.104.213.40", "185.56.45.50", "195.201.253.58", "185.56.45.79", "178.105.3.9", "178.105.15.180"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["178.104.213.40", "185.56.45.50", "195.201.253.58", "185.56.45.79", "178.105.3.9", "178.105.15.180"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://185.56.45.50/", "https://178.104.213.40/", "https://185.56.45.79/", "https://178.105.3.9/", "https://178.105.15.180/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system maintenance using PowerShell to clean temporary files
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%clean%'
Scenario: Admin task using Windows Task Scheduler to run a database backup
Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '/RU SYSTEM'
Scenario: Use of LogParser to analyze IIS logs for performance monitoring
Filter/Exclusion: process.name != "logparser.exe" OR process.args NOT LIKE '/iislog'
Scenario: Security tool OSSEC performing log analysis and alerting on suspicious activity
Filter/Exclusion: process.name != "ossec.exe" OR process.args NOT LIKE '/log'
Scenario: IT team using PowerShell to deploy patches via Group Policy
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE 'GroupPolicy'