This hunt hypothesis targets potential Vidar malware activity, identified through suspicious network connections and file artifacts associated with credential theft and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats targeting financial institutions.
IOC Summary

Malware Family: Vidar
Total IOCs: 9
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gin.websitearaxa.com | botnet_cc | 2026-04-20 | 100% |
| url | hxxps://gin.websitearaxa.com/ | botnet_cc | 2026-04-20 | 100% |
| url | hxxps://ts.bhaaratkeeshakti.vip/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=333.exe | payload_delivery | 2026-04-20 | 75% |
| url | hxxps://radiorunacunapac.com/ | payload_delivery | 2026-04-20 | 75% |
| url | hxxps://blessstav.cz/ | payload_delivery | 2026-04-20 | 75% |
| domain | scd.aasscc.how | botnet_cc | 2026-04-20 | 75% |
| url | hxxps://scd.aasscc.how/ | botnet_cc | 2026-04-20 | 75% |
| domain | scd.cebolinhaburger.com | botnet_cc | 2026-04-20 | 75% |
| url | hxxps://scd.cebolinhaburger.com/ | botnet_cc | 2026-04-20 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any uses term matching, so lookups for subdomains of these names also match
let malicious_domains = dynamic(["gin.websitearaxa.com", "scd.aasscc.how", "scd.cebolinhaburger.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The URLs are refanged (https://) here because the Url column holds the real clicked value
let malicious_urls = dynamic(["https://gin.websitearaxa.com/", "https://ts.bhaaratkeeshakti.vip/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=333.exe", "https://radiorunacunapac.com/", "https://blessstav.cz/", "https://scd.aasscc.how/", "https://scd.cebolinhaburger.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
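The two queries above apply the IOC table directly, but an analyst usually has to refang the published values first, decide how subdomains and sub-paths should match, and choose a confidence cut-off. The following Python script is an added example, not part of the original page or of any ThreatFox tooling: it takes the IOC rows from the table on this page, refangs them, and runs them over a handful of constructed DNS and proxy log lines whose format (`<timestamp> <computer> dns <qname> <qtype>` and `<timestamp> <computer> proxy <user> <url> <status>`) is an assumption made for the example. Domain matching includes subdomains of a listed name, which mirrors how `has_any` term matching behaves in the KQL above; URL matching requires the same scheme and host and treats the listed path as a prefix.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC rows copied from the table on this page, kept in their published (defanged) form.
# Tuple layout: (type, value, threat_type, confidence)
IOCS = [
    ("domain", "gin.websitearaxa.com", "botnet_cc", 100),
    ("url", "hxxps://gin.websitearaxa.com/", "botnet_cc", 100),
    ("url", "hxxps://ts.bhaaratkeeshakti.vip/fwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsda/uploads/EFewefwewFEW342234423234feWEEFWWefewefweffewwefEWF.php?file=333.exe", "payload_delivery", 75),
    ("url", "hxxps://radiorunacunapac.com/", "payload_delivery", 75),
    ("url", "hxxps://blessstav.cz/", "payload_delivery", 75),
    ("domain", "scd.aasscc.how", "botnet_cc", 75),
    ("url", "hxxps://scd.aasscc.how/", "botnet_cc", 75),
    ("domain", "scd.cebolinhaburger.com", "botnet_cc", 75),
    ("url", "hxxps://scd.cebolinhaburger.com/", "botnet_cc", 75),
]

# Constructed sample log lines (assumed format, not real telemetry).
SAMPLE_LOG = [
    "2026-04-21T08:02:11Z WS-042 dns gin.websitearaxa.com A",
    "2026-04-21T08:02:13Z WS-042 proxy jdoe https://gin.websitearaxa.com/ 200",
    "2026-04-21T08:05:40Z WS-042 dns api.scd.aasscc.how A",                # subdomain of a listed C2 domain
    "2026-04-21T08:06:02Z WS-017 proxy mroe https://radiorunacunapac.com/setup 200",  # sub-path of a listed URL
    "2026-04-21T08:09:55Z WS-017 dns login.microsoftonline.com A",         # benign
    "2026-04-21T08:10:20Z WS-017 proxy mroe https://example.com/ 200",     # benign
]

DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<computer>\S+) dns (?P<qname>\S+) (?P<qtype>\S+)$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<computer>\S+) proxy (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Gin.websitearaxa.com.' compares equal."""
    return host.strip().lower().rstrip(".")


@dataclass(frozen=True)
class Hit:
    line: str
    ioc_type: str
    ioc_value: str
    threat_type: str
    confidence: int


def build_indicators(iocs, min_confidence: int = 0):
    """Split the IOC rows into normalized domain and URL indicators above a confidence floor."""
    domains, urls = [], []
    for ioc_type, value, threat, conf in iocs:
        if conf < min_confidence:
            continue
        if ioc_type == "domain":
            domains.append((normalize_host(value), threat, conf))
        elif ioc_type == "url":
            parts = urlsplit(refang(value))
            urls.append((parts.scheme.lower(), normalize_host(parts.hostname or ""), parts.path or "/", threat, conf))
    return domains, urls


def domain_matches(host: str, domain: str) -> bool:
    """Exact match or a subdomain of the indicator (same behaviour as has_any term matching)."""
    host = normalize_host(host)
    return host == domain or host.endswith("." + domain)


def match_dns_query(qname: str, domains):
    for domain, threat, conf in domains:
        if domain_matches(qname, domain):
            return ("domain", domain, threat, conf)
    return None


def match_url(observed: str, urls):
    """Same scheme and host, and the listed path is a prefix of the observed path."""
    p = urlsplit(observed)
    host, path = normalize_host(p.hostname or ""), p.path or "/"
    for scheme, ihost, ipath, threat, conf in urls:
        if p.scheme.lower() == scheme and host == ihost and path.startswith(ipath):
            return ("url", f"{scheme}://{ihost}{ipath}", threat, conf)
    return None


def hunt(lines, iocs, min_confidence: int = 0):
    """Return a Hit for every DNS or proxy line that matches an indicator."""
    domains, urls = build_indicators(iocs, min_confidence)
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            result = match_dns_query(m["qname"], domains)
        else:
            m = PROXY_LINE.match(line)
            result = match_url(m["url"], urls) if m else None
        if result:
            hits.append(Hit(line, *result))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, IOCS, min_confidence=75):
        print(f"[{hit.confidence}% {hit.threat_type}] {hit.ioc_type}={hit.ioc_value} <- {hit.line}")
```

Raising `min_confidence` to 100 keeps only the `gin.websitearaxa.com` indicators, which is the kind of tiering worth applying before an IOC list is promoted from a hunt query to an analytics rule, since the 75% payload-delivery URLs are more likely to page on benign traffic than the 100% C2 domain.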
Scenario: Legitimate scheduled job for system maintenance
Description: A system administrator schedules a PowerShell script using Task Scheduler to perform routine system cleanup or patching.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or filter based on the presence of known legitimate PowerShell scripts in the C:\Windows\System32 directory.

Scenario: Admin using Cobalt Strike for red team exercise
Description: A red team member uses Cobalt Strike to simulate a breach, including the use of Mimikatz to extract credentials as part of a controlled security test.
Filter/Exclusion: Exclude processes originating from known red team tools (e.g., Cobalt Strike, Mimikatz) or filter based on the presence of a known red team IP or domain in the environment.

Scenario: Automated backup process using VSS (Volume Shadow Copy Service)
Description: A backup tool like Veeam or Acronis uses VSS to create snapshots of the system, which may involve memory or disk access that could trigger the rule.
Filter/Exclusion: Exclude processes associated with backup tools (e.g., VssServer.exe, VeeamBackup.exe) or filter based on the presence of backup-related directories or files.

Scenario: Legitimate use of PowerShell for log analysis
Description: A security analyst runs a PowerShell script to analyze logs for suspicious activity, which may involve querying system event logs or memory dumps.
Filter/Exclusion: Exclude processes initiated from known analyst tools (e.g., PowerShell.exe launched from Sysmon or LogParser) or filter based on the presence of a known analyst IP or user account.

Scenario: Admin using PsExec for remote management
Description: An administrator uses PsExec to remotely execute commands on a Windows machine, which may