The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware by matching known indicators of compromise (file hashes, in this rule) against files observed on endpoints. SOC teams should proactively hunt for this activity in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: Vidar
Total IOCs: 9
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 64e9b14f81a21120b831e19ef94f902e | payload | 2026-06-20 | 95% |
| sha256_hash | d0da8e7c8c47561a8b9f78b38e31e02964dcf4ae1d10cc01a99e409d20ad73ef | payload | 2026-06-20 | 95% |
| sha1_hash | 1f8e8faddb98e2e6cd723c4c1854000281ef3913 | payload | 2026-06-20 | 95% |
| sha256_hash | 2af09010211b22731abbc733c648be84f75ac947f919ac895374dd28719c32f6 | payload | 2026-06-20 | 95% |
| sha1_hash | 85af6e8ac64a65f9f163199e6cc85ee5409dd74f | payload | 2026-06-20 | 95% |
| md5_hash | 4a9c90e7662bc3876f4ef627816c6eff | payload | 2026-06-20 | 95% |
| md5_hash | 8820cc652b0c3ed6dfff7c4032f646b1 | payload | 2026-06-20 | 95% |
| sha256_hash | 0dcbe5afb17831300599e9cdc3c8a655c1380c86a1562db04fec664677a50e20 | payload | 2026-06-20 | 95% |
| sha1_hash | bf382fab74d8255350a0058f5dbec9a0742f81a5 | payload | 2026-06-20 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Vidar
let malicious_hashes = dynamic(["64e9b14f81a21120b831e19ef94f902e", "d0da8e7c8c47561a8b9f78b38e31e02964dcf4ae1d10cc01a99e409d20ad73ef", "1f8e8faddb98e2e6cd723c4c1854000281ef3913", "2af09010211b22731abbc733c648be84f75ac947f919ac895374dd28719c32f6", "85af6e8ac64a65f9f163199e6cc85ee5409dd74f", "4a9c90e7662bc3876f4ef627816c6eff", "8820cc652b0c3ed6dfff7c4032f646b1", "0dcbe5afb17831300599e9cdc3c8a655c1380c86a1562db04fec664677a50e20", "bf382fab74d8255350a0058f5dbec9a0742f81a5"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
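The same hunt can be reproduced offline against exported telemetry, which is useful for validating the rule before it is deployed or for checking a host that is not yet onboarded to Sentinel. The block below is an added example, not code from the original page or from ThreatFox: it takes the nine hashes from the IOC table, buckets them by digest length so each is compared only against the matching MD5, SHA1 or SHA256 column, lower-cases the event values before comparison (KQL `in` is case-sensitive, and some tooling emits upper-case digests), and rejects malformed IOCs instead of silently never matching them. The sample DeviceFileEvents rows, hostnames, paths and the all-zero "clean" digest are constructed.

```python
"""Offline equivalent of the hash-hunt KQL above (added example, not part of the
original page or the ThreatFox feed): bucket the page's IOCs by hash type,
normalise case, and match them against constructed DeviceFileEvents-style records."""
import re
from typing import Dict, List, Set

# Hashes taken from the IOC table above. Everything else in this block is constructed.
THREATFOX_VIDAR_HASHES = [
    "64e9b14f81a21120b831e19ef94f902e",
    "d0da8e7c8c47561a8b9f78b38e31e02964dcf4ae1d10cc01a99e409d20ad73ef",
    "1f8e8faddb98e2e6cd723c4c1854000281ef3913",
    "2af09010211b22731abbc733c648be84f75ac947f919ac895374dd28719c32f6",
    "85af6e8ac64a65f9f163199e6cc85ee5409dd74f",
    "4a9c90e7662bc3876f4ef627816c6eff",
    "8820cc652b0c3ed6dfff7c4032f646b1",
    "0dcbe5afb17831300599e9cdc3c8a655c1380c86a1562db04fec664677a50e20",
    "bf382fab74d8255350a0058f5dbec9a0742f81a5",
]

# Hex-digest length tells us which DeviceFileEvents column the IOC applies to.
HASH_COLUMN_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def bucket_iocs(hashes: List[str]) -> Dict[str, Set[str]]:
    """Group IOCs by the column they should be compared against.

    Raises ValueError on an IOC that is not a well-formed MD5/SHA1/SHA256 hex
    digest, so a corrupted feed line fails loudly instead of never matching.
    """
    buckets: Dict[str, Set[str]] = {col: set() for col in HASH_COLUMN_BY_LENGTH.values()}
    for raw in hashes:
        h = raw.strip().lower()
        column = HASH_COLUMN_BY_LENGTH.get(len(h))
        if column is None or not HEX_RE.match(h):
            raise ValueError(f"malformed hash IOC: {raw!r}")
        buckets[column].add(h)
    return buckets


def hunt(events: List[Dict[str, str]], hashes: List[str]) -> List[Dict[str, str]]:
    """Return events whose MD5/SHA1/SHA256 equals an IOC of the same type.

    Mirrors the KQL: a hit on any one hash column is enough. Event values are
    lower-cased first because KQL `in` is case-sensitive and some exporters
    emit upper-case digests.
    """
    buckets = bucket_iocs(hashes)
    hits = []
    for ev in events:
        for column, iocs in buckets.items():
            value = (ev.get(column) or "").strip().lower()
            if value and value in iocs:
                hits.append({**ev, "MatchedColumn": column, "MatchedHash": value})
                break  # one result row per event, like the KQL
    return hits


# Constructed sample rows; hostnames, paths and the all-zero clean digest are made up.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-21T09:14:02Z", "DeviceName": "ws-finance-07",
     "FileName": "invoice_viewer.exe", "FolderPath": "C:\\Users\\alice\\Downloads\\",
     "MD5": "64E9B14F81A21120B831E19EF94F902E",  # upper-case on purpose
     "SHA1": "", "SHA256": "", "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-21T09:20:45Z", "DeviceName": "ws-finance-07",
     "FileName": "notepad.exe", "FolderPath": "C:\\Windows\\System32\\",
     "MD5": "", "SHA1": "",
     "SHA256": "0" * 64,  # constructed benign value, never in the IOC list
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-21T10:02:11Z", "DeviceName": "srv-build-02",
     "FileName": "setup.tmp", "FolderPath": "C:\\Windows\\Temp\\",
     "MD5": "", "SHA1": "bf382fab74d8255350a0058f5dbec9a0742f81a5", "SHA256": "",
     "InitiatingProcessFileName": "powershell.exe"},
]


def hunt_sample() -> List[Dict[str, str]]:
    """Run the hunt over the constructed sample, newest first, as the KQL orders it."""
    return sorted(hunt(SAMPLE_EVENTS, THREATFOX_VIDAR_HASHES),
                  key=lambda e: e["Timestamp"], reverse=True)


if __name__ == "__main__":
    for hit in hunt_sample():
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"],
              hit["MatchedColumn"], hit["MatchedHash"])
```

Two of the three constructed rows match (one via an upper-cased MD5, one via SHA1); the benign row does not. When adapting this to real exports, keep the per-column bucketing: comparing every IOC against every column works only because digest lengths differ, and the length check is what makes a truncated or mistyped feed entry fail validation rather than disappear.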
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using schtasks.exe to run a maintenance script | Exclude processes initiated by schtasks.exe with known legitimate script paths (e.g., C:\Windows\System32\Tasks\) |
| System update using Microsoft Update (e.g., wuauclt.exe) | Exclude processes with wuauclt.exe or msiexec.exe associated with known Microsoft update packages |
| Admin task using PowerShell to configure system settings (e.g., powershell.exe -Command) | Exclude PowerShell processes with command lines containing Set-ItemProperty, Get-ChildItem, or Invoke-Command with known valid registry paths |
| Log file analysis using logparser.exe or eventvwr.exe | Exclude processes initiated by logparser.exe or eventvwr.exe with known log analysis scripts or queries |
| Antivirus or endpoint protection tool performing a scan (e.g., msseces.exe, mpsvc.exe) | Exclude processes with known antivirus tool names and paths (e.g., C:\Program Files\Windows Defender\ or C:\Program Files\Kaspersky\) |