The ThreatFox: Vidar IOCs rule flags network activity that matches indicators of compromise published on ThreatFox for Vidar, an information stealer that harvests browser credentials, cookies and cryptocurrency wallet data and sends them to its command and control (C2) servers. Every indicator below is C2 infrastructure (threat type botnet_cc), so a match means a host has resolved or connected to known Vidar C2 and should be treated as a probable stealer infection: isolate the host, identify the initiating process, and reset the credentials and sessions stored on it. SOC teams should hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel) with the queries below rather than wait for an alert.
IOC Summary
Malware Family: Vidar
Total IOCs: 6
IOC Types: ip:port, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]56[.]45[.]63:443 | botnet_cc | 2026-04-21 | 100% |
| url | hxxps://185[.]56[.]45[.]63/ | botnet_cc | 2026-04-21 | 100% |
| domain | div.aasscc.how | botnet_cc | 2026-04-20 | 75% |
| url | hxxps://div.aasscc.how/ | botnet_cc | 2026-04-20 | 75% |
| domain | div.cebolinhaburger.com | botnet_cc | 2026-04-20 | 75% |
| url | hxxps://div.cebolinhaburger.com/ | botnet_cc | 2026-04-20 | 75% |
```kusto
// Hunt for network connections to known malicious IPs (CEF/Syslog sources: firewalls, proxies)
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["185.56.45.63"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// The ThreatFox indicator is 185.56.45.63:443; keep the port in the output so a
// connection to another service on the same host can be told apart during triage
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["185.56.45.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// Initiating process, command line and account are what the false-positive scenarios below key on
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["div.aasscc.how", "div.cebolinhaburger.com"]);
DnsEvents
// has_any matches whole terms, so subdomains of an IOC are caught as well as the exact name
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for clicks on known malicious URLs
// Source: ThreatFox - Vidar
// UrlClickEvents only holds Safe Links clicks from Defender for Office 365 (mail, Teams, Office);
// browser traffic from endpoints is in DeviceNetworkEvents.RemoteUrl and proxy logs in CommonSecurityLog
let malicious_urls = dynamic(["https://185.56.45.63/", "https://div.aasscc.how/", "https://div.cebolinhaburger.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors (e.g., Common Event Format via AMA); make sure the firewall or proxy that sees this traffic is onboarded |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector with Defender for Endpoint raw events enabled |
| DnsEvents | Requires the DNS (Windows DNS Server) connector; the AMA-based Windows DNS connector writes to ASimDnsActivityLogs instead, so change the table name if that is what you use |
| UrlClickEvents | Requires the Microsoft Defender XDR connector; only Safe Links clicks from Defender for Office 365 land here |
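The queries above each handle one indicator type, and the false-positive notes that follow need exclusions with AND semantics. The script below is an added example for this page, not ThreatFox or Sentinel code: it refangs the six IOCs from the table, builds a matcher with the same per-type rules the queries rely on (socket match for ip:port, exact-or-subdomain for domains, normalised prefix match for URLs), runs it over constructed sample rows shaped like DeviceNetworkEvents and DnsEvents, applies a scoped exclusion, and emits a CSV you could upload as a Sentinel watchlist (the column names are this example's own choice).

```python
"""Refang the Vidar IOCs from the table above, match them against telemetry the way the
hunting queries do, and apply an exclusion with correct AND logic. Added example, not
ThreatFox or Sentinel code; sample events are constructed, watchlist columns are ours."""
import csv
import io
from urllib.parse import urlsplit

# The six IOCs exactly as defanged on this page: (type, value, confidence %).
DEFANGED_IOCS = [
    ("ip:port", "185[.]56[.]45[.]63:443", 100),
    ("url", "hxxps://185[.]56[.]45[.]63/", 100),
    ("domain", "div.aasscc.how", 75),
    ("url", "hxxps://div.aasscc.how/", 75),
    ("domain", "div.cebolinhaburger.com", 75),
    ("url", "hxxps://div.cebolinhaburger.com/", 75),
]


def refang(value):
    """Undo hxxp / [.] defanging so the value can be compared with real telemetry."""
    return (value.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def norm_url(url):
    """Lower-case scheme and host, keep the path: case games must not dodge a match."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


class IocSet:
    """Indexed IOCs with per-type match rules instead of naive substring matching."""

    def __init__(self, iocs):
        self.ip_ports, self.ips, self.domains, self.urls = set(), set(), set(), set()
        for kind, raw, _conf in iocs:
            v = refang(raw)
            if kind == "ip:port":
                ip, port = v.rsplit(":", 1)
                self.ip_ports.add((ip, int(port)))
                self.ips.add(ip)
            elif kind == "domain":
                self.domains.add(v.lower().rstrip("."))
            elif kind == "url":
                self.urls.add(norm_url(v))

    def match_ip(self, ip, port=None):
        """'ip:port' for the exact C2 socket, 'ip' for the host on another port, else None."""
        if port is not None and (ip, port) in self.ip_ports:
            return "ip:port"
        return "ip" if ip in self.ips else None

    def match_domain(self, name):
        """Exact name or subdomain of an IOC; the IOC's own parent domain is not a hit."""
        name = name.lower().rstrip(".")
        return next((d for d in self.domains if name == d or name.endswith("." + d)), None)

    def match_url(self, url):
        """Prefix match on the normalised URL; the IOC's trailing '/' stops host.tld.evil."""
        n = norm_url(url)
        return next((u for u in self.urls if n.startswith(u)), None)


def hunt(events, iocs, exclusions=()):
    """Return (event, reason) per IOC hit. An exclusion dict suppresses a hit only when
    ALL its field values match (AND); an OR of '!=' tests on one field is always true."""
    hits = []
    for e in events:
        m = e.get("RemoteUrl") and iocs.match_url(e["RemoteUrl"])
        reason = m and f"url:{m}"
        if not reason and e.get("RemoteIP"):
            m = iocs.match_ip(e["RemoteIP"], e.get("RemotePort"))
            reason = m and f"{m}:{e['RemoteIP']}"
        if not reason and e.get("Name"):
            m = iocs.match_domain(e["Name"])
            reason = m and f"domain:{m}"
        excluded = any(all(e.get(k) == v for k, v in ex.items()) for ex in exclusions)
        if reason and not excluded:
            hits.append((e, reason))
    return hits


def to_watchlist_csv(iocs):
    """Refanged IOCs as CSV for a Sentinel watchlist upload (column names are ours)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["IndicatorType", "Indicator", "Confidence"])
    w.writerows((kind, refang(raw), conf) for kind, raw, conf in iocs)
    return buf.getvalue()


# Constructed sample rows shaped like DeviceNetworkEvents / DnsEvents.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "185.56.45.63", "RemotePort": 443,
     "InitiatingProcessFileName": "explorer.exe"},               # exact C2 socket
    {"DeviceName": "ws02", "RemoteIP": "185.56.45.63", "RemotePort": 80,
     "InitiatingProcessFileName": "chrome.exe"},                 # same host, other port
    {"Computer": "ws03", "Name": "cdn.div.aasscc.how"},          # subdomain of an IOC
    {"Computer": "ws03", "Name": "aasscc.how"},                  # parent domain: no hit
    {"Computer": "ws04", "Name": "notdiv.cebolinhaburger.com"},  # substring trap: no hit
    {"DeviceName": "ws05", "RemoteIP": "10.0.0.5", "RemotePort": 443,
     "RemoteUrl": "https://DIV.CEBOLINHABURGER.COM/gate",
     "InitiatingProcessFileName": "powershell.exe"},             # mixed-case URL hit
]

if __name__ == "__main__":
    for event, why in hunt(SAMPLE_EVENTS, IocSet(DEFANGED_IOCS)):
        print(why, event)
```

Run as-is it reports four hits out of the six sample rows; passing `exclusions=[{"DeviceName": "ws05", "InitiatingProcessFileName": "powershell.exe"}]` suppresses only the ws05 row, which is the shape an exclusion should take: scoped to a host and a process together, never to a process name alone.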
Tuning note: every IOC in this rule is a network indicator (IP, domain, URL), so a match is on the destination of a connection or DNS query, not on a process name or script. An exclusion therefore has to be scoped to the initiating process, account or device of the matching connection (InitiatingProcessFileName, InitiatingProcessAccountName, DeviceName in DeviceNetworkEvents). Note also that a filter of the form process.name != "a" or process.name != "b" is always true and excludes nothing; conditions must be combined with and, or written as not(...) as below. The 185.56.45.63 indicators are 100% confidence botnet C2, so triage any hit on them before considering an exclusion at all.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script (e.g., a PowerShell cleanup script) whose network activity hits one of the Vidar IOCs.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("schtasks.exe", "powershell.exe") and InitiatingProcessCommandLine has "<known cleanup script>") (if the task is known to use a specific tool; scope the exclusion to that script, since excluding powershell.exe outright would also hide real C2 traffic launched through PowerShell).
Scenario: Admin Performing Log Collection via PowerShell
Description: An admin uses PowerShell to collect logs, and the collection reaches a host or URL listed in the Vidar IOCs.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessAccountName =~ "admin_account") (if the admin account is known; the account condition is required, since an exclusion on powershell.exe alone is too broad).
Scenario: Legitimate Use of Windows Task Scheduler
Description: A job scheduled via Task Scheduler runs a file or command whose network activity hits one of the Vidar IOCs.
Filter/Exclusion: | where not(InitiatingProcessParentFileName =~ "taskhost.exe" and DeviceName =~ "<known host>") (to exclude that host's scheduled tasks; confirm the parent process in your own telemetry first, because task actions are often launched by svchost.exe hosting the Schedule service rather than by taskhost.exe).
Scenario: Software Update or Patching Process
Description: A patching tool or update manager (e.g., Microsoft Update, SCCM) fetches content from a host or URL listed in the Vidar IOCs.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("wusa.exe", "msiexec.exe") and DeviceName in~ ("<known patching host>")) (if the tool is known to use these processes; verify that the destination really belongs to the update source before excluding it).
Scenario: Use of a Legitimate Security Tool for Threat Hunting
Description: A security analyst uses a tool like osquery or Microsoft Defender for Endpoint (formerly Defender ATP) to query system state, and the hunt deliberately resolves or connects to the Vidar IOCs.
Filter/Exclusion: | where not(InitiatingProcessFileName in~ ("osqueryi.exe", "mpcmdrun.exe") and DeviceName =~ "<analyst workstation>") (if the tool is