The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]160[.]193[.]90:6666 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 18[.]162[.]74[.]188:112 | botnet_cc | 2026-06-11 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["43.160.193.90", "18.162.74.188"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["43.160.193.90", "18.162.74.188"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
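Both queries above match on IP address only and drop the port half of each ThreatFox ip:port indicator, so a hit on 43.160.193.90 on any port looks the same as a hit on the listed C2 port 6666. The following script is an added example, not ThreatFox's or the page's own code: it refangs the defanged `ip:port` rows as they appear in the IOC table, rejects rows that are not a valid IP and port (a constructed malformed row is included to show this), and generates a CommonSecurityLog hunt that keeps the broad IP match but flags exact ip:port hits so an analyst can triage those first. The refanging rules (`[.]`, `hxxp`) and the `tostring(DestinationPort)` cast are assumptions made here; the column names are the ones used in the page's own query.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample rows in ThreatFox's defanged ip:port style. The two valid
# rows mirror the IOC table on this page; the third is a deliberately malformed
# row constructed here to show that bad indicators are rejected rather than
# silently pasted into a query.
SAMPLE_IOCS = [
    "43[.]160[.]193[.]90:6666",
    "18[.]162[.]74[.]188:112",
    "not-an-ip[.]example:80",
]


def refang(value: str) -> str:
    """Reverse the defanging used in IOC feeds ('[.]' for '.', 'hxxp' for 'http')."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(value: str) -> Tuple[str, int]:
    """Split a defanged 'ip:port' indicator into a validated (ip, port) tuple."""
    host, _, port = refang(value).rpartition(":")
    host = host.strip("[]")            # tolerate '[v6addr]:port' notation
    ip = ipaddress.ip_address(host)    # ValueError for anything that is not an IP
    port_num = int(port)               # ValueError for a non-numeric port
    if not 0 < port_num <= 65535:
        raise ValueError("port out of range: %d" % port_num)
    return str(ip), port_num


def parse_iocs(rows: List[str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (valid (ip, port) pairs, rejected raw rows), preserving feed order."""
    good, bad = [], []
    for row in rows:
        try:
            good.append(parse_ip_port(row))
        except ValueError:
            bad.append(row)
    return good, bad


def kql_dynamic(values: List[str]) -> str:
    """Render a list of strings as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join('"%s"' % v for v in values) + "])"


def build_sentinel_query(iocs: List[Tuple[str, int]]) -> str:
    """Build a CommonSecurityLog hunt: broad IP match, with exact ip:port hits flagged."""
    ips = list(dict.fromkeys(ip for ip, _ in iocs))          # dedupe, keep feed order
    pairs = ["%s:%d" % (ip, port) for ip, port in iocs]
    return "\n".join([
        "// Generated from ThreatFox ip:port indicators",
        "let malicious_ips = %s;" % kql_dynamic(ips),
        "let malicious_pairs = %s;" % kql_dynamic(pairs),
        "CommonSecurityLog",
        "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)",
        "| extend DestPair = strcat(DestinationIP, ':', tostring(DestinationPort))",
        "| extend ExactPortMatch = DestPair in (malicious_pairs)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, "
        "ExactPortMatch, DeviceAction, Activity",
        "| order by ExactPortMatch desc, TimeGenerated desc",
    ])


if __name__ == "__main__":
    valid, rejected = parse_iocs(SAMPLE_IOCS)
    print("rejected rows:", rejected)
    print(build_sentinel_query(valid))
```

Keeping the IP-only match is deliberate: C2 infrastructure is often reused on other ports, so narrowing the `where` clause to the exact pair would lose real hits. Flagging the exact pair instead gives a sort key for triage without shrinking the search.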
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A system administrator schedules a legitimate maintenance task using schtasks.exe, which may trigger the detection due to its presence.
Filter/Exclusion: Check for schtasks.exe with command-line arguments containing /create and a known legitimate task name (e.g., Windows Defender Maintenance).
Scenario: Admin using PowerShell for script execution
Description: An administrator runs a PowerShell script to automate routine tasks, which may include IOCs associated with ValleyRAT due to similar command-line structures.
Filter/Exclusion: Filter events where the process is powershell.exe and the command line includes -File or -Command with a known internal script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Legitimate software update using msiexec.exe
Description: A software update process using msiexec.exe may trigger the rule if the update package contains similar IOCs as ValleyRAT.
Filter/Exclusion: Exclude events where the process is msiexec.exe and the command line includes /i followed by a known internal update package path (e.g., C:\Windows\Temp\update.msi).
Scenario: System backup using wbadmin.exe
Description: A system backup initiated via wbadmin.exe may trigger the rule if the backup process includes files or commands that match ValleyRAT IOCs.
Filter/Exclusion: Filter for wbadmin.exe with command-line arguments containing /backup and a known backup destination path (e.g., C:\Backup\).
Scenario: Legitimate log collection using logman.exe