ValleyRAT uses the command-and-control infrastructure listed below to maintain persistence and exfiltrate data from compromised networks. SOC teams should proactively hunt for connections to this infrastructure in Microsoft Sentinel to identify and mitigate potential long-term compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 108[.]187[.]4[.]141:558 | botnet_cc | 2026-04-20 | 75% |
| ip:port | 108[.]187[.]4[.]141:557 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 202[.]95[.]8[.]221:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 134[.]122[.]203[.]197:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 57[.]158[.]24[.]51:443 | botnet_cc | 2026-04-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["57.158.24.51", "108.187.4.141", "202.95.8.221", "134.122.203.197"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["57.158.24.51", "108.187.4.141", "202.95.8.221", "134.122.203.197"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
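The two queries above match on IP alone, so a shared host reached on an unrelated port fires the hunt just as loudly as a true C2 connection. As an added example (not part of the original page's queries), the query below matches on the full ip:port pair from the IOC table across both data sources, carries the per-IOC confidence through, and rolls hits up per device; the 30-day window and the use of `Computer` as the CommonSecurityLog host column are assumptions.

```kql
// Added example: match on the exact ip:port pairs from the IOC table (refanged),
// so an IP seen on a port that is not in the IOC set does not count as a hit.
let valleyrat_c2 = datatable(RemoteIP:string, RemotePort:int, Confidence:int)
[
    "108.187.4.141",   558, 75,
    "108.187.4.141",   557, 100,
    "202.95.8.221",    443, 100,
    "134.122.203.197", 443, 100,
    "57.158.24.51",    443, 100
];
// Defender for Endpoint: join on both IP and port, keep the initiating process for triage
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(30d)   // assumed hunting window
    | join kind=inner valleyrat_c2 on RemoteIP, RemotePort
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
              RemoteIP, RemotePort, Confidence, Source = "DeviceNetworkEvents";
// Firewall/proxy logs in CommonSecurityLog: rename columns so both sources union cleanly
let csl_hits = CommonSecurityLog
    | where TimeGenerated > ago(30d)
    | extend RemoteIP = DestinationIP, RemotePort = toint(DestinationPort)
    | join kind=inner valleyrat_c2 on RemoteIP, RemotePort
    | project Timestamp = TimeGenerated, DeviceName = Computer,   // Computer is an assumed host column
              InitiatingProcessFileName = "", InitiatingProcessCommandLine = "",
              RemoteIP, RemotePort, Confidence, Source = "CommonSecurityLog";
// One row per device and C2 endpoint, highest-confidence and noisiest first
union mde_hits, csl_hits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Sources = make_set(Source), Processes = make_set(InitiatingProcessFileName)
    by DeviceName, RemoteIP, RemotePort, Confidence
| order by Confidence desc, Hits desc
```

Devices that appear from both sources with a non-empty `Processes` set are the strongest leads; a hit on port 558 alone (the 75% IOC) warrants a look at the initiating process before escalating.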
Scenario: Legitimate scheduled job using schtasks.exe
Description: A scheduled task is created using schtasks.exe to run a maintenance script, which coincidentally matches one of the IOCs associated with ValleyRAT.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command line or script path, e.g., schtasks.exe /create /tn "Weekly Backup" /tr "C:\scripts\backup.bat".
Scenario: Admin using netsh to configure firewall rules
Description: A system administrator is using netsh to configure firewall rules, which may include commands that match ValleyRAT IOC patterns.
Filter/Exclusion: Exclude processes with netsh.exe and command lines related to firewall configuration, e.g., netsh advfirewall firewall add rule name="Allow HTTP" dir=in action=allow protocol=TCP localport=80.
Scenario: Legitimate use of certutil for certificate management
Description: A system administrator is using certutil to import or export certificates, which may trigger an IOC related to ValleyRAT due to similar command structures.
Filter/Exclusion: Exclude processes with certutil.exe and command lines involving certificate operations, e.g., certutil -addstore -user TrustedPublisher certificate.cer.
Scenario: Software update using msiexec.exe
Description: A legitimate software update is being installed via msiexec.exe, which may have a file name or command line that matches ValleyRAT IOCs.
Filter/Exclusion: Exclude processes initiated by msiexec.exe with known update or installation command lines, e.g., msiexec.exe /i "C:\updates\software_update.msi".