The indicators below are associated with ValleyRAT, a remote access trojan that establishes persistence and exfiltrates data from the compromised network. SOC teams should proactively hunt for this activity to detect and mitigate this high-severity threat before it leads to data compromise or system control.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 7
IOC Types: md5_hash, ip:port, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 4f769db571821779a629ec34253e268c3ad78208 | payload | 2026-06-14 | 95% |
| md5_hash | 36b013c5e39acbe752709d0b2fc01006 | payload | 2026-06-14 | 95% |
| sha256_hash | b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd | payload | 2026-06-14 | 95% |
| sha256_hash | c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d | payload | 2026-06-14 | 95% |
| sha1_hash | 1f61163784b16b391bff874349cf5fe115b2b01d | payload | 2026-06-14 | 95% |
| md5_hash | 6382ad4c07f225406139f7ab90f2ccaf | payload | 2026-06-14 | 95% |
| ip:port | 38[.]46[.]13[.]178:65301 | botnet_cc | 2026-06-14 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["38.46.13.178"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["38.46.13.178"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ValleyRAT
let malicious_hashes = dynamic(["4f769db571821779a629ec34253e268c3ad78208", "36b013c5e39acbe752709d0b2fc01006", "b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd", "c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d", "1f61163784b16b391bff874349cf5fe115b2b01d", "6382ad4c07f225406139f7ab90f2ccaf"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
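The queries above assume the indicators have already been refanged and lower-cased by hand. As an added example (not part of the original page or the ThreatFox feed), the script below loads the IOC table exactly as published, refangs the `38[.]46[.]13[.]178:65301` entry, validates each hash against its declared type, and runs the same IP and hash matching over constructed sample events shaped like `DeviceNetworkEvents` and `DeviceFileEvents` rows. Unlike the KQL, it also records whether a network hit matched the published C2 port or only the address, which is useful for triage ordering. The hostnames, process names and non-IOC hash values in `SAMPLE_EVENTS` are constructed and do not come from the page.

```python
import re

# IOC rows copied from the table above (type|value); the IP is kept in the
# defanged form the feed publishes and is refanged when loaded.
IOC_TABLE = """\
sha1_hash|4f769db571821779a629ec34253e268c3ad78208
md5_hash|36b013c5e39acbe752709d0b2fc01006
sha256_hash|b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd
sha256_hash|c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d
sha1_hash|1f61163784b16b391bff874349cf5fe115b2b01d
md5_hash|6382ad4c07f225406139f7ab90f2ccaf
ip:port|38[.]46[.]13[.]178:65301
"""

# Expected hex digest length per hash type; a row whose length does not match
# its declared type is rejected instead of silently becoming a dead indicator.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value: str) -> str:
    """Undo the defanging used in the table ('38[.]46[.]13[.]178' -> '38.46.13.178')."""
    return value.replace("[.]", ".")


def load_iocs(table: str = IOC_TABLE):
    """Parse the IOC rows into a lowercase hash set, an IP set and an (ip, port) set."""
    hashes, ips, ip_ports = set(), set(), set()
    for line in table.strip().splitlines():
        ioc_type, value = (part.strip() for part in line.split("|", 1))
        value = refang(value)
        if ioc_type.endswith("_hash"):
            algo = ioc_type[: -len("_hash")]
            digest = value.lower()
            if len(digest) != HASH_LENGTHS[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {ioc_type}: {value}")
            hashes.add(digest)
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        else:
            raise ValueError(f"unknown IOC type: {ioc_type}")
    return hashes, ips, ip_ports


# Constructed sample events shaped like DeviceNetworkEvents / DeviceFileEvents
# rows; the hostnames, process names and non-IOC digests are made up.
SAMPLE_EVENTS = [
    {"table": "DeviceNetworkEvents", "DeviceName": "ws01", "RemoteIP": "38.46.13.178",
     "RemotePort": 65301, "InitiatingProcessFileName": "svchost.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "ws02", "RemoteIP": "38.46.13.178",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "ws03", "RemoteIP": "10.0.0.5",
     "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},
    # Upper-case digest as some telemetry emits it: must still match.
    {"table": "DeviceFileEvents", "DeviceName": "ws04", "FileName": "update.exe",
     "SHA256": "B48C97D1DADC4CB7E0C3303D556A1217CCCDD8839FE739D71A7C5F977B4810BD",
     "SHA1": "", "MD5": ""},
    {"table": "DeviceFileEvents", "DeviceName": "ws05", "FileName": "notepad.exe",
     "SHA256": "00" * 32, "SHA1": "11" * 20, "MD5": "22" * 16},
]


def match_events(events, hashes, ips, ip_ports):
    """Return one hit per event that touches an indicator.

    Network hits are tagged 'ip:port' when both the address and the published
    C2 port match, and 'ip_only' when just the address does, so an analyst can
    triage the exact-port hits first without dropping the weaker ones.
    """
    hits = []
    for ev in events:
        if ev["table"] == "DeviceNetworkEvents":
            ip, port = ev["RemoteIP"], ev["RemotePort"]
            if ip in ips:
                kind = "ip:port" if (ip, port) in ip_ports else "ip_only"
                hits.append({"DeviceName": ev["DeviceName"], "match": kind,
                             "indicator": f"{ip}:{port}",
                             "process": ev["InitiatingProcessFileName"]})
        elif ev["table"] == "DeviceFileEvents":
            for column in ("SHA256", "SHA1", "MD5"):
                digest = (ev.get(column) or "").lower()
                if digest in hashes:
                    hits.append({"DeviceName": ev["DeviceName"], "match": column.lower(),
                                 "indicator": digest, "file": ev["FileName"]})
                    break  # one hit per file is enough
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, *load_iocs()):
        print(hit)
```

Running the block on the constructed events yields three hits: `ws01` (address and port 65301), `ws02` (address only) and `ws04` (SHA256, despite the upper-case digest); `ws03` and `ws05` produce nothing. The strict length check in `load_iocs` is the piece most often missing from ad hoc IOC loaders: a truncated or mis-typed hash otherwise loads without error and never matches anything.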
Scenario: Legitimate scheduled job using schtasks.exe
Description: A legitimate scheduled task is configured to run a script or executable that matches one of the IOCs associated with ValleyRAT.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks.exe /create"
Scenario: System update or patching tool execution
Description: A system update or patching tool (e.g., WindowsUpdate.exe, msiexec.exe) is executing a package that matches an IOC from the ValleyRAT rule.
Filter/Exclusion: process.file_name contains "WindowsUpdate.exe" or process.file_name contains "msiexec.exe"
Scenario: Admin task using taskmgr.exe or tasklist.exe
Description: An administrator is using Task Manager or tasklist.exe to manage processes, which may trigger an IOC match due to process name similarity.
Filter/Exclusion: process.file_name contains "taskmgr.exe" or process.file_name contains "tasklist.exe"
Scenario: Legitimate software installation using msiexec.exe
Description: A legitimate software installation package is being executed via msiexec.exe, which may match an IOC due to similar command-line arguments.
Filter/Exclusion: process.file_name contains "msiexec.exe" and process.command_line contains "/i"
Scenario: Log file parsing or analysis tool execution
Description: A log analysis tool (e.g., logparser.exe, eventvwr.exe) is running and its execution path or command-line arguments match an IOC.
Filter/Exclusion: process.file_name contains "logparser.exe" or process.file_name contains "eventvwr.exe"