ValleyRAT is being used to establish remote access and exfiltrate data through compromised endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
- Malware Family: ValleyRAT
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]248[.]224[.]98:13380 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]84[.]185[.]69:6666 | botnet_cc | 2026-05-30 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["23.248.224.98", "47.84.185.69"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["23.248.224.98", "47.84.185.69"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
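The queries above match on IP only, although the IOCs are ip:port pairs. The following is an added example (not from the original page) that matches the exact pair and summarises per device, which cuts noise from unrelated traffic to a shared host; it assumes the standard DeviceNetworkEvents schema (RemoteIP as string, RemotePort as int).

```kql
// Added example: exact ip:port matching for the ValleyRAT C2 pairs above.
// The datatable holds the IOC pairs; the join keeps only events whose
// RemoteIP AND RemotePort both match, not any connection to the IP.
let valleyrat_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "23.248.224.98", 13380,
    "47.84.185.69",  6666
];
DeviceNetworkEvents
| where Timestamp > ago(30d)
// cheap prefilter on IP before the join
| where RemoteIP in ("23.248.224.98", "47.84.185.69")
| join kind=inner valleyrat_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemotePort
// repeated connections from the same process suggest beaconing rather than a one-off
| order by Connections desc
```

The same datatable can be joined to CommonSecurityLog after renaming its columns, for example `| join kind=inner (valleyrat_c2 | project DestinationIP = RemoteIP, DestinationPort = RemotePort) on DestinationIP, DestinationPort`.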
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using PowerShell for system maintenance | A scheduled task runs a PowerShell script to perform routine system updates or patching. | `process.name != "powershell.exe" OR process.parent.name != "schtasks.exe"` |
| Admin using Process Explorer to monitor processes | A system administrator uses Process Explorer (Sysinternals tool) to investigate suspicious activity. | `process.name != "procexp.exe" OR process.parent.name != "explorer.exe"` |
| Automated backup script using robocopy | A backup job uses robocopy to copy files from one location to another. | `process.name != "robocopy.exe" OR process.parent.name != "schtasks.exe"` |
| User running a legitimate remote access tool for IT support | A user connects to a remote desktop session using a legitimate RDP client. | `process.name != "mstsc.exe" OR process.parent.name != "explorer.exe"` |
| Log collection using Splunk Forwarder | A Splunk Universal Forwarder is configured to collect and send logs to a central server. | `process.name != "splunkforwarder.exe" OR process.parent.name != "services.exe"` |