The ThreatFox: ValleyRAT IOCs rule detects potential command and control activity associated with the ValleyRAT malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 8
IOC Types: sha256_hash, md5_hash, domain, sha1_hash, ip:port

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 9fb91bff7289b601bb0a7d91200fe770 | payload | 2026-06-17 | 95% |
| sha256_hash | 7e27deea413f5c390fd790423de9dc552a1e393187607485394044c4ddc85fdf | payload | 2026-06-17 | 95% |
| sha1_hash | c211776370bab8368f126d414eb2ea3d55ae7da8 | payload | 2026-06-17 | 95% |
| sha256_hash | 9ab135ec9d97c65caacdc2cd1ac166b7f491d8ad0635b3bd595a244ca6af9795 | payload | 2026-06-17 | 95% |
| sha1_hash | 6e2603b2cb7c1150b1d0d9f024c7283b4a749260 | payload | 2026-06-17 | 95% |
| md5_hash | bd2c666c8c598630a65ac6d481b96ee4 | payload | 2026-06-17 | 95% |
| ip:port | 134[.]122[.]155[.]147:23610 | botnet_cc | 2026-06-17 | 75% |
| domain | c[.]360ctct.com | botnet_cc | 2026-06-17 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["134.122.155.147"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["134.122.155.147"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["c.360ctct.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ValleyRAT
let malicious_hashes = dynamic(["9fb91bff7289b601bb0a7d91200fe770", "7e27deea413f5c390fd790423de9dc552a1e393187607485394044c4ddc85fdf", "c211776370bab8368f126d414eb2ea3d55ae7da8", "9ab135ec9d97c65caacdc2cd1ac166b7f491d8ad0635b3bd595a244ca6af9795", "6e2603b2cb7c1150b1d0d9f024c7283b4a749260", "bd2c666c8c598630a65ac6d481b96ee4"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
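The queries above take their `dynamic([...])` lists from the defanged IOC table by hand. The following helper, added here and not part of the ThreatFox feed or this rule, parses that table, refangs the values, splits `ip:port` into address and port, buckets hashes by algorithm (from digest length) so each list can be matched against only its own column, and renders the KQL `let` lines; the embedded table is a constructed subset of the rows on this page.

```python
import json
import re

# Constructed input: a subset of this page's IOC table, kept defanged as published.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 9fb91bff7289b601bb0a7d91200fe770 | payload | 2026-06-17 | 95% |
| sha256_hash | 7e27deea413f5c390fd790423de9dc552a1e393187607485394044c4ddc85fdf | payload | 2026-06-17 | 95% |
| sha1_hash | c211776370bab8368f126d414eb2ea3d55ae7da8 | payload | 2026-06-17 | 95% |
| ip:port | 134[.]122[.]155[.]147:23610 | botnet_cc | 2026-06-17 | 75% |
| domain | c[.]360ctct.com | botnet_cc | 2026-06-17 | 75% |
"""

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def refang(value: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4') back into its literal form."""
    return value.replace("[.]", ".")

def parse_ioc_table(text: str) -> list[dict]:
    """Parse the markdown IOC table into row dicts; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        rows.append({"type": cells[0], "value": refang(cells[1]), "threat": cells[2],
                     "seen": cells[3], "conf": int(cells[4].rstrip("%"))})
    return rows

def bucket_iocs(rows: list[dict], min_conf: int = 0) -> dict[str, list[str]]:
    """Group indicators per query: ip:port split into ip/port, hashes keyed by algorithm."""
    out: dict[str, list[str]] = {k: [] for k in ("ip", "port", "domain", "md5", "sha1", "sha256")}
    for r in rows:
        if r["conf"] < min_conf:
            continue  # optional confidence floor (ThreatFox C2 rows here are 75%)
        if r["type"] == "ip:port":
            ip, port = r["value"].rsplit(":", 1)
            out["ip"].append(ip)
            out["port"].append(port)
        elif r["type"] == "domain":
            out["domain"].append(r["value"].lower())
        elif r["type"].endswith("_hash"):
            algo = HASH_LEN.get(len(r["value"]))
            if algo and re.fullmatch(r"[0-9a-f]+", r["value"].lower()):
                out[algo].append(r["value"].lower())  # drop malformed digests
    return out

def kql_let(name: str, values: list[str]) -> str:
    """Render a KQL 'let <name> = dynamic([...]);' line for the top of a hunting query."""
    return f"let {name} = dynamic([{', '.join(json.dumps(v) for v in values)}]);"
```

With per-algorithm lists the file query can become `where SHA256 in (sha256_list) or SHA1 in (sha1_list) or MD5 in (md5_list)`, which avoids comparing every column against digests of the wrong length.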
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using Veeam Backup & Replication or Acronis True Image may trigger the rule due to similar file or network activity.
Filter/Exclusion: Exclude processes related to veeam.exe, acronis*.exe, or jobs with names containing “backup” or “snapshot”.
Scenario: Admin Task – Windows Task Scheduler Job
Description: A system administrator may run a legitimate task via Task Scheduler that uses similar command-line arguments or file paths as ValleyRAT.
Filter/Exclusion: Exclude tasks with Task Scheduler or schtasks.exe in the process tree, or filter by user account (e.g., SYSTEM or Administrator).
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or tcpdump may generate traffic that matches the IOC patterns used in the ValleyRAT detection.
Filter/Exclusion: Exclude traffic from wireshark.exe, tcpdump.exe, or filter by source/destination IP addresses associated with known monitoring tools.
Scenario: Software Update or Patching Process
Description: A legitimate software update process using Microsoft Update or WSUS may involve file hashes or network connections that match ValleyRAT IOCs.
Filter/Exclusion: Exclude processes related to wuauserv, svchost.exe (with wuauserv as the service name), or filter by update-related registry keys.
Scenario: Log Management Tool Data Collection
Description: A log management tool like Splunk or ELK Stack may generate logs or network traffic that resembles the behavior of ValleyRAT.
Filter/Exclusion: Exclude processes