The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]73[.]161[.]238:6667 | botnet_cc | 2026-06-05 | 100% |
| url | hxxp://gxfsxs.cn:8880/getinstall64 | botnet_cc | 2026-06-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["103.73.161.238"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["103.73.161.238"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - ValleyRAT
let malicious_urls = dynamic(["http://gxfsxs.cn:8880/getinstall64"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
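As an added example that is not part of the original page: a small Python helper that refangs the defanged ThreatFox values from the IOC table above (`[.]`, `hxxp`), splits each ip:port pair into address and port, and emits the KQL `let` lists for the Defender network hunt so the indicators do not have to be retyped by hand. The sample IOC list is constructed from the table above; the `RemotePort` clause is an assumption of this example and makes the match tighter than the page's own query.

```python
import re
from ipaddress import ip_address

# Constructed from the IOC table above, in ThreatFox's defanged form.
SAMPLE_IOCS = [
    ("ip:port", "103[.]73[.]161[.]238:6667"),
    ("url", "hxxp://gxfsxs.cn:8880/getinstall64"),
]

def refang(value: str) -> str:
    """Reverse the usual defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def split_iocs(iocs):
    """Return (ips, ports, urls) from (type, defanged value) pairs. IPv4 only (assumption)."""
    ips, ports, urls = [], [], []
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_address(ip)  # raises ValueError on a malformed address
            ips.append(ip)
            ports.append(int(port))
        elif ioc_type == "url":
            urls.append(value)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return ips, ports, urls

def kql_dynamic(values) -> str:
    """Render a list as a KQL dynamic([...]) literal; ints stay unquoted, strings are escaped."""
    quote = lambda s: '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return "dynamic([" + ", ".join(str(v) if isinstance(v, int) else quote(str(v)) for v in values) + "])"

def build_network_hunt(iocs) -> str:
    """Emit the DeviceNetworkEvents hunt, matching on both remote IP and remote port."""
    ips, ports, _ = split_iocs(iocs)
    return "\n".join([
        f"let malicious_ips = {kql_dynamic(ips)};",
        f"let malicious_ports = {kql_dynamic(ports)};",
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips) and RemotePort in (malicious_ports)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])

if __name__ == "__main__":
    print(build_network_hunt(SAMPLE_IOCS))
```

Drop the `RemotePort` clause if the operators are known to rotate ports on the same host; the IP-only match above is then the broader and safer hunt.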
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Exclude processes where the command line includes schtasks.exe /create /tn or schtasks.exe /run with a known benign script path (e.g., C:\Windows\System32\schedtasks.bat)
Scenario: System update using wuauclt.exe to check for Windows updates
Filter/Exclusion: Exclude processes where the executable is wuauclt.exe and the command line includes /detectnow or /updatenow as part of a standard Windows Update process
Scenario: Admin task using taskmgr.exe to manually terminate a process
Filter/Exclusion: Exclude processes where the parent process is taskmgr.exe and the command line includes taskkill /pid with a known legitimate process ID
Scenario: Log collection using logman.exe to start a performance counter log
Filter/Exclusion: Exclude processes where the executable is logman.exe and the command line includes start with a log name matching a known enterprise log management tool (e.g., PerfLog1)
Scenario: Database backup using sqlcmd.exe with a scheduled SQL script
Filter/Exclusion: Exclude processes where the executable is sqlcmd.exe and the command line includes a known backup script path (e.g., C:\SQL_Backups\backup_script.sql) or a valid SQL Server instance name