The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, indicating an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 207[.]56[.]119[.]59:777 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 207[.]56[.]119[.]59:888 | botnet_cc | 2026-06-07 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["207.56.119.59"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["207.56.119.59"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
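The queries above match on the IP alone, while the ThreatFox entries are ip:port pairs with different confidence values. As an added example (not part of the ThreatFox rule or the queries above), the Python below refangs the table's indicators, validates them, emits a KQL datatable so a Sentinel query can join on IP and port rather than IP only, and tiers matches over constructed DeviceNetworkEvents-style records; the `ioc_endpoints` name and the sample records are assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed from the IOC table above: ThreatFox "ip:port" entries, defanged as published.
RAW_IOCS = [
    ("207[.]56[.]119[.]59:777", "botnet_cc", 75),
    ("207[.]56[.]119[.]59:888", "botnet_cc", 100),
]
IocEndpoint = namedtuple("IocEndpoint", "ip port threat_type confidence")

def refang(value: str) -> str:
    """Undo the "[.]" defanging used in the table so values compare equal to log fields."""
    return value.replace("[.]", ".")

def parse_ip_port(raw: str, threat_type: str, confidence: int) -> IocEndpoint:
    """Split a refanged 'ip:port' indicator and validate both halves before use."""
    ip, sep, port = refang(raw).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port indicator: {raw!r}")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {raw!r}")
    return IocEndpoint(ip, port_num, threat_type, confidence)

def load_iocs(rows=RAW_IOCS) -> list:
    return [parse_ip_port(*row) for row in rows]

def to_kql_datatable(iocs) -> str:
    """Emit a KQL datatable (hypothetical name ioc_endpoints) for joining on ip AND port."""
    rows = ", ".join(f'"{i.ip}", {i.port}, {i.confidence}' for i in iocs)
    return f"let ioc_endpoints = datatable(ip:string, port:int, confidence:int) [{rows}];"

def match_events(events, iocs) -> list:
    """Tier hits: 'ip_port' when IP and port both match (IOC confidence carried along),
    'ip_only' when just the IP matches, which the IP-only queries above would also raise."""
    by_endpoint = {(i.ip, i.port): i for i in iocs}
    known_ips = {i.ip for i in iocs}
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        if key in by_endpoint:
            hits.append((ev["DeviceName"], "ip_port", by_endpoint[key].confidence))
        elif ev["RemoteIP"] in known_ips:
            hits.append((ev["DeviceName"], "ip_only", None))
    return hits
# Constructed DeviceNetworkEvents-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "207.56.119.59", "RemotePort": 888},
    {"DeviceName": "ws02", "RemoteIP": "207.56.119.59", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 777},
]
```

An `ip_only` hit on an unlisted port is worth triaging rather than dropping, since C2 ports change more often than the hosting address.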
Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing legitimate user data.
Filter/Exclusion: Exclude PowerShell scripts that use Import-Csv with file paths in known system directories (e.g., C:\Windows\System32\, C:\Program Files\).
Scenario: A database administrator is executing a SQL Server Agent job that connects to a remote database using a valid connection string.
Filter/Exclusion: Exclude SQL Server Agent jobs that use known valid connection strings and are scheduled during normal business hours.
Scenario: A DevOps engineer is deploying a Docker container that includes a base image with a known malicious checksum (e.g., from a compromised registry).
Filter/Exclusion: Exclude Docker images that are pulled from trusted registries (e.g., Docker Hub official images) and match known benign image tags.
Scenario: A system update task is running via Windows Task Scheduler that downloads and installs a legitimate patch from Microsoft’s update server.
Filter/Exclusion: Exclude tasks that are scheduled by the Windows Update service and use URLs matching Microsoft’s official update servers (e.g., https://download.microsoft.com).
Scenario: A security analyst is performing a manual forensic analysis using Volatility to examine memory dumps for signs of malware.
Filter/Exclusion: Exclude processes or memory artifacts associated with the Volatility tool and its associated analysis scripts.