The ThreatFox: ValleyRAT IOCs rule detects potential command and control communications associated with the ValleyRAT malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 1510cc532b57e79000e7ce51b86809582f11300e118d4769d256c31de753dbad | payload | 2026-06-26 | 95% |
| sha1_hash | 81611a9f9cd9e5eddba6b64105b11936faf5b843 | payload | 2026-06-26 | 95% |
| md5_hash | 61fd58a78e2bb56fe2a7e46a561cb79b | payload | 2026-06-26 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ValleyRAT
let malicious_hashes = dynamic([
    "1510cc532b57e79000e7ce51b86809582f11300e118d4769d256c31de753dbad",
    "81611a9f9cd9e5eddba6b64105b11936faf5b843",
    "61fd58a78e2bb56fe2a7e46a561cb79b"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
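As an added illustration that is not part of the rule page, the Python below reproduces the query's hash-matching logic offline: it buckets the three ThreatFox digests by algorithm, compares each hash column only with its own type, and matches case-insensitively. The DeviceFileEvents rows are constructed, not real telemetry.

```python
import re
# IOC values copied from the page's ThreatFox ValleyRAT table.
VALLEYRAT_IOCS = [
    "1510cc532b57e79000e7ce51b86809582f11300e118d4769d256c31de753dbad",
    "81611a9f9cd9e5eddba6b64105b11936faf5b843",
    "61fd58a78e2bb56fe2a7e46a561cb79b",
]
# Digest length in hex characters identifies the algorithm.
HASH_ALGO_BY_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def build_index(iocs):
    """Bucket IOC digests by algorithm and lower-case them, so each event column
    is compared only with its own hash type and casing cannot hide a match."""
    index = {algo: set() for algo in HASH_ALGO_BY_LEN.values()}
    for raw in iocs:
        value = raw.strip().lower()
        if len(value) not in HASH_ALGO_BY_LEN or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"not a hex digest: {raw!r}")
        index[HASH_ALGO_BY_LEN[len(value)]].add(value)
    return index


def hunt(events, index):
    """Equivalent of the KQL where/order clauses: rows whose SHA256, SHA1 or MD5
    column matches an IOC, newest first, tagged with the algorithm that hit."""
    hits = []
    for event in events:
        for algo in ("SHA256", "SHA1", "MD5"):
            value = (event.get(algo) or "").strip().lower()
            if value in index[algo]:
                hits.append({**event, "MatchedOn": algo})
                break  # one hit per row, as a single KQL match would produce
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed DeviceFileEvents rows, not real telemetry; the second row carries
# the SHA1 IOC in upper case and the third row is benign.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-26T10:15:00Z", "DeviceName": "ws-01", "FileName": "update.exe",
     "SHA256": VALLEYRAT_IOCS[0], "SHA1": "0" * 40, "MD5": "0" * 32},
    {"Timestamp": "2026-06-26T11:02:00Z", "DeviceName": "ws-02", "FileName": "svc.dll",
     "SHA256": "f" * 64, "SHA1": VALLEYRAT_IOCS[1].upper(), "MD5": "1" * 32},
    {"Timestamp": "2026-06-26T09:40:00Z", "DeviceName": "ws-03", "FileName": "notepad.exe",
     "SHA256": "a" * 64, "SHA1": "b" * 40, "MD5": "c" * 32},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, build_index(VALLEYRAT_IOCS)):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["MatchedOn"])
```

KQL's `in` operator is case-sensitive, so if hash casing in your DeviceFileEvents table can differ from the feed, use `in~` or wrap the columns in `tolower()` in the query.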
Scenario: Legitimate Scheduled Job Using schtasks.exe
Description: A system administrator schedules a legitimate maintenance task using schtasks.exe, which is flagged due to its association with the schtasks.exe IOC.
Filter/Exclusion: Exclude processes where the command line includes -create or -delete with known legitimate task names (e.g., DailyBackup).
Scenario: Admin Task Using taskmgr.exe
Description: A system administrator uses taskmgr.exe to manage running processes, which is mistakenly flagged as part of ValleyRAT IOCs.
Filter/Exclusion: Exclude processes initiated from the local administrator account or with a command line containing processes or startup.
Scenario: Antivirus Scan Using msseces.exe
Description: Microsoft Security Essentials (now deprecated) uses msseces.exe for scanning, which may be flagged as an IOC related to ValleyRAT.
Filter/Exclusion: Exclude processes that are child processes of svchost.exe and have a parent process name like msseces.exe or msse.exe.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script running under powershell.exe is used for system monitoring and is mistakenly flagged due to the presence of powershell.exe in the IOC list.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with known legitimate scripts (e.g., C:\Windows\System32\logman.ps1).
Scenario: Log Collection Using logman.exe
Description: A system administrator uses logman.exe to collect system logs, which is flagged due to its association with ValleyRAT IOCs.
Filter/Exclusion: