The ThreatFox: ValleyRAT IOCs rule detects potential command and control communications associated with the ValleyRAT malware, which is known for exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity before significant data loss occurs.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 5
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]243[.]155[.]184:771 | botnet_cc | 2026-06-20 | 75% |
| url | hxxp://154[.]91[.]75[.]105/getinstall64 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 47[.]243[.]155[.]184:770 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 47[.]86[.]32[.]238:10087 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 64[.]81[.]30[.]35:6666 | botnet_cc | 2026-06-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// Note: the feed lists specific ports (770, 771, 10087, 6666); matching on IP alone is broader
let malicious_ips = dynamic(["47.86.32.238", "64.81.30.35", "47.243.155.184"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["47.86.32.238", "64.81.30.35", "47.243.155.184"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - ValleyRAT
let malicious_urls = dynamic(["http://154.91.75.105/getinstall64"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A system administrator schedules a routine maintenance task using schtasks.exe, which is flagged due to its association with the schtasks.exe IOC in the ValleyRAT rule.
Filter/Exclusion: Check for the presence of schtasks.exe in the command line with a known legitimate task name (e.g., WeeklyDiskCleanup), and ensure the task is owned by a trusted user (e.g., Administrator or System).

Scenario: Use of PowerShell.exe for administrative scripting
Description: A system administrator runs a PowerShell script to configure system settings or deploy software, which is flagged due to the presence of PowerShell.exe in the IOC list.
Filter/Exclusion: Filter out events where PowerShell.exe is executed with a known legitimate script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) and check for the presence of trusted script signatures or execution policies.

Scenario: Legitimate use of certutil.exe for certificate management
Description: An IT administrator uses certutil.exe to manage or import certificates, which is falsely flagged by the ValleyRAT detection rule.
Filter/Exclusion: Exclude events where certutil.exe is used with command-line arguments related to certificate management (e.g., -addstore, -viewstore) and ensure the process is initiated by a trusted user or service account.

Scenario: Use of taskkill.exe to terminate a legitimate process
Description: A user or administrator uses taskkill.exe to end a non-malicious process, which is flagged due to the presence of taskkill.exe in the IOC list.
*Filter/