The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 27[.]124[.]45[.]118:3391 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 27[.]124[.]45[.]97:3390 | botnet_cc | 2026-05-25 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// Note: the IOCs are ip:port pairs (ports 3390 and 3391); this query matches on IP
// only, so hits on other ports still need to be triaged against DestinationPort.
let malicious_ips = dynamic(["27.124.45.97", "27.124.45.118"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort is projected so the ip:port pairs can be confirmed.
let malicious_ips = dynamic(["27.124.45.97", "27.124.45.118"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
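The queries above match on IP alone, while the ThreatFox entries are ip:port pairs. The following is an added example, not code from the page or from ThreatFox: it refangs the defanged ip:port values from the IOC table, emits the `let malicious_ips = dynamic([...])` line the Sentinel queries use, and matches constructed DeviceNetworkEvents-style records both ways (IP-only, as the KQL does, and IP+port) so the difference in hit count is visible. The event records and the helper names are assumptions.

```python
"""Refang ThreatFox ip:port IOCs and match them against sample flow records."""
import re
from typing import NamedTuple

# IOC rows as listed on the page: (type, defanged value, threat type, confidence).
THREATFOX_IOCS = [
    ("ip:port", "27[.]124[.]45[.]118:3391", "botnet_cc", 75),
    ("ip:port", "27[.]124[.]45[.]97:3390", "botnet_cc", 75),
]

class Indicator(NamedTuple):
    ip: str
    port: int

def refang(value: str) -> str:
    """Turn the defanged '27[.]124[.]45[.]118' form back into a plain IP string."""
    return value.replace("[.]", ".")

def parse_ip_port(value: str) -> Indicator:
    """Split an ip:port IOC; reject anything that is not IPv4 followed by a port."""
    ip, _, port = refang(value).rpartition(":")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {value!r}")
    return Indicator(ip, int(port))

def load_indicators(rows, min_confidence: int = 0) -> set:
    """Keep only ip:port rows at or above the chosen ThreatFox confidence."""
    return {parse_ip_port(v) for t, v, _, c in rows if t == "ip:port" and c >= min_confidence}

def kql_dynamic_list(indicators) -> str:
    """Emit the `let malicious_ips = dynamic([...])` line used by the Sentinel queries."""
    ips = sorted({i.ip for i in indicators})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"

# Constructed sample records shaped like DeviceNetworkEvents columns (hypothetical hosts).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "27.124.45.118", "RemotePort": 3391, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "27.124.45.97", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]

def match_events(events, indicators, require_port: bool = True) -> list:
    """Return events whose remote endpoint hits an IOC; require_port=False mirrors the page's KQL."""
    hits = []
    for ev in events:
        if any(ev["RemoteIP"] == i.ip and (not require_port or ev["RemotePort"] == i.port)
               for i in indicators):
            hits.append(ev)
    return hits
```

With the sample records, IP-only matching returns two hits and IP+port matching returns one; the ws02 hit on port 443 is the kind of event the KQL surfaces that still needs port-level triage.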
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance, such as disk cleanup or log rotation, may trigger the rule if the task name or command line matches known ValleyRAT IOCs.
Filter/Exclusion: Check for schtasks.exe in the command line and exclude tasks with known maintenance names (e.g., DiskCleanup, LogRotation).
Scenario: Admin PowerShell Script Execution
Description: A system administrator may run a PowerShell script using powershell.exe to automate configuration changes or patching, which could include commands or files that match ValleyRAT IOCs.
Filter/Exclusion: Filter by powershell.exe and check for known admin scripts or paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Log File Analysis Tool Usage
Description: A security tool like logparser.exe or eventvwr.exe may be used to analyze log files, and its command-line arguments or output files could be flagged as ValleyRAT IOCs.
Filter/Exclusion: Exclude processes related to log analysis tools and filter by known log file paths (e.g., C:\Windows\System32\LogFiles).
Scenario: Antivirus Quarantine File Access
Description: Antivirus software may access or quarantine files that match ValleyRAT IOCs during a scan, leading to false positives.
Filter/Exclusion: Exclude processes associated with antivirus tools (e.g., msseces.exe, avgnt.exe) and check for quarantine directories.
Scenario: Database Backup Job Execution
Description: A database backup job using sqlcmd.exe or mysqldump.exe may generate files or