The ThreatFox: ValleyRAT IOCs rule matches network connections to the command-and-control addresses and files with the payload hashes that ThreatFox has attributed to ValleyRAT, a remote access trojan known for exfiltrating sensitive data and establishing persistent access on compromised hosts. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) so that an active infection is found and contained before it leads to significant data loss or wider compromise.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 8
IOC Types: md5_hash, sha1_hash, sha256_hash, ip:port

The ip:port values in the table are defanged (`[.]` in place of `.`); the queries below use the refanged addresses.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 4f769db571821779a629ec34253e268c3ad78208 | payload | 2026-06-14 | 95% |
| md5_hash | 36b013c5e39acbe752709d0b2fc01006 | payload | 2026-06-14 | 95% |
| sha256_hash | b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd | payload | 2026-06-14 | 95% |
| sha256_hash | c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d | payload | 2026-06-14 | 95% |
| sha1_hash | 1f61163784b16b391bff874349cf5fe115b2b01d | payload | 2026-06-14 | 95% |
| md5_hash | 6382ad4c07f225406139f7ab90f2ccaf | payload | 2026-06-14 | 95% |
| ip:port | 38[.]46[.]13[.]178:65301 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 38[.]46[.]13[.]179:65302 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// Source: ThreatFox - ValleyRAT (IPs refanged from the table above)
// Matching is on IP only: the feed lists ports 65301 and 65302, but connections
// to the same hosts on other ports are worth seeing too.
let malicious_ips = dynamic(["38.46.13.179", "38.46.13.178"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
// InitiatingProcessFileName shows which binary opened the connection; an
// unexpected process beaconing to one of these hosts is the pivot point.
let malicious_ips = dynamic(["38.46.13.179", "38.46.13.178"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ValleyRAT
// All three hash columns are checked against one list. KQL's `in` is
// case-sensitive; the feed and the DeviceFileEvents hash columns are both
// lowercase hex, so no normalisation is needed here (use `in~` if a source
// emits uppercase hashes).
let malicious_hashes = dynamic(["4f769db571821779a629ec34253e268c3ad78208", "36b013c5e39acbe752709d0b2fc01006", "b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd", "c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d", "1f61163784b16b391bff874349cf5fe115b2b01d", "6382ad4c07f225406139f7ab90f2ccaf"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
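The same indicators can be validated and exercised offline before the queries are scheduled. The following script is an added example and is not code from ThreatFox or from any Sentinel content pack: it loads the page's IOC rows, refangs the ip:port values, checks hash lengths, renders the KQL `let` lists, and runs the IP and hash matching over a handful of constructed DeviceNetworkEvents- and DeviceFileEvents-shaped rows (the device names, process names and event rows are invented for the example). It deliberately lower-cases hashes before comparing, and reports whether a C2 hit also matched the feed's port, which the KQL above does not distinguish.

```python
"""Offline check of this page's ValleyRAT IOCs against sample endpoint telemetry.

Added example, not part of the ThreatFox feed or of any Sentinel content.
IOC rows are copied from the table above; the event rows are constructed.
"""
import re
from collections import defaultdict

# Indicators exactly as published on the page (ip:port values are defanged).
IOCS = [
    ("sha1_hash", "4f769db571821779a629ec34253e268c3ad78208"),
    ("md5_hash", "36b013c5e39acbe752709d0b2fc01006"),
    ("sha256_hash", "b48c97d1dadc4cb7e0c3303d556a1217cccdd8839fe739d71a7c5f977b4810bd"),
    ("sha256_hash", "c1d77b03a2d57f4ef9670a7569a77b662196cb10c74e303a04626afc49fcfb0d"),
    ("sha1_hash", "1f61163784b16b391bff874349cf5fe115b2b01d"),
    ("md5_hash", "6382ad4c07f225406139f7ab90f2ccaf"),
    ("ip:port", "38[.]46[.]13[.]178:65301"),
    ("ip:port", "38[.]46[.]13[.]179:65302"),
]

HASH_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}


def refang(value):
    """Reverse the usual defanging so the value can be compared with telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(rows):
    """Group hashes by type (lower-cased, length-checked) and split ip:port pairs."""
    hashes = defaultdict(set)
    c2 = set()  # (ip, port) tuples
    for ioc_type, value in rows:
        if ioc_type in HASH_LEN:
            v = value.strip().lower()
            if not re.fullmatch("[0-9a-f]{%d}" % HASH_LEN[ioc_type], v):
                raise ValueError("malformed %s: %s" % (ioc_type, value))
            hashes[ioc_type].add(v)
        elif ioc_type == "ip:port":
            ip, port = refang(value).rsplit(":", 1)
            c2.add((ip, int(port)))
        else:
            raise ValueError("unsupported IOC type: " + ioc_type)
    return hashes, c2


def kql_let(name, values):
    """Render a KQL let-statement in the shape used by the hunting queries above."""
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in sorted(values)))


def match_network(events, c2):
    """Flag DeviceNetworkEvents-style rows whose RemoteIP is a listed C2 address.

    Matching is on IP only, like the KQL above; whether the port also matched
    the feed is reported so an analyst can rank exact hits first.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for e in events:
        if e["RemoteIP"] in c2_ips:
            exact = (e["RemoteIP"], e["RemotePort"]) in c2
            hits.append((e["DeviceName"], e["RemoteIP"], e["RemotePort"], exact))
    return hits


def match_files(events, hashes):
    """Flag DeviceFileEvents-style rows on any hash column, ignoring case."""
    columns = (("SHA256", "sha256_hash"), ("SHA1", "sha1_hash"), ("MD5", "md5_hash"))
    hits = []
    for e in events:
        for col, ioc_type in columns:
            v = (e.get(col) or "").lower()
            if v and v in hashes[ioc_type]:
                hits.append((e["DeviceName"], e["FileName"], col))
                break  # one hit per file, even if several hash columns match
    return hits


# Constructed sample telemetry (not real logs). ws02 talks to a listed C2 host
# on a port the feed does not list; ws01's hash is upper-cased as some log
# sources emit it; ws04 is clean.
NET_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "38.46.13.178", "RemotePort": 65301, "InitiatingProcessFileName": "update.exe"},
    {"DeviceName": "ws02", "RemoteIP": "38.46.13.179", "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws04", "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "update.exe",
     "SHA256": "B48C97D1DADC4CB7E0C3303D556A1217CCCDD8839FE739D71A7C5F977B4810BD", "SHA1": None, "MD5": None},
    {"DeviceName": "ws04", "FileName": "notepad.exe", "SHA256": "00" * 32, "SHA1": "11" * 20, "MD5": "22" * 16},
    {"DeviceName": "ws05", "FileName": "svc.dll", "SHA256": "", "SHA1": "1f61163784b16b391bff874349cf5fe115b2b01d", "MD5": ""},
]


def run():
    """Load the feed, match both sample tables, and return (network_hits, file_hits)."""
    hashes, c2 = load_iocs(IOCS)
    return match_network(NET_EVENTS, c2), match_files(FILE_EVENTS, hashes)


if __name__ == "__main__":
    hashes, c2 = load_iocs(IOCS)
    print(kql_let("malicious_ips", {ip for ip, _ in c2}))
    print(kql_let("malicious_hashes", set().union(*hashes.values())))
    net_hits, file_hits = run()
    for hit in net_hits + file_hits:
        print(hit)
```

Running the script prints the two `let` statements ready to paste into the queries above, followed by the hits: both C2 connections (ws02 flagged with `exact=False` because port 443 is not in the feed) and both file matches, including the upper-cased SHA256 on ws01. A malformed hash in the feed raises `ValueError` rather than silently producing a list entry that can never match.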
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) data connector; ensure it is enabled and that firewall/proxy devices forward to it |
| DeviceFileEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled with the advanced hunting tables selected |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled with the advanced hunting tables selected |
False-positive scenarios and suggested exclusions. These are process-based tuning notes and only apply if the hunt is widened from the IP and hash matches above to process and command-line telemetry; scope any exclusion to the full signed binary path and the specific script or package, not to the process name alone.

- Scenario: Legitimate scheduled job using schtasks.exe to run a system maintenance script
  Filter/Exclusion: Check for schtasks.exe with a command line containing \\?\C:\Windows\System32\ or msiexec.exe.
- Scenario: Admin using PowerShell.exe to run a script for log file rotation or backup
  Filter/Exclusion: Filter on PowerShell.exe with a command line containing .\rotate-logs.ps1 or .\backup-script.ps1.
- Scenario: System update using msiexec.exe to install a legitimate Windows update
  Filter/Exclusion: Check for msiexec.exe with a command line containing /i and a known Windows update package path (e.g., C:\Windows\Temp\update.msi).
- Scenario: IT staff using taskkill.exe to terminate a non-malicious process during maintenance
  Filter/Exclusion: Filter on taskkill.exe targeting process names such as svchost.exe, explorer.exe, or wsmprovhost.exe that are known to be part of normal system operations.
- Scenario: User running a legitimate third-party tool like 7-Zip.exe or WinRAR.exe for file extraction
  Filter/Exclusion: Check for 7-Zip.exe or WinRAR.exe with a command line containing extract or x and a known safe file path (e.g., C:\Users\Public\Documents\).