The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]84[.]32[.]184:8888 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 47[.]84[.]32[.]184:6666 | botnet_cc | 2026-05-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// The IOCs are ip:port (ports 8888 and 6666); the match below is on the IP alone,
// so DestinationPort is projected to let the analyst confirm the port by hand.
let malicious_ips = dynamic(["47.84.32.184"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match; RemotePort and the initiating process are projected for triage.
let malicious_ips = dynamic(["47.84.32.184"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Known False Positives

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate system update using Chocolatey | A system administrator uses Chocolatey to install a legitimate package that matches one of the IOCs associated with ValleyRAT. | Check the event log for `process.name == "choco.exe"` or `command_line contains "choco install"`. |
| Scheduled backup job using Veeam | A scheduled backup job initiated by Veeam may generate network traffic that matches an IOC linked to ValleyRAT. | Filter events where `process.name == "veeam.exe"` or `process.parent.name == "schtasks.exe"`. |
| Admin task using PowerShell for log management | An administrator uses PowerShell to perform log rotation or cleanup, which may involve scripts or tools that match ValleyRAT IOCs. | Filter events where `process.name == "powershell.exe"` and (`command_line contains "logrotate"` or `command_line contains "Get-EventLog"`). |
| Legitimate remote desktop session using RDP | A remote desktop session initiated by a legitimate user may involve network connections that match ValleyRAT IOCs. | Filter events where `process.name == "mstsc.exe"` or `process.parent.name == "explorer.exe"`. |
| Software deployment using SCCM | A Software Center or Configuration Manager (SCCM) deployment may involve network activity that matches ValleyRAT IOCs. | Filter events where `process.name == "ccmexec.exe"` or (`process.parent.name == "svchost.exe"` and `command_line contains "ccmsetup"`). |
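The hunting queries above match on IP only and leave the port and the initiating process to the analyst, and the false-positive scenarios name processes whose hits deserve a second look before being closed. The following Python script is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the two ip:port indicators from the IOC table, runs them over constructed sample rows in the DeviceNetworkEvents shape used by the second query, distinguishes an exact ip:port match (with its published confidence) from a same-host, different-port connection, and attaches a triage hint when the initiating process is one named in the false-positive scenarios instead of silently dropping the hit. The event rows and the `REVIEW_PROCESSES` set are assumptions built from this page; field names follow the query's projection.

```python
"""Hunt ThreatFox ip:port IOCs in exported DeviceNetworkEvents rows.

Added example; not part of the ThreatFox feed or the Sentinel rule itself.
Field names follow the DeviceNetworkEvents projection used in the KQL above;
the event rows are constructed sample data.
"""
from dataclasses import dataclass

# The two ValleyRAT indicators from the IOC table on this page, still defanged.
IOC_ROWS = [
    ("ip:port", "47[.]84[.]32[.]184:8888", "botnet_cc", "2026-05-05", "75%"),
    ("ip:port", "47[.]84[.]32[.]184:6666", "botnet_cc", "2026-05-05", "100%"),
]

# Process names taken from the false-positive scenarios on this page (assumed set).
# A hit from one of these is still a hit; it gets a triage hint rather than being dropped.
REVIEW_PROCESSES = {"choco.exe", "veeam.exe", "powershell.exe", "mstsc.exe", "ccmexec.exe"}

# Constructed sample rows (not real telemetry) in DeviceNetworkEvents shape.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-06T08:00:00Z", "DeviceName": "ws-01",
     "InitiatingProcessFileName": "svchost.exe", "RemoteIP": "47.84.32.184", "RemotePort": 6666},
    {"Timestamp": "2026-05-06T08:01:00Z", "DeviceName": "ws-02",
     "InitiatingProcessFileName": "chrome.exe", "RemoteIP": "93.184.216.34", "RemotePort": 443},
    {"Timestamp": "2026-05-06T08:02:00Z", "DeviceName": "ws-03",
     "InitiatingProcessFileName": "choco.exe", "RemoteIP": "47.84.32.184", "RemotePort": 443},
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    confidence: int  # percent, as published by ThreatFox


def refang(value: str) -> str:
    """Undo the [.] defanging used in the table so the value matches raw telemetry."""
    return value.replace("[.]", ".")


def parse_iocs(rows):
    """Turn table rows into Ioc objects, keeping only the ip:port type."""
    iocs = []
    for ioc_type, value, threat_type, _first_seen, confidence in rows:
        if ioc_type != "ip:port":
            continue
        ip, _, port = refang(value).rpartition(":")
        iocs.append(Ioc(ip, int(port), threat_type, int(confidence.rstrip("%"))))
    return iocs


def match_events(events, iocs):
    """Return one hit per event whose RemoteIP is an IOC ip.

    The KQL on this page matches on IP only; here the port is compared too, so an
    exact ip:port match (and its confidence) is distinguished from a same-host,
    different-port connection, which still deserves a look.
    """
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    hits = []
    for ev in events:
        candidates = by_ip.get(ev["RemoteIP"])
        if not candidates:
            continue
        exact = [i for i in candidates if i.port == ev["RemotePort"]]
        # Highest-confidence exact match if any, else the best indicator for that host.
        best = max(exact or candidates, key=lambda i: i.confidence)
        proc = ev["InitiatingProcessFileName"].lower()
        hits.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "Process": proc,
            "RemoteIP": ev["RemoteIP"],
            "RemotePort": ev["RemotePort"],
            "exact_port": bool(exact),
            "confidence": best.confidence,
            "threat_type": best.threat_type,
            "triage_hint": ("process named in false-positive scenarios; verify before closing"
                            if proc in REVIEW_PROCESSES else ""),
        })
    return hits


def run_hunt(events=SAMPLE_EVENTS):
    """Parse the page's IOC rows and match them against the given event rows."""
    return match_events(events, parse_iocs(IOC_ROWS))


if __name__ == "__main__":
    for hit in run_hunt():
        print(hit)
```

On the sample rows, the `svchost.exe` connection to port 6666 comes back as an exact match at 100% confidence, the `chrome.exe` row is ignored, and the `choco.exe` connection to the same host on port 443 is reported as a non-exact match carrying the triage hint rather than being excluded outright.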