The ThreatFox: ValleyRAT IOCs rule detects potential adversary activity associated with the ValleyRAT malware, which is known for establishing persistence and exfiltrating data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]238[.]184[.]153:558 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 192[.]238[.]184[.]153:557 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 223[.]26[.]62[.]116:7880 | botnet_cc | 2026-04-24 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// Note: the IOCs are published as ip:port pairs; this query matches on IP only,
// so it also returns traffic to other ports on the same hosts. Add a
// DestinationPort filter if tighter matching is wanted.
let malicious_ips = dynamic(["223.26.62.116", "192.238.184.153"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

Run the following as a separate query (each query declares its own `malicious_ips`):

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
// Same caveat as above: matches on RemoteIP only, not the ip:port pair.
let malicious_ips = dynamic(["223.26.62.116", "192.238.184.153"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
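The ThreatFox entries above are defanged ip:port pairs, while the hunting queries match on IP alone. The following added example (not part of the page or of ThreatFox; all sample events are constructed and only mirror the CommonSecurityLog column names used above) refangs the three indicators, renders the `dynamic([...])` list the queries expect, and shows how many constructed events an IP-only match returns versus an exact ip:port match, so an analyst can see how much broader the IP-only hunt is.

```python
import ipaddress
from typing import NamedTuple

# IOC values copied from the table above, still defanged, with their stated confidence.
VALLEYRAT_IOCS = [
    ("192[.]238[.]184[.]153:558", 75),
    ("192[.]238[.]184[.]153:557", 100),
    ("223[.]26[.]62[.]116:7880", 100),
]


class Indicator(NamedTuple):
    ip: str
    port: int
    confidence: int


def refang(value: str) -> str:
    """Turn a defanged ip:port such as 192[.]0[.]2[.]1:80 back into 192.0.2.1:80."""
    return value.replace("[.]", ".").replace("(.)", ".")


def parse_ioc(value: str, confidence: int) -> Indicator:
    """Validate one ip:port indicator; raises ValueError on a malformed IP or port."""
    ip, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(ip)  # raises ValueError if the address is not valid
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port}")
    return Indicator(ip, port_num, confidence)


def load_indicators(raw, min_confidence: int = 0):
    """Parse the list, optionally dropping indicators below a confidence threshold."""
    return [parse_ioc(v, c) for v, c in raw if c >= min_confidence]


def to_kql_dynamic(indicators) -> str:
    """Render the de-duplicated IP list in the form the page's queries use."""
    ips = sorted({i.ip for i in indicators})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


# Constructed sample events shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-24T10:01:00Z", "SourceIP": "10.0.0.5", "SourcePort": 51822,
     "DestinationIP": "192.238.184.153", "DestinationPort": 557, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-24T10:02:00Z", "SourceIP": "10.0.0.5", "SourcePort": 51823,
     "DestinationIP": "192.238.184.153", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-24T10:03:00Z", "SourceIP": "10.0.0.9", "SourcePort": 51900,
     "DestinationIP": "223.26.62.116", "DestinationPort": 7880, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-04-24T10:04:00Z", "SourceIP": "10.0.0.9", "SourcePort": 51901,
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
]


def match_events(events, indicators, by_port: bool = True):
    """Return the events that touch an indicator.

    by_port=True matches the exact ip:port pair ThreatFox published;
    by_port=False reproduces the page's IP-only queries, which also flag
    traffic to other ports on the same hosts.
    """
    pairs = {(i.ip, i.port) for i in indicators}
    ips = {i.ip for i in indicators}
    hits = []
    for ev in events:
        candidates = [
            (ev.get("DestinationIP"), ev.get("DestinationPort")),
            (ev.get("SourceIP"), ev.get("SourcePort")),
        ]
        if by_port:
            matched = any(c in pairs for c in candidates)
        else:
            matched = any(ip in ips for ip, _ in candidates)
        if matched:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    inds = load_indicators(VALLEYRAT_IOCS)
    print(to_kql_dynamic(inds))
    print("IP-only hits:", len(match_events(SAMPLE_EVENTS, inds, by_port=False)))
    print("ip:port hits:", len(match_events(SAMPLE_EVENTS, inds, by_port=True)))
```

On the constructed events the IP-only match returns three rows and the ip:port match two; the extra row is port 443 traffic to a listed host, which is exactly the kind of hit that needs port or process context before it is escalated.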
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A legitimate system maintenance task scheduled via schtasks.exe may trigger the rule if the task name or command line matches IOC patterns.
Filter/Exclusion: Check for schtasks.exe in the process name and ensure the command line includes valid task scheduling syntax (e.g., /create with valid parameters).
Scenario: Admin using PowerShell to manage services
Description: An administrator may use PowerShell to start, stop, or configure services, which could resemble malicious activity if the command line includes terms associated with ValleyRAT.
Filter/Exclusion: Filter events where the process is powershell.exe and the command line includes service management commands like Start-Service, Stop-Service, or Set-Service.
Scenario: Legitimate use of taskkill.exe to terminate processes
Description: A system administrator might use taskkill.exe to terminate unresponsive or malicious processes, which could match IOC patterns if the process name is similar to known malware.
Filter/Exclusion: Exclude events where the process is taskkill.exe and the target process is a known legitimate service or application.
Scenario: Use of netsh for network configuration
Description: Network administrators may use netsh to configure firewall rules or network interfaces, which could trigger the rule if the command line includes terms resembling malicious activity.
Filter/Exclusion: Filter events where the process is netsh.exe and the command line includes valid network configuration commands like add, delete, or set.
Scenario: Legitimate use of wmic for system monitoring
Description: System administrators may use wmic to gather system information or monitor processes, which could be flagged if the command