The ThreatFox: ValleyRAT IOCs rule detects potential adversary activity associated with the ValleyRAT malware, which is known for establishing persistence and exfiltrating data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]217[.]144[.]219:5678 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 47[.]83[.]123[.]66:80 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 8[.]217[.]144[.]219:5677 | botnet_cc | 2026-06-03 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// The IOCs above are ip:port pairs; matching on the IP alone casts a wider net,
// so compare DestinationPort in the results against the ports listed in the table.
let malicious_ips = dynamic(["47.83.123.66", "8.217.144.219"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["47.83.123.66", "8.217.144.219"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
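As an added example (not part of the ThreatFox rule page), the script below takes the defanged ip:port values from the table, refangs them, emits the same `let malicious_ips` list the queries above use, and matches constructed DeviceNetworkEvents-style rows, labelling each hit as an exact ip:port match or an IP-only match so an analyst can triage the wider IP-only results first by port. The sample events and the `parse_ioc`, `kql_dynamic_list` and `match_events` helpers are assumptions made for this illustration.

```python
import re

# IOC values copied from the ThreatFox table above (defanged ip:port strings)
VALLEYRAT_IOCS = [
    "8[.]217[.]144[.]219:5678",
    "47[.]83[.]123[.]66:80",
    "8[.]217[.]144[.]219:5677",
]

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry)
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "8.217.144.219", "RemotePort": 5678, "InitiatingProcessFileName": "update.exe"},
    {"DeviceName": "ws02", "RemoteIP": "8.217.144.219", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 80, "InitiatingProcessFileName": "curl.exe"},
]

def parse_ioc(ioc: str) -> tuple:
    """Refang a ThreatFox ip:port value and split it into (ip, port)."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)

def kql_dynamic_list(iocs) -> str:
    """Render the deduplicated IP list as the KQL 'let' statement used by the hunting queries."""
    ips = sorted({parse_ioc(i)[0] for i in iocs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"

def match_events(events, iocs):
    """Return (event, tier) for every event whose RemoteIP is on the list.
    tier is 'ip:port' when RemotePort also matches a listed pair, else 'ip-only'."""
    pairs = {parse_ioc(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if ev["RemoteIP"] in ips:
            tier = "ip:port" if (ev["RemoteIP"], ev["RemotePort"]) in pairs else "ip-only"
            hits.append((ev, tier))
    return hits

if __name__ == "__main__":
    print(kql_dynamic_list(VALLEYRAT_IOCS))
    for ev, tier in match_events(SAMPLE_EVENTS, VALLEYRAT_IOCS):
        print(tier, ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"], ev["InitiatingProcessFileName"])
```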
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using valleyrat.exe
Description: A system administrator schedules a legitimate maintenance task using a tool named valleyrat.exe (e.g., a custom script or third-party utility).
Filter/Exclusion: Check for process.parent_process_name containing “Task Scheduler” or “schtasks.exe”, and verify that the file path is within a known enterprise tool directory (e.g., C:\Tools\).

Scenario: Admin Using valleyrat.exe for Debugging
Description: A security analyst or admin uses valleyrat.exe (a legitimate debugging tool) to troubleshoot a system issue.
Filter/Exclusion: Filter by process.user to include only admin accounts, and check for process.command_line containing terms like “debug” or “diagnose”.

Scenario: False Positive from a Third-Party Software Update
Description: A third-party software update includes a file named valleyrat.exe as part of its installation package.
Filter/Exclusion: Check for file.path containing known enterprise software directories (e.g., C:\Program Files\ or C:\Windows\Temp\), and verify that the file is part of a signed update package.

Scenario: Legitimate File Access by a System Service
Description: A system service (e.g., Windows Update or Windows Defender) accesses a file named valleyrat.exe that is part of a legitimate enterprise application.
Filter/Exclusion: Filter by process.parent_process_name containing “svchost.exe” or the name of the service, and check for file.hash matching known enterprise files.

Scenario: False Positive from a Custom Script Named valleyrat.ps1