The ThreatFox: VShell IOCs rule detects network connections to command-and-control (C2) infrastructure that ThreatFox attributes to the VShell malware family, a remote access tool used for persistence and lateral movement. Every indicator below is tagged botnet_cc, so a match originating from an internal host points to an implant that is already calling home rather than to an initial delivery attempt. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to find infections that evaded preventive controls, and should treat any hit as an incident to scope (which process opened the connection, when it started, which other hosts reach the same endpoint) rather than as a single alert to close.
IOC Summary

Malware Family: VShell
Total IOCs: 8
IOC Types: ip:port (the table below defangs addresses with [.]; refang them before pasting into a query)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]76[.]201[.]144:8086 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 47[.]93[.]234[.]164:8084 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 89[.]125[.]244[.]117:80 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 208[.]87[.]203[.]34:50828 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 47[.]236[.]153[.]183:8888 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 43[.]156[.]111[.]183:9090 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 43[.]143[.]173[.]78:8084 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 47[.]95[.]239[.]240:8084 | botnet_cc | 2026-05-29 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell (addresses refanged from the IOC table above)
let malicious_ips = dynamic(["89.125.244.117", "47.236.153.183", "43.156.111.183", "208.87.203.34", "43.143.173.78", "38.76.201.144", "47.95.239.240", "47.93.234.164"]);
CommonSecurityLog
// `in` is an exact string match; checking both columns also catches inbound
// traffic from the C2 address, not only outbound beacons
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell (same refanged list as above)
let malicious_ips = dynamic(["89.125.244.117", "47.236.153.183", "43.156.111.183", "208.87.203.34", "43.143.173.78", "38.76.201.144", "47.95.239.240", "47.93.234.164"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// the initiating process, its command line and account are what you need to
// scope the host during triage, so keep them in the projection
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
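ThreatFox publishes these indicators as ip:port pairs, but the two queries above match on the IP alone, which is the right first pass (an implant may be reconfigured to a different port) but is noisier for shared hosting addresses. The query below is an added example, not part of the original page or the ThreatFox rule: it joins both data sources against the full ip:port pair and summarizes per internal host. Column names are the standard CommonSecurityLog and DeviceNetworkEvents schema; the 30-day window is an assumption chosen to cover the 2026-05-29 first-seen date.

```kql
// Added example (not from the original rule): match the full ip:port pair from the
// ThreatFox table, across firewall/CEF logs and Defender for Endpoint network events.
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "38.76.201.144",  8086,
    "47.93.234.164",  8084,
    "89.125.244.117", 80,
    "208.87.203.34",  50828,
    "47.236.153.183", 8888,
    "43.156.111.183", 9090,
    "43.143.173.78",  8084,
    "47.95.239.240",  8084
];
// Firewall / proxy logs: the internal endpoint is SourceIP, the C2 is the destination.
let fw = CommonSecurityLog
    | where TimeGenerated > ago(30d)
    | where isnotempty(DestinationIP)
    | project TimeGenerated,
              InternalHost = SourceIP,
              RemoteIP     = DestinationIP,
              RemotePort   = toint(DestinationPort),
              Detail       = strcat(DeviceVendor, " ", DeviceAction),
              Source       = "CommonSecurityLog";
// EDR network events: the internal endpoint is the device itself, and we get the
// process that opened the socket.
let edr = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | project TimeGenerated = Timestamp,
              InternalHost  = DeviceName,
              RemoteIP,
              RemotePort    = toint(RemotePort),
              Detail        = InitiatingProcessFileName,
              Source        = "DeviceNetworkEvents";
union fw, edr
// inner join on both key columns: a hit requires the exact ip:port pair
| join kind=inner vshell_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Hits      = count(),
            Sources   = make_set(Source),
            Details   = make_set(Detail)
            by InternalHost, RemoteIP, RemotePort
| order by LastSeen desc
```

One row per (internal host, C2 endpoint) is what you want for scoping: FirstSeen gives the earliest beacon, Hits approximates beacon cadence, and Details shows whether the firewall blocked the connection (DeviceAction) and which process on the endpoint initiated it. Run the bare-IP queries above as well; a host that reaches a listed IP on an unlisted port is still worth a look.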
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewalls, proxies, VPN gateways). Ensure the connector is enabled and that the perimeter devices that see outbound traffic are actually forwarding. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint). Ensure the connector is enabled and the relevant advanced hunting tables are selected. |
False Positive Scenarios

The scenarios below concern process-based detections keyed on a binary or product named vshell, not the ip:port hunt above. Commercial SSH software also carries the VShell name, so a process-name match alone is not evidence of the malware, while a connection to one of the botnet_cc endpoints listed above should never be excluded on process identity, user or command line; it is closed only after investigation. Exclusions should be as narrow as possible: key them on a specific host, binary path and file hash, never on a user name alone or on command-line keywords, which an attacker chooses. Field names follow the page's pseudo-syntax (process.name, process.parent.name, process.user, process.command_line); map them to your SIEM's schema, and replace the angle-bracket placeholders with your approved values.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine (e.g., log rotation or configuration backup).
Filter/Exclusion: process.name == "vshell" AND host.name == "<approved maintenance host>" AND process.executable == "<approved path>" AND process.parent.name == "svchost.exe"
Caveat: schtasks.exe only creates or modifies tasks; the Task Scheduler service (hosted in svchost.exe) launches them, so a parent filter on schtasks.exe would rarely match the intended event. An exclusion of the form process.name != "vshell" suppresses every event that is not vshell and must not be used.

Scenario: Admin Using VShell for Secure File Transfer
Description: A system administrator uses VShell to securely transfer files between servers as part of routine operations.
Filter/Exclusion: process.name == "vshell" AND process.user == "admin_user" AND host.name in (<approved file servers>) AND process.hash.sha256 == "<approved binary hash>"
Caveat: Do not exclude on the account alone. Attackers favor administrative accounts, so process.user == "admin_user" by itself hides exactly the activity the rule exists to catch.

Scenario: VShell Used for Remote Desktop Protocol (RDP) Tunneling
Description: VShell is configured to tunnel RDP traffic for remote access to internal systems.
Filter/Exclusion: process.name == "vshell" AND host.name == "<approved jump host>" AND destination.ip in (<approved RDP targets>)
Caveat: Tunneling RDP through a shell is a standard post-exploitation technique, so "tunnel" or "rdp" in the command line is not a benign indicator; exclude only the approved jump host and its approved targets.

Scenario: VShell Used for Internal API Communication
Description: VShell is used internally to communicate between microservices or backend systems.
Filter/Exclusion: process.user == "<service account>" AND source.ip in (<approved service hosts>) AND destination.ip in (<approved service hosts>)
Caveat: Lateral movement is internal-to-internal traffic, so excluding the whole internal range hides it. This exclusion is also irrelevant to the IOC hunt above, whose indicators are external addresses.

Scenario: VShell Used for Log Aggregation and Monitoring
Description: VShell is configured to collect and aggregate logs from multiple servers for centralized monitoring.
Filter/Exclusion: process.hash.sha256 == "<approved binary hash>" AND host.name in (<approved log collectors>)
Caveat: Strings such as "log_aggregation" or "monitoring" in a command line are attacker-controllable and make a poor exclusion key; pin the exclusion to the known-good binary and the hosts that are supposed to run it.
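The scenarios above are written in pseudo-syntax. As an added example, not part of the original page, here is how a narrowly scoped exclusion for the "scheduled maintenance" and "admin file transfer" cases looks in Sentinel against the Defender for Endpoint DeviceProcessEvents table: instead of suppressing every process named vshell or everything run by one account, it allow-lists specific (host, full path, SHA256, account) tuples with a leftanti join and surfaces everything else. The host names, paths, hash placeholders and account names in the allow-list are assumptions to be replaced with your own approved values, and the file names vshell / vshell.exe follow the page's use of "vshell" as the process name.

```kql
// Added example (not from the original page): narrow allow-list exclusion.
// Placeholder tuples; replace with the approved host, full binary path,
// SHA256 of the approved binary, and the account that is supposed to run it.
let approved_vshell = datatable(DeviceName:string, FolderPath:string, SHA256:string, AccountName:string) [
    "backup-srv-01.corp.example", @"c:\ops\maintenance\vshell.exe",       "<sha256-of-approved-binary>", "svc_maint",
    "fileops-01.corp.example",    @"c:\program files\vshell\vshell.exe",  "<sha256-of-approved-binary>", "admin_user"
];
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("vshell", "vshell.exe")
// join keys are case-sensitive; normalize so a path or account written in a
// different case cannot slip past the allow-list (or wrongly match it)
| extend DeviceName  = tolower(DeviceName),
         FolderPath  = tolower(FolderPath),
         AccountName = tolower(AccountName)
// leftanti keeps only rows with no matching allow-list tuple
| join kind=leftanti approved_vshell on DeviceName, FolderPath, SHA256, AccountName
| project Timestamp, DeviceName, AccountName, FolderPath, SHA256, ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName
| order by Timestamp desc
```

Because the hash is part of the join key, a binary dropped at the approved path under the approved account but with a different SHA256 is still reported, which is the property a blanket process.user or process.name exclusion cannot give you. Keep the allow-list in a watchlist rather than inline once it grows beyond a handful of rows.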