The ThreatFox: VShell IOCs rule flags network connections to the command-and-control (C2) endpoints that ThreatFox has published for the VShell malware, which is used in intrusions that go on to credential theft and lateral movement. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and in Defender for Endpoint network telemetry to find compromised hosts before the actor moves further into the environment.
IOC Summary
Malware Family: VShell
Total IOCs: 20 (19 distinct IPs; 39[.]97[.]229[.]224 is listed on two ports)
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]218[.]116[.]41:58465 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]86[.]238[.]244:8084 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]116[.]27[.]92:6443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 39[.]97[.]229[.]224:6667 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 42[.]193[.]15[.]237:8083 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 106[.]14[.]134[.]136:50022 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 112[.]121[.]176[.]91:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 121[.]127[.]232[.]229:8084 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 194[.]56[.]225[.]147:8084 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 204[.]194[.]51[.]23:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 112[.]121[.]176[.]94:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 112[.]121[.]176[.]90:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 111[.]228[.]26[.]18:8084 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 38[.]180[.]150[.]147:8086 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 198[.]23[.]196[.]131:8085 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]97[.]197[.]89:19999 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 43[.]138[.]194[.]156:9999 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 39[.]97[.]229[.]224:8889 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 106[.]75[.]231[.]213:8084 | botnet_cc | 2026-05-30 | 100% |
| ip:port | 111[.]228[.]1[.]212:80 | botnet_cc | 2026-05-30 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell (ip:port IOCs listed above)
let malicious_ips = dynamic(["111.228.26.18", "38.180.150.147", "47.116.27.92", "42.193.15.237", "112.121.176.90", "112.121.176.91", "112.121.176.94", "47.97.197.89", "121.127.232.229", "198.23.196.131", "106.75.231.213", "39.97.229.224", "47.86.238.244", "43.138.194.156", "8.218.116.41", "106.14.134.136", "194.56.225.147", "111.228.1.212", "204.194.51.23"]);
// Exact ip:port pairs as published; the port-80 entries in particular should be confirmed on the published port before raising an alert
let malicious_endpoints = dynamic(["8.218.116.41:58465", "47.86.238.244:8084", "47.116.27.92:6443", "39.97.229.224:6667", "42.193.15.237:8083", "106.14.134.136:50022", "112.121.176.91:80", "121.127.232.229:8084", "194.56.225.147:8084", "204.194.51.23:80", "112.121.176.94:80", "112.121.176.90:80", "111.228.26.18:8084", "38.180.150.147:8086", "198.23.196.131:8085", "47.97.197.89:19999", "43.138.194.156:9999", "39.97.229.224:8889", "106.75.231.213:8084", "111.228.1.212:80"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// true when both the IP and the published C2 port match; IP-only hits need a closer look
| extend ExactPortMatch = set_has_element(malicious_endpoints, strcat(DestinationIP, ":", DestinationPort))
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, ExactPortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["111.228.26.18", "38.180.150.147", "47.116.27.92", "42.193.15.237", "112.121.176.90", "112.121.176.91", "112.121.176.94", "47.97.197.89", "121.127.232.229", "198.23.196.131", "106.75.231.213", "39.97.229.224", "47.86.238.244", "43.138.194.156", "8.218.116.41", "106.14.134.136", "194.56.225.147", "111.228.1.212", "204.194.51.23"]);
let malicious_endpoints = dynamic(["8.218.116.41:58465", "47.86.238.244:8084", "47.116.27.92:6443", "39.97.229.224:6667", "42.193.15.237:8083", "106.14.134.136:50022", "112.121.176.91:80", "121.127.232.229:8084", "194.56.225.147:8084", "204.194.51.23:80", "112.121.176.94:80", "112.121.176.90:80", "111.228.26.18:8084", "38.180.150.147:8086", "198.23.196.131:8085", "47.97.197.89:19999", "43.138.194.156:9999", "39.97.229.224:8889", "106.75.231.213:8084", "111.228.1.212:80"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactPortMatch = set_has_element(malicious_endpoints, strcat(RemoteIP, ":", RemotePort))
// the initiating process, its command line and the account are what you need to triage the false-positive scenarios below
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactPortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; confirm the firewalls or proxies that forward CEF are onboarded, otherwise the first query returns nothing |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Endpoint onboarding on the hosts you expect to see |
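The two queries above match on IP alone and then flag the exact ip:port pair. The following is an added example, not code from the ThreatFox page or the VShell feed: it refangs the 20 published IOCs, emits the two KQL `let` lists the queries use, and runs the same IP-only versus exact ip:port classification over a few constructed CEF firewall records (the records, the vendor name and the internal addresses are made up for the demonstration).

```python
"""Added example (not from the ThreatFox page): refang the ip:port IOCs,
build the KQL let lists, and classify constructed CEF records."""
import re

# The 20 IOCs from the table above, defanged exactly as ThreatFox publishes them.
VSHELL_IOCS_DEFANGED = [
    "8[.]218[.]116[.]41:58465", "47[.]86[.]238[.]244:8084", "47[.]116[.]27[.]92:6443",
    "39[.]97[.]229[.]224:6667", "42[.]193[.]15[.]237:8083", "106[.]14[.]134[.]136:50022",
    "112[.]121[.]176[.]91:80", "121[.]127[.]232[.]229:8084", "194[.]56[.]225[.]147:8084",
    "204[.]194[.]51[.]23:80", "112[.]121[.]176[.]94:80", "112[.]121[.]176[.]90:80",
    "111[.]228[.]26[.]18:8084", "38[.]180[.]150[.]147:8086", "198[.]23[.]196[.]131:8085",
    "47[.]97[.]197[.]89:19999", "43[.]138[.]194[.]156:9999", "39[.]97[.]229[.]224:8889",
    "106[.]75[.]231[.]213:8084", "111[.]228[.]1[.]212:80",
]

_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4:1234' into '1.2.3.4:1234'. Anything that is not a valid
    IPv4 ip:port raises, so a mistyped feed line fails loudly instead of becoming
    a string that silently never matches."""
    value = ioc.replace("[.]", ".").replace("[:]", ":")
    m = _IP_PORT.match(value)
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 1 <= port <= 65535:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return f"{ip}:{port}"


def ioc_sets(defanged):
    """Return (exact ip:port set, distinct IP set) for the feed."""
    endpoints = {refang(i) for i in defanged}
    return endpoints, {e.rsplit(":", 1)[0] for e in endpoints}


def kql_lets(defanged):
    """Emit the malicious_ips and malicious_endpoints let statements used above."""
    endpoints, ips = ioc_sets(defanged)

    def dyn(name, values):
        body = ", ".join(f'"{v}"' for v in sorted(values))
        return f"let {name} = dynamic([{body}]);"

    return dyn("malicious_ips", ips) + "\n" + dyn("malicious_endpoints", endpoints)


_CEF_KV = re.compile(r"(\w+)=(\S+)")


def parse_cef(line: str) -> dict:
    """Pull src/dst/dpt/act out of a CEF line's extension (text after the 7th '|').
    Deliberately minimal: extension values containing spaces (msg=...) are not handled."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    kv = dict(_CEF_KV.findall(parts[7]))
    return {"src": kv.get("src"), "dst": kv.get("dst"),
            "dpt": int(kv["dpt"]) if "dpt" in kv else None, "act": kv.get("act")}


def hunt(cef_lines, defanged=VSHELL_IOCS_DEFANGED):
    """Classify each record as 'exact' (ip:port hit), 'ip-only' (listed IP on an
    unlisted port) or None. IP-only hits are the ones to check against the
    published port before paging anyone."""
    endpoints, ips = ioc_sets(defanged)
    results = []
    for line in cef_lines:
        rec = parse_cef(line)
        pair = f"{rec['dst']}:{rec['dpt']}"
        level = "exact" if pair in endpoints else ("ip-only" if rec["dst"] in ips else None)
        results.append((pair, level, rec["act"]))
    return results


# Constructed firewall records (not real traffic): one exact C2 hit, the same host
# on an unlisted port, one port-80 exact hit that was blocked, one unrelated flow.
SAMPLE_CEF = [
    "CEF:0|Vendor|NGFW|1.0|traffic|Allowed|3|src=10.1.4.22 dst=47.86.238.244 dpt=8084 act=allow",
    "CEF:0|Vendor|NGFW|1.0|traffic|Allowed|3|src=10.1.4.22 dst=47.86.238.244 dpt=443 act=allow",
    "CEF:0|Vendor|NGFW|1.0|traffic|Denied|5|src=10.1.9.7 dst=112.121.176.91 dpt=80 act=deny",
    "CEF:0|Vendor|NGFW|1.0|traffic|Allowed|3|src=10.1.9.7 dst=1.1.1.1 dpt=53 act=allow",
]

if __name__ == "__main__":
    print(kql_lets(VSHELL_IOCS_DEFANGED))
    for pair, level, act in hunt(SAMPLE_CEF):
        print(f"{pair:<22} {level or '-':<8} {act}")
```

The `refang` check is the part worth keeping around: a feed entry that fails to refang cleanly should stop the pipeline rather than ship a `let` list with a dead string in it, and the 19-versus-20 count makes the duplicate host (39.97.229.224 on two ports) visible before the list is pasted into Sentinel.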
False positive scenarios
The scenarios below describe traffic that can reach the listed endpoints for a benign reason. Every filter given here keys on a substring of a process or account name, and a substring exclusion is trivially defeated by naming an implant update.exe or running it under an account with "admin" in its name. Treat them as starting points: scope each one to the specific hosts, service accounts and process paths known to generate the traffic, and remember that a connection to a VShell C2 port from a legitimately named process is still worth a look.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a maintenance script (log rotation, backup or configuration update) that reaches one of the listed ip:port pairs. A maintenance script has no ordinary reason to contact a VShell C2 endpoint, so confirm that the destination is genuinely part of the task before excluding it.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" and (process.command_line contains "maintenance" or process.command_line contains "backup")
Scenario: Admin Access to VShell Logs for Forensic Analysis
Description: A security admin or SOC analyst is reviewing VShell-related activity during incident response or forensic analysis, which can include reaching the listed endpoints from an analysis host (for example, to check whether a C2 port is still listening).
Filter/Exclusion: user_account contains "admin" or user_account contains "security" or user_account contains "soc" or process.name contains "log_viewer" or process.name contains "event_viewer"
Scenario: Integration with Threat Intelligence Platforms
Description: A threat intelligence platform (e.g., CrowdStrike, Microsoft Defender) ingests the VShell IOCs and actively enriches or probes them, producing connections to the listed endpoints. Ingesting the feed itself generates no such traffic; only active enrichment does.
Filter/Exclusion: process.name contains "threatintel" or process.name contains "crowdstrike" or process.name contains "microsoft defender". The token "ti" on its own matches far too many process names to be usable and has been dropped from the filter.
Scenario: Legitimate Software Update or Patching Process
Description: A patching tool or update manager (e.g., SCCM, WSUS) reaches one of the listed endpoints during a routine software update. As with the maintenance case, an update channel pointing at a C2 endpoint should be verified, not assumed.
Filter/Exclusion: process.name contains "sccm" or process.name contains "wsus" or process.name contains "patching" or process.name contains "update"
Scenario: Network Monitoring Tool Analyzing VShell Traffic
Description: A network monitoring or SIEM collector (e.g., Splunk, QRadar) generates connections to the listed endpoints while analyzing or verifying VShell traffic for monitoring or compliance purposes.
Filter/Exclusion: process.name contains "splunk" or process.name contains "qradar" or process.name contains "siem" or process.name contains "network monitoring"
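To see what the substring filters above cost in practice, here is an added example (not from the ThreatFox page) that applies them, and a scoped allowlist as an alternative, to constructed events shaped like Defender's DeviceNetworkEvents. The hosts, accounts and process paths are invented for the demonstration; the four endpoints are from the IOC table above.

```python
"""Added example (not from the ThreatFox page): substring exclusions versus a
scoped allowlist, over constructed DeviceNetworkEvents-shaped records."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class NetEvent:
    device: str
    account: str
    process: str        # full initiating process path, as Defender reports it
    remote_ip: str
    remote_port: int

    @property
    def endpoint(self) -> str:
        return f"{self.remote_ip}:{self.remote_port}"


# Four of the published VShell C2 endpoints, refanged.
VSHELL_ENDPOINTS = {"47.86.238.244:8084", "47.116.27.92:6443",
                    "8.218.116.41:58465", "111.228.1.212:80"}

# The scenario filters above, reduced to their substring tokens (lower-cased).
PROCESS_TOKENS = ["sccm", "wsus", "patching", "update", "splunk", "qradar", "siem",
                  "threatintel", "ti", "crowdstrike", "log_viewer", "event_viewer"]
ACCOUNT_TOKENS = ["admin", "security", "soc"]


def excluded_by_substring(ev: NetEvent) -> bool:
    """Page-style filter: any token anywhere in the process path or account name."""
    proc, acct = ev.process.lower(), ev.account.lower()
    return any(t in proc for t in PROCESS_TOKENS) or any(t in acct for t in ACCOUNT_TOKENS)


# Scoped alternative: exact (device, process path, endpoint) triples that someone has
# verified as a sanctioned source of that traffic, here a hypothetical TI probe host.
SCOPED_ALLOWLIST = {
    ("ti-sandbox01", "c:\\tools\\threatintel\\probe.exe", "47.86.238.244:8084"),
}


def excluded_by_scope(ev: NetEvent) -> bool:
    """Exclude only a known host running a known binary to a known endpoint."""
    return (ev.device.lower(), ev.process.lower(), ev.endpoint) in SCOPED_ALLOWLIST


def triage(events: Iterable[NetEvent], policy: Callable[[NetEvent], bool]) -> List[NetEvent]:
    """Events that hit a C2 endpoint and are not suppressed by the exclusion policy."""
    return [ev for ev in events if ev.endpoint in VSHELL_ENDPOINTS and not policy(ev)]


# Constructed events: one genuine TI probe, two that should alert, one non-IOC flow.
SAMPLE_EVENTS = [
    NetEvent("ti-sandbox01", "svc_threatintel", r"C:\Tools\threatintel\probe.exe", "47.86.238.244", 8084),
    NetEvent("fin-ws07", "jsmith", r"C:\Users\jsmith\AppData\Local\Temp\winupdate.exe", "47.116.27.92", 6443),
    NetEvent("dc01", "admin.bob", r"C:\Windows\System32\svchost.exe", "8.218.116.41", 58465),
    NetEvent("fin-ws07", "jsmith", r"C:\Program Files\Google\Chrome\chrome.exe", "1.1.1.1", 443),
]

if __name__ == "__main__":
    for name, policy in (("substring", excluded_by_substring), ("scoped", excluded_by_scope)):
        print(name, [ev.device for ev in triage(SAMPLE_EVENTS, policy)])
```

With the substring policy the workstation running winupdate.exe from a Temp folder and the domain controller whose svchost.exe reached a C2 port are both suppressed, one by the "update" token and one by the "admin" account token, so the hunt reports nothing. The scoped allowlist suppresses only the verified probe host and surfaces both of the others.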