The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary

- Malware Family: VShell
- Total IOCs: 6
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 77[.]93[.]157[.]134:8081 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 70[.]39[.]203[.]7:8085 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 8[.]217[.]179[.]11:28091 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 103[.]51[.]147[.]252:80 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]97[.]37:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 39[.]96[.]6[.]91:8084 | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this query matches on IP address only; the ports listed in the IOC table are not checked.
let malicious_ips = dynamic(["77.93.157.134", "154.88.97.37", "39.96.6.91", "8.217.179.11", "70.39.203.7", "103.51.147.252"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
// Note: this query matches on RemoteIP only; the ports listed in the IOC table are not checked.
let malicious_ips = dynamic(["77.93.157.134", "154.88.97.37", "39.96.6.91", "8.217.179.11", "70.39.203.7", "103.51.147.252"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
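Because the ThreatFox indicators are of type ip:port, matching the full endpoint rather than the bare IP cuts down on hits against unrelated services hosted on the same address (for example, ordinary web traffic to port 80 on a shared host). The query below is an added example, not part of the original rule; it assumes the standard `Computer` and `LocalIP` columns are populated in CommonSecurityLog and DeviceNetworkEvents respectively, and a 30-day lookback.

```kql
// Added example: hunt on the exact ip:port pairs from the ThreatFox VShell IOC table,
// across both Sentinel tables, and summarize per host so repeated beaconing stands out.
let vshell_c2 = dynamic([
    "77.93.157.134:8081", "70.39.203.7:8085", "8.217.179.11:28091",
    "103.51.147.252:80", "154.88.97.37:8884", "39.96.6.91:8084"
]);
let lookback = 30d;   // assumed hunting window
union
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   // build the ip:port string so it compares directly against the IOC list
   | extend endpoint = strcat(DestinationIP, ":", tostring(DestinationPort))
   | where endpoint in (vshell_c2)
   | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
             Src = SourceIP, endpoint, Context = strcat(DeviceAction, " ", Activity)),
  (DeviceNetworkEvents
   | where Timestamp > ago(lookback)
   | extend endpoint = strcat(RemoteIP, ":", tostring(RemotePort))
   | where endpoint in (vshell_c2)
   | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
             Src = LocalIP, endpoint, Context = strcat(InitiatingProcessFileName, " ", ActionType))
// one row per host/endpoint pair: hit count, first/last contact, and up to 10 distinct contexts
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Contexts = make_set(Context, 10) by Source, Host, endpoint
| order by Hits desc
```

A host with many hits spread evenly between FirstSeen and LastSeen is a stronger C2 candidate than a single hit, so triage the top rows first.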
- Scenario: Scheduled System Maintenance Task
  - Description: A legitimate scheduled task runs a script that uses VShell as part of a system maintenance routine, such as log rotation or configuration backup.
  - Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known maintenance schedule.
- Scenario: Admin Access via VShell for Remote Management
  - Description: An administrator uses VShell to securely access a remote server for troubleshooting or configuration changes.
  - Filter/Exclusion: Exclude connections originating from known admin IPs or users with elevated privileges (e.g., DOMAIN\Administrator).
- Scenario: VShell Used for Secure File Transfer
  - Description: A legitimate file transfer occurs using VShell as part of a secure data exchange between internal systems.
  - Filter/Exclusion: Exclude file transfers involving known internal file paths (e.g., C:\temp\, C:\shared\) or between internal IP ranges.
- Scenario: VShell Integration with SIEM Tools
  - Description: VShell is used to send logs or alerts to a Security Information and Event Management (SIEM) system for centralized monitoring.
  - Filter/Exclusion: Exclude traffic to known SIEM servers (e.g., SIEM-Server-IP, SIEM-Server-FQDN) or processes initiated by SIEM integration tools.
- Scenario: VShell Used for Patch Management
  - Description: VShell is used to deploy patches or updates to multiple servers as part of an automated patch management process.
  - Filter/Exclusion: Exclude processes initiated by patch management tools (e.g., SCCM, WSUS) or involving known patch directories (e.g., C:\Windows\Temp\).