The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
Malware Family: VShell
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 104[.]233[.]154[.]139:888 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 1[.]94[.]184[.]17:60002 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 106[.]13[.]201[.]122:8084 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 110[.]42[.]61[.]44:8888 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 115[.]190[.]234[.]72:8085 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 124[.]220[.]32[.]176:8084 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 117[.]50[.]184[.]253:50050 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 115[.]191[.]19[.]20:65511 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 149[.]104[.]28[.]77:80 | botnet_cc | 2026-06-10 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: the ThreatFox entries are ip:port pairs; this query matches on IP only,
// so a hit is a candidate for triage rather than a confirmed C2 contact.
let malicious_ips = dynamic(["110.42.61.44", "115.190.234.72", "124.220.32.176", "104.233.154.139", "1.94.184.17", "106.13.201.122", "115.191.19.20", "149.104.28.77", "117.50.184.253"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["110.42.61.44", "115.190.234.72", "124.220.32.176", "104.233.154.139", "1.94.184.17", "106.13.201.122", "115.191.19.20", "149.104.28.77", "117.50.184.253"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
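The two queries above match on IP address alone, while the ThreatFox indicators are ip:port pairs. The following KQL is an added example (not part of the original rule) that matches on the exact IP and port from the IOC table and summarizes hits per device, so that unrelated traffic to a shared host on another port does not surface as a VShell alert. It assumes the standard DeviceNetworkEvents schema (RemoteIP as string, RemotePort as int) and a 30-day lookback, both of which are choices made here, not values from the page.

```kql
// Added example: require both the C2 IP and the C2 port from the ThreatFox table.
// Values in the datatable are the nine ip:port IOCs listed above, refanged.
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "104.233.154.139", 888,
    "1.94.184.17", 60002,
    "106.13.201.122", 8084,
    "110.42.61.44", 8888,
    "115.190.234.72", 8085,
    "124.220.32.176", 8084,
    "117.50.184.253", 50050,
    "115.191.19.20", 65511,
    "149.104.28.77", 80
];
DeviceNetworkEvents
| where Timestamp > ago(30d)                           // lookback window (assumption)
| where RemoteIP in ((vshell_c2 | project RemoteIP))   // cheap prefilter on IP first
| join kind=inner vshell_c2 on RemoteIP, RemotePort    // then require the matching C2 port
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
          by DeviceName, RemoteIP, RemotePort
| order by LastSeen desc
```

The same join works against CommonSecurityLog after renaming DestinationIP and DestinationPort to RemoteIP and RemotePort with project-rename. Matching on the full ip:port pair is a narrower and safer way to cut noise than the broad process or account exclusions listed in the scenarios below; an exclusion for SYSTEM or Administrator processes would also suppress the very activity a backdoor running as a service would produce.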
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine, such as log rotation or backup.
Filter/Exclusion: Exclude processes initiated by the schtasks service or tasks with a known maintenance name (e.g., BackupJob, LogRotation).
Scenario: Admin User Performing Remote Management
Description: An administrator uses vshell to remotely manage a server via a legitimate remote management tool like psexec or winrm.
Filter/Exclusion: Exclude processes initiated by admin users with elevated privileges (e.g., Administrator, SYSTEM) and associated with known remote management tools.
Scenario: Log Collection via VShell
Description: A log collection agent (e.g., Splunk, ELK) uses vshell to transfer logs from remote servers to a central logging server.
Filter/Exclusion: Exclude processes that originate from log collection tools or have destination IPs matching the internal logging server.
Scenario: Software Update via VShell
Description: A software update process (e.g., WSUS, SCCM) uses vshell to distribute patches or updates across the network.
Filter/Exclusion: Exclude processes associated with known update management tools or with source IPs from the internal patch management server.
Scenario: Database Backup via VShell
Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) uses vshell to transfer backup files to a secure storage location.
Filter/Exclusion: Exclude processes initiated by database services or with filenames matching known backup patterns (e.g., backup_*.sql, db_dump_*.tar).