The ThreatFox: VShell IOCs rule detects the establishment of encrypted, persistent communication by VShell malware with command-and-control servers, indicating potential long-term adversary presence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging encrypted C2 channels.
IOC Summary

Malware Family: VShell
Total IOCs: 11
IOC Types: ip:port
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Matches either direction so an inbound connection from a C2 host is also surfaced
let malicious_ips = dynamic(["122.10.24.112", "103.217.197.174", "104.168.100.26", "101.96.216.248", "122.10.5.218", "39.106.172.105", "165.154.205.34", "113.31.104.220", "101.35.218.150", "166.88.209.196", "122.10.24.92"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (run as a separate query from the one above)
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["122.10.24.112", "103.217.197.174", "104.168.100.26", "101.96.216.248", "122.10.5.218", "39.106.172.105", "165.154.205.34", "113.31.104.220", "101.35.218.150", "166.88.209.196", "122.10.24.92"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
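The queries above match on IP alone, but every ThreatFox entry for this family is an ip:port pair, so a tighter hunt can join on both fields. The following Python helper is an added example, not part of the original rule: it refangs the defanged IOC strings, validates them, and emits a DeviceNetworkEvents query joined on (RemoteIP, RemotePort). The three sample inputs are IOCs taken from this page.

```python
import re
from typing import List, Tuple

# Constructed sample input: three of the defanged ip:port IOCs listed on this page.
SAMPLE_IOCS = [
    "122[.]10[.]24[.]112:808",
    "39[.]106[.]172[.]105:6379",
    "166[.]88[.]209[.]196:8800",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(value: str) -> str:
    """Undo the '[.]' defanging ThreatFox uses so the IP can be matched."""
    return value.replace("[.]", ".")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split an 'ip:port' IOC into (ip, port), rejecting malformed values
    so a typo in the feed cannot silently widen or break the hunt."""
    ip, sep, port = refang(ioc).rpartition(":")
    m = _IPV4.match(ip)
    if not sep or not m or any(int(o) > 255 for o in m.groups()):
        raise ValueError(f"invalid ip:port IOC: {ioc!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in IOC: {ioc!r}")
    return ip, port_num


def build_kql(iocs: List[str]) -> str:
    """Emit a DeviceNetworkEvents hunt that joins on (RemoteIP, RemotePort),
    so a connection to a listed IP on an unlisted port is not flagged."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in map(parse_ip_port, iocs))
    return (
        f"let vshell_c2 = datatable(RemoteIP:string, RemotePort:int) [{rows}];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner vshell_c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort,"
        " InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    print(build_kql(SAMPLE_IOCS))
```

Paste the printed query into Sentinel; the IP-only queries above remain useful as a broader first pass when the port may have rotated.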
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Communication
Description: A system monitoring tool like Splunk or SolarWinds communicates with its cloud-based command-and-control servers using encrypted channels.
Filter/Exclusion: Exclude traffic to known legitimate C2 domains associated with monitoring tools (e.g., *.splunk.com, *.solarwinds.com).

Scenario: Scheduled Job for Log Collection
Description: A scheduled job using PowerShell or Python scripts runs to collect logs from remote servers and uploads them to a centralized log management system (e.g., ELK Stack or Graylog).
Filter/Exclusion: Exclude traffic to internal log management servers (e.g., logs.internal.corp, *.graylog.org) and filter by known legitimate scripts or job names.

Scenario: Admin Task for Patch Management
Description: An admin uses WSUS (Windows Server Update Services) or Ansible to push updates to remote systems, which may involve encrypted communication with a central patch management server.
Filter/Exclusion: Exclude traffic to known WSUS or Ansible servers (e.g., wsus.corp, *.ansible.com) and filter by admin user accounts or specific update-related payloads.

Scenario: Secure Remote Access via SSH Tunnel
Description: An admin sets up an SSH tunnel to securely access a remote database or internal service, which may involve encrypted traffic to a bastion host or jump server.
Filter/Exclusion: Exclude traffic to known bastion hosts (e.g., bastion.internal, *.sshproxy.org) and filter by SSH-related traffic patterns (e.g., port 22, known SSH keys).
Scenario: Cloud Service Integration with On-Premises Systems
Description: A cloud service