The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware (tracked in ThreatFox as a botnet command-and-control family) by matching network traffic against its known ip:port indicators of compromise. SOC teams should proactively hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) and Defender for Endpoint: a host talking to one of these endpoints is a candidate for an established C2 channel, and possibly data exfiltration, and the initiating process should be triaged.
IOC Summary
Malware Family: VShell
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]100[.]89[.]103:8084 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 8[.]135[.]58[.]72:8084 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 192[.]187[.]118[.]178:8084 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 124[.]220[.]94[.]87:80 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 107[.]150[.]25[.]65:2086 | botnet_cc | 2026-06-10 | 100% |
```kusto
// Hunt for network connections to known VShell C2 endpoints (the ip:port pairs listed above)
// Source: ThreatFox - VShell
let vshell_c2 = datatable(C2Ip:string, C2Port:int) [
    "39.100.89.103", 8084,
    "8.135.58.72", 8084,
    "192.187.118.178", 8084,
    "124.220.94.87", 80,
    "107.150.25.65", 2086
];
let malicious_ips = toscalar(vshell_c2 | summarize make_set(C2Ip));
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// Flag exact ip:port matches on the outbound side; SourceIP hits (inbound) keep the IP-only match
| join kind=leftouter vshell_c2 on $left.DestinationIP == $right.C2Ip, $left.DestinationPort == $right.C2Port
| extend ExactIocMatch = isnotempty(C2Ip)
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, ExactIocMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events, matching the exact ip:port pair
// Source: ThreatFox - VShell
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "39.100.89.103", 8084,
    "8.135.58.72", 8084,
    "192.187.118.178", 8084,
    "124.220.94.87", 80,
    "107.150.25.65", 2086
];
DeviceNetworkEvents
| join kind=inner vshell_c2 on RemoteIP, RemotePort
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog ingestion); the query matches on DestinationIP/DestinationPort and SourceIP |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR connector is enabled; the query matches on RemoteIP/RemotePort |
False Positive Scenarios
The exclusions below are generic process-level patterns and do not apply directly to this rule, which matches on remote ip:port rather than on a process name. VShell here is the C2 framework tracked by ThreatFox, not VanDyke Software's VShell SSH server; a legitimately deployed SSH product, backup job or CI/CD agent has no reason to connect to the listed endpoints. Before excluding anything, confirm the hit is the exact ip:port pair from the table and review the initiating process and command line; treat an exact match as malicious unless the address is shown to have been reassigned since the IOC's first-seen date.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that invokes a binary named vshell as part of a maintenance routine (e.g., log rotation or backup).
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"

Scenario: Admin Using VShell for Remote Management
Description: An administrator uses a VShell-named SSH client or server to access a remote host for troubleshooting or configuration changes.
Filter/Exclusion: process.user == "admin_account" or process.command_line contains "vshell -r"

Scenario: Log Analysis Tool Processing VShell Logs
Description: A log analysis tool (e.g., Splunk, ELK) is parsing logs that contain the VShell IOC strings and triggers the rule on log file access.
Filter/Exclusion: process.file_name contains "splunkd.exe" or process.file_name contains "logstash"

Scenario: Automated Deployment Script Using VShell
Description: A CI/CD pipeline (e.g., Jenkins, Azure DevOps) uses a VShell-named tool to deploy configurations or scripts to remote servers.
Filter/Exclusion: process.command_line contains "jenkins.exe" or process.command_line contains "azure devops"

Scenario: Database Backup Using VShell
Description: A database backup tool (e.g., Oracle Data Pump, MySQL Backup) uses a VShell-named transfer tool to move backup files between servers.
Filter/Exclusion: process.file_name contains "oracle.exe" or process.file_name contains "mysqldump.exe"
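The hunting logic above (both the KQL queries and the tuning advice to match the full ip:port pair rather than the IP alone) run offline over constructed sample events, as an added example that is not part of the original page or of the ThreatFox project. The IOC list is the one published above in defanged form; the event records, device names and process names are constructed for illustration. The `hunt()` helper shows why IP-only matching is noisier: a hit on an IOC address at a port ThreatFox never reported is a weaker signal than an exact pair match, and `to_kql_datatable()` emits the datatable literal used in the Defender query so the list can be refreshed without hand-editing.

```python
"""Match ThreatFox-style ip:port IOCs against network events (added example)."""
from __future__ import annotations

import ipaddress
from typing import Iterable

# IOC list as published on this page, kept in defanged form.
IOCS_DEFANGED = [
    "39[.]100[.]89[.]103:8084",
    "8[.]135[.]58[.]72:8084",
    "192[.]187[.]118[.]178:8084",
    "124[.]220[.]94[.]87:80",
    "107[.]150[.]25[.]65:2086",
]


def refang(value: str) -> str:
    """Turn a defanged ip:port string ("1[.]2[.]3[.]4:80") into a plain one."""
    return value.replace("[.]", ".")


def parse_iocs(values: Iterable[str]) -> set[tuple[str, int]]:
    """Parse ip:port IOCs into (ip, port) tuples, rejecting malformed addresses."""
    parsed: set[tuple[str, int]] = set()
    for raw in values:
        ip, _, port = refang(raw).rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a bad address
        parsed.add((ip, int(port)))
    return parsed


# Constructed sample events in the shape of the DeviceNetworkEvents columns.
# Only the first and third rows are exact ip:port matches; the second shares an
# IOC address but not its port, the fourth shares a port but not an address.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-11T08:01:02Z", "DeviceName": "ws-042",
     "RemoteIP": "39.100.89.103", "RemotePort": 8084,
     "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-11T08:05:40Z", "DeviceName": "ws-017",
     "RemoteIP": "124.220.94.87", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-11T09:12:13Z", "DeviceName": "srv-db1",
     "RemoteIP": "107.150.25.65", "RemotePort": 2086,
     "InitiatingProcessFileName": "update.exe"},
    {"Timestamp": "2026-06-11T09:30:00Z", "DeviceName": "ws-099",
     "RemoteIP": "10.0.0.5", "RemotePort": 8084,
     "InitiatingProcessFileName": "ssh.exe"},
]


def hunt(events: Iterable[dict], iocs: set[tuple[str, int]], strict: bool = True) -> list[dict]:
    """Return events whose remote endpoint matches an IOC.

    strict=True requires the (ip, port) pair to match, mirroring the ip:port IOC type.
    strict=False matches on IP alone, like an IP-only KQL `in (...)` filter, and is noisier.
    """
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for event in events:
        pair = (event["RemoteIP"], int(event["RemotePort"]))
        matched = pair in iocs if strict else event["RemoteIP"] in ioc_ips
        if matched:
            hits.append(event)
    return hits


def to_kql_datatable(iocs: set[tuple[str, int]], name: str = "vshell_c2") -> str:
    """Render the IOC set as the KQL datatable literal used in the Defender query."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return f"let {name} = datatable(RemoteIP:string, RemotePort:int) [\n{rows}\n];"


if __name__ == "__main__":
    iocs = parse_iocs(IOCS_DEFANGED)
    for hit in hunt(SAMPLE_EVENTS, iocs):
        print(f"{hit['Timestamp']} {hit['DeviceName']} -> "
              f"{hit['RemoteIP']}:{hit['RemotePort']} ({hit['InitiatingProcessFileName']})")
    print(to_kql_datatable(iocs))
```

Running it prints the two exact matches (ws-042 and srv-db1) and the datatable; switching to `strict=False` also surfaces the chrome.exe connection to 124.220.94.87:443, which is the kind of hit that needs the process-level review described above rather than a blanket exclusion.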