The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary
Malware Family: VShell
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 60[.]205[.]129[.]61:30244 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 49[.]232[.]169[.]67:8084 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 49[.]232[.]169[.]67:8085 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 31[.]207[.]4[.]28:4444 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 1[.]13[.]158[.]52:8084 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 106[.]75[.]137[.]168:8080 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 47[.]99[.]176[.]249:10086 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 154[.]91[.]83[.]10:39003 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 110[.]42[.]232[.]120:8897 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 114[.]67[.]208[.]95:8888 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 150[.]158[.]23[.]58:9999 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 106[.]75[.]236[.]163:8080 | botnet_cc | 2026-06-19 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Matching is on the address only; DestinationPort is projected so hits can be
// triaged against the ip:port pairs in the IOC table above.
let malicious_ips = dynamic(["31.207.4.28", "49.232.169.67", "106.75.137.168", "1.13.158.52", "154.91.83.10", "114.67.208.95", "106.75.236.163", "110.42.232.120", "47.99.176.249", "150.158.23.58", "60.205.129.61"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected for the same reason: compare it with the IOC table's ports.
let malicious_ips = dynamic(["31.207.4.28", "49.232.169.67", "106.75.137.168", "1.13.158.52", "154.91.83.10", "114.67.208.95", "106.75.236.163", "110.42.232.120", "47.99.176.249", "150.158.23.58", "60.205.129.61"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
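The queries above match on IP address only, while the ThreatFox indicators are ip:port pairs (one address appears with two ports). The following added example, which is not part of the original rule, refangs the `[.]` notation from the IOC table, regenerates the `let malicious_ips` line, and grades constructed connection records as exact (address and port) or address-only hits so an analyst can prioritise triage.

```python
"""Refang ThreatFox ip:port IOCs and grade connection records against them."""
import re

# Constructed sample: four of the VShell IOCs, copied in the table's defanged form.
DEFANGED_IOCS = [
    "60[.]205[.]129[.]61:30244",
    "49[.]232[.]169[.]67:8084",
    "49[.]232[.]169[.]67:8085",
    "31[.]207[.]4[.]28:4444",
]


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); reject anything else."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)


def build_kql_list(iocs: list[str]) -> str:
    """Emit the KQL 'let' statement used by the hunting queries (unique IPs, sorted)."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def match_connections(iocs: list[str], records: list[dict]) -> list[tuple[dict, str]]:
    """Return (record, grade) for each record touching an IOC.

    'exact' means address and port both match an ip:port indicator;
    'ip-only' means the address matches but the port does not, which is what
    an IP-only KQL match would also return and deserves a closer look.
    """
    exact = {refang(i) for i in iocs}
    ips = {ip for ip, _ in exact}
    hits = []
    for rec in records:
        if (rec["dst_ip"], rec["dst_port"]) in exact:
            hits.append((rec, "exact"))
        elif rec["dst_ip"] in ips:
            hits.append((rec, "ip-only"))
    return hits


# Constructed sample connection records (hostnames and traffic are invented).
SAMPLE_RECORDS = [
    {"host": "ws01", "dst_ip": "49.232.169.67", "dst_port": 8084},
    {"host": "ws02", "dst_ip": "49.232.169.67", "dst_port": 443},
    {"host": "ws03", "dst_ip": "10.0.0.5", "dst_port": 4444},
]
```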
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine (e.g., log rotation or backup).
Filter/Exclusion: process.name == "vshell" AND process.parent_process_name == "schtasks"
Scenario: Admin Performing Remote Management via VShell
Description: An administrator uses VShell to securely transfer files or manage remote servers, which is a legitimate use case.
Filter/Exclusion: user.name == "admin" OR process.parent_process_name == "ssh"
Scenario: Log File Analysis Using VShell
Description: A security analyst uses VShell to transfer or analyze log files from a remote server as part of routine monitoring.
Filter/Exclusion: file.name contains "log" OR process.command_line contains "scp"
Scenario: Automated Backup Job Using VShell
Description: A backup job configured via a tool like rsync or scp uses VShell to transfer data between servers.
Filter/Exclusion: process.name contains "rsync" OR process.name contains "scp"
Scenario: Internal Tool for Internal Communication
Description: A company-specific internal tool or API uses VShell for secure internal communication between services.
Filter/Exclusion: process.name contains "internal_tool" OR process.parent_process_name contains "internal_service"