The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have evaded traditional detection mechanisms.
IOC Summary
Malware Family: VShell
Total IOCs: 14
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]236[.]136[.]19:8811 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 47[.]108[.]62[.]225:58313 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 152[.]136[.]38[.]231:20004 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]41:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]37:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]60:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]62:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]61:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]97[.]49:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 45[.]87[.]53[.]6:8084 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 175[.]178[.]117[.]214:8083 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]42:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]52:8884 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]88[.]96[.]48:8884 | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["175.178.117.214", "154.88.96.61", "47.236.136.19", "154.88.96.60", "154.88.96.37", "154.88.96.42", "152.136.38.231", "47.108.62.225", "154.88.96.62", "45.87.53.6", "154.88.97.49", "154.88.96.52", "154.88.96.41", "154.88.96.48"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["175.178.117.214", "154.88.96.61", "47.236.136.19", "154.88.96.60", "154.88.96.37", "154.88.96.42", "152.136.38.231", "47.108.62.225", "154.88.96.62", "45.87.53.6", "154.88.97.49", "154.88.96.52", "154.88.96.41", "154.88.96.48"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
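The two queries above match on IP address alone, but the feed publishes ip:port pairs, and matching the pair avoids flagging unrelated traffic to a host that is shared with legitimate services. The query below is an added example, not part of the original page; the 14 pairs are taken from the table above, while the 30-day window, the ActionType filter and the summarize step are assumptions about what an analyst would want to triage first.

```kusto
// Added example: hunt on the full ip:port pair from the ThreatFox VShell feed.
// Pairs copied from the IOC table; lookback, ActionType filter and summarize
// are assumed triage choices, not part of the original rule.
let vshell_c2 = datatable(RemoteIP: string, RemotePort: int) [
    "47.236.136.19", 8811,
    "47.108.62.225", 58313,
    "152.136.38.231", 20004,
    "154.88.96.41", 8884,
    "154.88.96.37", 8884,
    "154.88.96.60", 8884,
    "154.88.96.62", 8884,
    "154.88.96.61", 8884,
    "154.88.97.49", 8884,
    "45.87.53.6", 8084,
    "175.178.117.214", 8083,
    "154.88.96.42", 8884,
    "154.88.96.52", 8884,
    "154.88.96.48", 8884
];
DeviceNetworkEvents
| where Timestamp > ago(30d)
// Failed attempts still indicate a beacon trying to reach its C2, so keep them
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// Inner join on both columns: an IP alone is not enough to match
| join kind=inner vshell_c2 on RemoteIP, RemotePort
// Collapse per host and C2 pair so one beaconing device yields one row
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            Actions = make_set(ActionType, 5)
    by DeviceName, RemoteIP, RemotePort
| order by LastSeen desc
```

A device that shows repeated connections at regular intervals from a process outside its normal software inventory is the first row to investigate.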
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that uses wget or curl to download a system update or patch from a trusted internal repository.
Filter/Exclusion: Exclude traffic originating from known internal update servers or filter based on src_ip matching internal IP ranges.

Scenario: Admin Task - File Integrity Monitoring (FIM) Check
Description: An admin uses a tool like Tripwire or OSSEC to scan for file changes, which may involve downloading or executing scripts from a trusted internal source.
Filter/Exclusion: Exclude processes initiated by known admin accounts or filter based on process.name matching FIM tool names.

Scenario: Log Collection via Fluentd or Graylog
Description: A log aggregation tool like Fluentd or Graylog is configured to collect logs from various hosts, which may involve using nc or ssh to transfer data.
Filter/Exclusion: Exclude connections to known log aggregation servers or filter based on dest_ip matching internal log server IP ranges.

Scenario: Software Update via Chocolatey or Scoop
Description: A system administrator uses Chocolatey or Scoop to install or update software, which may involve downloading packages from internal or public repositories.
Filter/Exclusion: Exclude processes initiated by the choco or scoop command-line tools or filter based on process.name matching these tools.

Scenario: Database Backup via rsync or scp
Description: A database backup job uses rsync or scp to transfer data between servers, which may trigger network activity resembling malicious IOCs.
Filter/Exclusion: Exclude traffic associated with known backup tools or filter based on process.name matching `rs