The ThreatFox: VShell IOCs rule flags network connections to command-and-control (C2) infrastructure that ThreatFox attributes to the VShell malware family; every indicator below is tagged botnet_cc, so a hit means a host is talking to a known VShell C2 endpoint, not merely to a suspicious address. Because VShell gives an operator persistent remote access to the compromised host, SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and in Defender for Endpoint telemetry and contain the beaconing host before that access is used for follow-on activity.
IOC Summary
Malware Family: VShell
Total IOCs: 9
IOC Types: ip:port (the addresses below are defanged with [.]; remove the brackets before using them in a query)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 204[.]194[.]54[.]54:80 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 124[.]222[.]69[.]132:8085 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 120[.]55[.]169[.]194:10005 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 153[.]0[.]197[.]228:8084 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 47[.]250[.]190[.]129:8083 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 47[.]97[.]183[.]52:3306 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 58[.]87[.]99[.]193:1234 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 38[.]190[.]198[.]37:8084 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 103[.]47[.]83[.]115:10001 | botnet_cc | 2026-06-13 | 100% |
```kql
// Hunt for connections to known VShell C2 endpoints (ip:port pairs; source: ThreatFox - VShell)
let vshell_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "204.194.54.54", 80,   "124.222.69.132", 8085, "120.55.169.194", 10005,
    "153.0.197.228", 8084, "47.250.190.129", 8083, "47.97.183.52", 3306,
    "58.87.99.193", 1234,  "38.190.198.37", 8084,  "103.47.83.115", 10001
];
let malicious_ips = toscalar(vshell_c2 | summarize make_list(ioc_ip));
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend MatchedIP = iff(DestinationIP in (malicious_ips), DestinationIP, SourceIP)
| join kind=leftouter vshell_c2 on $left.MatchedIP == $right.ioc_ip
| extend PortMatch = iff(DestinationIP == MatchedIP, DestinationPort == ioc_port, SourcePort == ioc_port) // true = exact ThreatFox ip:port IOC; false = same host, other port
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ioc_port, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (works unchanged in Defender advanced hunting)
let vshell_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "204.194.54.54", 80,   "124.222.69.132", 8085, "120.55.169.194", 10005,
    "153.0.197.228", 8084, "47.250.190.129", 8083, "47.97.183.52", 3306,
    "58.87.99.193", 1234,  "38.190.198.37", 8084,  "103.47.83.115", 10001
];
DeviceNetworkEvents
| where RemoteIP in ((vshell_c2 | project ioc_ip))
| join kind=inner vshell_c2 on $left.RemoteIP == $right.ioc_ip
| extend PortMatch = (RemotePort == ioc_port) // true = exact ip:port IOC; false = same host on another port
| project Timestamp, DeviceName, RemoteIP, RemotePort, ioc_port, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA connector from firewalls and proxies. Ensure the connector is enabled and that the exporting devices actually see egress traffic; DestinationPort is needed for the ip:port check. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) connector with Defender for Endpoint raw events. Ensure the connector is enabled; the same query also runs directly in Defender advanced hunting. |
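As an added example (not part of the ThreatFox page or of the rule itself), the Python below shows the matching logic the two hunt queries rely on, run offline over constructed telemetry: it refangs the `[.]`-defanged ip:port indicators from the table, separates an exact ip:port hit from an IP-only hit (same host, different port), and renders the indicator set as the KQL `datatable` literal used in the queries so the list can be regenerated from a fresh ThreatFox export. The `SAMPLE_EVENTS` records mimic DeviceNetworkEvents columns and are constructed, not real telemetry.

```python
from __future__ import annotations

import ipaddress

# Constructed copy of the ThreatFox VShell ip:port IOCs from the table above,
# kept defanged ("[.]") the way threat-intel feeds publish them.
DEFANGED_IOCS = [
    "204[.]194[.]54[.]54:80",
    "124[.]222[.]69[.]132:8085",
    "120[.]55[.]169[.]194:10005",
    "153[.]0[.]197[.]228:8084",
    "47[.]250[.]190[.]129:8083",
    "47[.]97[.]183[.]52:3306",
    "58[.]87[.]99[.]193:1234",
    "38[.]190[.]198[.]37:8084",
    "103[.]47[.]83[.]115:10001",
]

# Constructed DeviceNetworkEvents-style records (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-042", "RemoteIP": "47.97.183.52", "RemotePort": 3306, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "db-01", "RemoteIP": "47.97.183.52", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws-017", "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "dns.exe"},
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into a usable one ("[.]" -> ".", "hxxp" -> "http")."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(defanged: list[str]) -> dict[str, set[int]]:
    """Map each C2 IPv4 address to the set of ports ThreatFox reported for it.

    A malformed address raises ValueError instead of silently matching nothing.
    """
    iocs: dict[str, set[int]] = {}
    for raw in defanged:
        ip, _, port = refang(raw).rpartition(":")  # IPv4 only; IPv6 would need bracket handling
        ipaddress.ip_address(ip)  # validation: raises ValueError on garbage
        iocs.setdefault(ip, set()).add(int(port))
    return iocs


def classify(iocs: dict[str, set[int]], remote_ip: str, remote_port: int) -> str:
    """'exact' = ip:port IOC hit, 'ip-only' = same host on a different port, 'none' = no match."""
    ports = iocs.get(remote_ip)
    if ports is None:
        return "none"
    return "exact" if remote_port in ports else "ip-only"


def hunt(events: list[dict], iocs: dict[str, set[int]]) -> list[tuple]:
    """Return (device, ip, port, process, verdict) for every event touching a listed IP."""
    hits = []
    for ev in events:
        verdict = classify(iocs, ev["RemoteIP"], ev["RemotePort"])
        if verdict != "none":
            hits.append((ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
                         ev["InitiatingProcessFileName"], verdict))
    return hits


def to_kql_datatable(iocs: dict[str, set[int]], name: str = "vshell_c2") -> str:
    """Render the IOC set as the KQL datatable literal used by the Sentinel/Defender hunt queries."""
    rows = ",\n".join(f'    "{ip}", {port}'
                      for ip in sorted(iocs) for port in sorted(iocs[ip]))
    return f"let {name} = datatable(ioc_ip:string, ioc_port:int) [\n{rows}\n];"


if __name__ == "__main__":
    vshell = parse_iocs(DEFANGED_IOCS)
    for hit in hunt(SAMPLE_EVENTS, vshell):
        print(hit)
    print(to_kql_datatable(vshell))
```

An IP-only hit (db-01 to 47.97.183.52:443 above) is still worth a look, but it is weaker evidence than the exact ip:port pair: shared or reassigned cloud addresses host plenty of unrelated services, which is why the KQL queries carry `PortMatch` rather than collapsing both cases into one alert.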
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a script that reaches out to a remote host. The rule matches on the remote ip:port only, so the task is a false positive only if it genuinely connects to one of the listed addresses (for example a vendor update or telemetry endpoint on an address that has been reassigned since ThreatFox first saw it).
Filter/Exclusion: Exclude the specific ip:port together with the task's binary and command line, not schtasks.exe or every task whose name contains "maintenance" or "system_cleanup"; scheduled tasks are a common persistence mechanism, and a name-based exclusion is trivially abused by naming the malicious task accordingly.
Scenario: Admin Performing Log File Analysis
Description: Reviewing log files with logparser.exe or PowerShell does not by itself produce traffic to a C2 address; this only matches if the review tooling pulls logs from, or uploads results to, a listed ip:port.
Filter/Exclusion: Do not exclude powershell.exe or privileged accounts wholesale, since an interactive shell run by an administrator is exactly what VShell operator activity looks like. If a log server really does sit on a listed address, exclude that single ip:port for the specific collection host and account.
Scenario: Network Monitoring Tool Generating Alerts
Description: Wireshark and tcpdump capture traffic passively and do not initiate connections, so a capture host only appears in DeviceNetworkEvents or CommonSecurityLog if it re-exports the captured flow, for example a sensor forwarding packets to a collector on a listed address.
Filter/Exclusion: Exclude the collector's ip:port for the monitoring service account only; a blanket exclusion of wireshark.exe or tcpdump.exe hides a real beacon from a host where those tools also happen to run.
Scenario: Software Update or Patch Deployment
Description: Update traffic from Windows Update, WSUS or a third-party patch agent matches only if the update server itself is on a listed address. Cloud-hosted addresses are reassigned over time, so a hit on an older indicator (compare the First Seen date) should be re-verified against the current ThreatFox entry before it is written off as benign.
Filter/Exclusion: Exclude by the known update server's ip:port rather than by process name (wusa.exe, the WSUS or Windows Update services), and confirm the server's identity (TLS certificate, asset inventory) before adding the exclusion.
Scenario: Database Backup or Restore Job
Description: A backup job (SQL Server backup, mysqldump) connects to the database on its service port; 47.97.183.52:3306 in the list is the MySQL default port, so a backup job pointed at a database hosted on that address would match exactly.
Filter/Exclusion: Exclude processes associated with sqlbackup.exe, mysqldump, or tasks with