The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary

Malware Family: VShell
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 219[.]136[.]209[.]179:19999 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 115[.]190[.]11[.]207:58084 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 151[.]243[.]109[.]77:8084 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 82[.]156[.]243[.]144:9999 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 45[.]195[.]8[.]170:2086 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 43[.]255[.]157[.]92:6443 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 112[.]121[.]176[.]93:80 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 43[.]156[.]148[.]73:8084 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 39[.]106[.]32[.]160:8084 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 118[.]126[.]104[.]234:20001 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 152[.]136[.]232[.]240:8084 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 152[.]136[.]120[.]69:7777 | botnet_cc | 2026-06-01 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["151.243.109.77", "152.136.120.69", "43.156.148.73", "43.255.157.92", "115.190.11.207", "112.121.176.93", "82.156.243.144", "39.106.32.160", "219.136.209.179", "45.195.8.170", "152.136.232.240", "118.126.104.234"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["151.243.109.77", "152.136.120.69", "43.156.148.73", "43.255.157.92", "115.190.11.207", "112.121.176.93", "82.156.243.144", "39.106.32.160", "219.136.209.179", "45.195.8.170", "152.136.232.240", "118.126.104.234"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine (e.g., log rotation or backup). | `process.name != "vshell" OR process.parent.name == "schtasks.exe" OR (file.path contains "System32" AND file.name != "vshell.exe")` |
| Admin Using VShell for Remote Access | A system administrator uses VShell to securely access a remote server for troubleshooting or configuration. | `user.account != "admin_account" OR process.parent.name == "taskmgr.exe" OR (process.parent.name == "cmd.exe" AND process.parent.command_line contains "runas")` |
| Log Collection via VShell | A log aggregation tool uses VShell to transfer logs from remote servers to a central logging server. | `file.name contains "logcollector.exe" OR process.name contains "logcollector" OR destination.ip in known_log_servers` |
| Software Update via VShell | A legitimate software update process uses VShell to transfer update packages to multiple endpoints. | `file.name contains "update_agent.exe" OR process.name contains "update_service" OR file.path contains "SoftwareUpdate"` |
| Internal Network Monitoring Tool | An internal network monitoring tool uses VShell to monitor traffic across the network. | `process.name contains "network_monitor" OR file.name contains "netmon.exe" OR process.parent.name == "services.exe"` |
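The two hunting queries above match on the IP address alone, but every IOC in the feed is an ip:port pair, and at least one host (112.121.176.93) is listed on port 80, so matching on the IP only will surface unrelated traffic to a shared host. The query below is an added example, not code from ThreatFox or the original page: it carries the port through a `datatable` of the page's twelve IOCs (refanged), checks both CommonSecurityLog and DeviceNetworkEvents in one run, and applies the process-name exclusions from the false-positive scenarios above to the endpoint events. The process names in `expected_process` are the page's placeholders, not real tooling, and the query assumes `RemotePort` and `DestinationPort` are integer columns, as they are in the standard schemas.

```kql
// Added example: hunt for the full ip:port IOC pair rather than the IP alone.
// IOC values are the page's ThreatFox entries, refanged; nothing else here is from the feed.
let vshell_iocs = datatable(RemoteIP: string, RemotePort: int) [
    "219.136.209.179", 19999,
    "115.190.11.207",  58084,
    "151.243.109.77",  8084,
    "82.156.243.144",  9999,
    "45.195.8.170",    2086,
    "43.255.157.92",   6443,
    "112.121.176.93",  80,
    "43.156.148.73",   8084,
    "39.106.32.160",   8084,
    "118.126.104.234", 20001,
    "152.136.232.240", 8084,
    "152.136.120.69",  7777
];
// Placeholder allow-list taken from the false-positive scenarios on this page (assumed names;
// replace with the binaries that genuinely run in your environment before deploying).
let expected_process = dynamic(["logcollector.exe", "update_agent.exe", "netmon.exe"]);
// Endpoint side: exact ip:port match, then drop the expected processes.
let mde_hits = DeviceNetworkEvents
    | join kind=inner vshell_iocs on RemoteIP, RemotePort
    | where InitiatingProcessFileName !in~ (expected_process)
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              RemoteIP, RemotePort,
              Process = InitiatingProcessFileName,
              ParentProcess = InitiatingProcessParentFileName,
              Account = InitiatingProcessAccountName,
              Detail = ActionType;
// Network/firewall side: rename the IOC columns to the CEF names so the join keys line up.
let csl_hits = CommonSecurityLog
    | join kind=inner (vshell_iocs
                       | project DestinationIP = RemoteIP, DestinationPort = RemotePort)
        on DestinationIP, DestinationPort
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = SourceIP,
              RemoteIP = DestinationIP, RemotePort = DestinationPort,
              Detail = strcat(DeviceAction, " / ", Activity);
// union tolerates the column differences; missing columns are filled with empty values.
union mde_hits, csl_hits
| order by TimeGenerated desc
```

Two points on the design. Matching the pair is stricter than the IP-only query, so run both during an initial hunt and compare: an IP-only hit on a different port is worth a second look before it is dismissed, because a C2 host can rotate ports between feed updates. The process-name exclusion is the weakest part of the tuning, since a renamed binary satisfies it trivially; when an exclusion is genuinely needed, pair the file name with `InitiatingProcessFolderPath` and the signer information available in DeviceProcessEvents rather than excluding on the name alone.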