The ThreatFox: VShell IOCs rule flags network connections to or from the command-and-control (C2) endpoints that ThreatFox attributes to the VShell malware family. All three indicators are ip:port pairs tagged botnet_cc at 100% confidence, so a match is a strong signal of an active C2 channel rather than a weak hint. The values below are defanged with [.] and must be refanged before they are used in a query. SOC teams should hunt for this traffic in Azure Sentinel to detect and respond to intrusions that may be exfiltrating data or maintaining command and control.
IOC Summary
Malware Family: VShell
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 36[.]138[.]84[.]183:8089 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 49[.]234[.]28[.]41:8086 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 64[.]90[.]16[.]91:8083 | botnet_cc | 2026-05-27 | 100% |
// Query 1: hunt for connections to or from known VShell C2 IPs in CEF/Syslog data
// Source: ThreatFox - VShell (IOCs refanged from the table above)
let malicious_ips = dynamic(["36.138.84.183", "49.234.28.41", "64.90.16.91"]);
let vshell_c2 = dynamic(["36.138.84.183:8089", "49.234.28.41:8086", "64.90.16.91:8083"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)   // widen the lookback for a retrospective hunt
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// ExactMatch is true only when the ip:port pair equals the ThreatFox IOC; an IP-only hit on another port is still worth triage
| extend ExactMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (vshell_c2)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactMatch, DeviceAction, Activity, DeviceVendor
| order by TimeGenerated desc
// Query 2: hunt in Defender for Endpoint network events (run separately from Query 1)
let malicious_ips = dynamic(["36.138.84.183", "49.234.28.41", "64.90.16.91"]);
let vshell_c2 = dynamic(["36.138.84.183:8089", "49.234.28.41:8086", "64.90.16.91:8083"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (malicious_ips)
| extend ExactMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (vshell_c2)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) data connector from firewall and proxy logs; ensure this data connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint telemetry); ensure this data connector is enabled |
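The queries above require the defanged ip:port values to be refanged and split by hand. The following Python script is an added example, not part of the ThreatFox page or any Sentinel content: it refangs the three IOCs from the table, validates them, renders them as a KQL datatable that either query can consume, and applies the same IP-or-exact-pair matching logic to a handful of constructed events shaped like flattened CommonSecurityLog rows. The event records and the field names `src`, `dst` and `dport` are assumptions made for illustration.

```python
"""Refang ThreatFox ip:port IOCs, emit a KQL datatable, and match sample events.

Added example, not part of the ThreatFox page or Sentinel content.
The IOC strings are copied from the table above; the log records and
the src/dst/dport field names are constructed for illustration.
"""
import ipaddress
import re
from typing import NamedTuple

# Defanged ip:port values exactly as ThreatFox publishes them (from the table above).
THREATFOX_IOCS = [
    "36[.]138[.]84[.]183:8089",
    "49[.]234[.]28[.]41:8086",
    "64[.]90[.]16[.]91:8083",
]


class C2Endpoint(NamedTuple):
    ip: str
    port: int


def refang(ioc: str) -> C2Endpoint:
    """Turn '1[.]2[.]3[.]4:8080' into a validated (ip, port) pair.

    Bracketed dots and whitespace are removed and the address is parsed with
    ipaddress so a typo in the feed raises instead of silently becoming a
    string that never matches anything in the query.
    """
    cleaned = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", cleaned)
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip = str(ipaddress.IPv4Address(m.group(1)))  # raises on 999.1.1.1 and similar
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {ioc!r}")
    return C2Endpoint(ip, port)


def to_kql_datatable(endpoints, name="vshell_c2"):
    """Render the endpoints as a KQL `let` datatable for use in a Sentinel query."""
    rows = ",\n".join(f'    "{e.ip}", {e.port}' for e in endpoints)
    return f"let {name} = datatable(C2IP:string, C2Port:int)\n[\n{rows}\n];"


def match_events(events, endpoints):
    """Apply the hunt logic to in-memory events: hit on IP in either direction,
    and flag whether the outbound destination ip:port equals the IOC exactly.

    Returns a list of (event, exact_match) tuples in input order.
    """
    by_ip = {e.ip: e.port for e in endpoints}
    hits = []
    for ev in events:
        if ev["dst"] in by_ip:
            c2_ip = ev["dst"]
        elif ev["src"] in by_ip:
            c2_ip = ev["src"]
        else:
            continue
        exact = ev["dst"] == c2_ip and ev["dport"] == by_ip[c2_ip]
        hits.append((ev, exact))
    return hits


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "64.90.16.91", "dport": 8083},   # exact ip:port hit
    {"src": "10.0.0.6", "dst": "64.90.16.91", "dport": 443},    # IP hit, port differs
    {"src": "36.138.84.183", "dst": "10.0.0.7", "dport": 22},   # inbound from a C2 IP
    {"src": "10.0.0.8", "dst": "8.8.8.8", "dport": 53},         # benign
]

if __name__ == "__main__":
    c2 = [refang(i) for i in THREATFOX_IOCS]
    print(to_kql_datatable(c2))
    for ev, exact in match_events(SAMPLE_EVENTS, c2):
        print(f"HIT {ev['src']} -> {ev['dst']}:{ev['dport']}  exact_match={exact}")
```

Running it prints the datatable and three hits: the exact pair, an IP-only hit on port 443, and an inbound connection from a C2 address. Treat all three as investigable; the exact-pair flag only orders triage, it does not clear the other two.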
False Positive Scenarios
The rule keys on the destination or source IP (and port) of a connection, not on a process name, so an exclusion that begins with process.name != "vshell" and joins its conditions with OR suppresses nearly every match the hunt produces. The scenarios below describe legitimate use of a tool called VShell (the malware family shares its name with VanDyke's VShell SSH server product) and only apply on hosts that actually run such a tool. Every exclusion must require all of its conditions with AND, pin the destination to a documented internal host, and never whitelist traffic to a ThreatFox botnet_cc address, which is listed at 100% confidence. A connection to one of the three IOCs is investigated regardless of which user or process initiated it.
Scenario: Scheduled System Backup Using VShell
Description: A legitimate scheduled backup job uses VShell to transfer data between servers.
Filter/Exclusion: process.name == "vshell" AND process.parent.name == "task scheduler" AND file.path contains "backup" AND destination_ip in approved_backup_servers
Scenario: Admin Task to Transfer Configuration Files
Description: An administrator uses VShell to manually transfer configuration files between servers during routine maintenance.
Filter/Exclusion: process.name == "vshell" AND user.name in authorized_admins AND file.path contains "config" AND destination_ip in managed_servers
Scenario: Log File Transfer Between Servers
Description: A log aggregation system uses VShell to transfer log files from multiple servers to a central logging server.
Filter/Exclusion: process.name == "vshell" AND file.path contains "logs" AND destination_ip in known_log_servers
Scenario: Remote Management via VShell
Description: A system administrator uses VShell to remotely manage a server, which is a legitimate use case.
Filter/Exclusion: process.name == "vshell" AND user.name in authorized_admins AND process.parent.name == "ssh" AND destination_ip in managed_servers
Scenario: Automated Patch Deployment Using VShell
Description: A patch management tool uses VShell to push updates to multiple endpoints.
Filter/Exclusion: process.name == "vshell" AND user.name == "patchmgr" AND file.path contains "patch" AND destination_ip in patch_targets
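To make the difference between an OR-joined and an AND-joined exclusion concrete, the following Python snippet is an added example, not from the ThreatFox page: it evaluates the first scenario's filter in both forms against three constructed hits that the hunt would have returned. The event records, the `process`/`parent`/`user`/`path`/`dst` field names and the `approved_backup_targets` allow-list are assumptions made for illustration.

```python
"""Show why an OR-joined exclusion suppresses the C2 detection entirely.

Added example, not from the page. Events, field names and the
approved_backup_targets allow-list are constructed for illustration.
"""

# Constructed hits, each already matched to a ThreatFox VShell C2 IP by the hunt.
HITS = [
    {"process": "vshell", "parent": "task scheduler", "user": "backupsvc",
     "path": "/srv/backup/db.tar", "dst": "64.90.16.91"},
    {"process": "svchost.exe", "parent": "services.exe", "user": "SYSTEM",
     "path": "", "dst": "49.234.28.41"},
    {"process": "curl", "parent": "bash", "user": "admin",
     "path": "/etc/nginx/nginx.conf", "dst": "36.138.84.183"},
]

# Allow-list of internal backup destinations; a ThreatFox C2 IP is never on it.
APPROVED_BACKUP_TARGETS = {"10.0.0.50", "10.0.0.51"}


def excluded_or_form(ev):
    """Scenario 1 exclusion written with OR:
    process.name != "vshell" OR parent == "task scheduler" OR path contains "backup".
    Any non-vshell process satisfies the first clause, so nearly every hit is dropped.
    """
    return (ev["process"] != "vshell"
            or ev["parent"] == "task scheduler"
            or "backup" in ev["path"])


def excluded_and_form(ev, approved_targets=APPROVED_BACKUP_TARGETS):
    """Same scenario with AND and a destination allow-list. Because the
    destination must be an approved backup host, a connection to a C2 IP
    can never be excluded, whatever the process or path looks like.
    """
    return (ev["process"] == "vshell"
            and ev["parent"] == "task scheduler"
            and "backup" in ev["path"]
            and ev["dst"] in approved_targets)


def surviving_hits(hits, exclusion):
    """Return the hits that remain after applying an exclusion predicate."""
    return [h for h in hits if not exclusion(h)]


if __name__ == "__main__":
    print("OR form keeps :", len(surviving_hits(HITS, excluded_or_form)), "of", len(HITS))
    print("AND form keeps:", len(surviving_hits(HITS, excluded_and_form)), "of", len(HITS))
```

The OR form discards all three hits, including the svchost.exe and curl connections that have nothing to do with a backup job; the AND form keeps all three, since none of them targets an approved backup host.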