The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain stealthy, long-term access to networked systems.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dnmjbsbqsb.com | botnet_cc | 2026-05-12 | 75% |
| ip:port | 27[.]124[.]44[.]80:443 | botnet_cc | 2026-05-12 | 100% |
| ip:port | 45[.]197[.]237[.]53:9000 | botnet_cc | 2026-05-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["27.124.44.80", "45.197.237.53"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["27.124.44.80", "45.197.237.53"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["dnmjbsbqsb.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
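The three hunts above share one pattern: refang the feed's IOCs, put them in a `let` watchlist, and filter network or DNS events against it. The following Python script is an added example (not part of this page or of ThreatFox's tooling) that does the same thing offline: it refangs the IOC rows from the table, renders the `let` lines in the shape the queries use, and runs the equivalent match over constructed sample events. The sample events, their field names and the `domain_matches` suffix rule are assumptions for illustration; note that the suffix rule is stricter than KQL's `has_any`, and that ports are deliberately dropped because the hunts match on address alone.

```python
"""Build a watchlist from defanged ThreatFox-style IOC rows, emit the KQL
`let` lines used by the hunts, and apply the same conditions to sample events."""
import ipaddress
from typing import Iterable

# Constructed input: the three rows of the IOC table above, in defanged form.
IOC_ROWS = [
    {"type": "domain",  "value": "dnmjbsbqsb.com",           "threat_type": "botnet_cc"},
    {"type": "ip:port", "value": "27[.]124[.]44[.]80:443",   "threat_type": "botnet_cc"},
    {"type": "ip:port", "value": "45[.]197[.]237[.]53:9000", "threat_type": "botnet_cc"},
]


def refang(value: str) -> str:
    """Undo the defanging commonly used in IOC feeds ([.] and hxxp)."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def build_watchlist(rows):
    """Split IOC rows into (ips, domains). Ports are dropped on purpose: the
    hunts above match on address only, since C2 can move ports without moving host."""
    ips: set[str] = set()
    domains: set[str] = set()
    for row in rows:
        value = refang(row["value"])
        if row["type"] == "ip:port":
            host, _, _port = value.rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed address
            ips.add(host)
        elif row["type"] == "domain":
            domains.add(value.lower().rstrip("."))
    return ips, domains


def render_kql_let(name: str, values: Iterable[str]) -> str:
    """Render a `let` line in the same shape as the queries above."""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


def domain_matches(name: str, domains: set[str]) -> bool:
    """True when the queried name is a watchlisted domain or a subdomain of one.
    (Assumed rule; stricter than KQL has_any, which is a term match.)"""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_events(events, ips, domains):
    """Apply the hunt conditions to in-memory event dicts and return the hits."""
    hits = []
    for ev in events:
        ip_fields = (ev.get("DestinationIP"), ev.get("SourceIP"), ev.get("RemoteIP"))
        if any(ip in ips for ip in ip_fields if ip):
            hits.append(ev)
        elif "Name" in ev and domain_matches(ev["Name"], domains):
            hits.append(ev)
    return hits


# Constructed sample rows shaped like CommonSecurityLog, DeviceNetworkEvents and DnsEvents.
SAMPLE_EVENTS = [
    {"TimeGenerated": "t1", "SourceIP": "10.0.0.5", "DestinationIP": "27.124.44.80", "DestinationPort": 443},
    {"TimeGenerated": "t2", "SourceIP": "10.0.0.6", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"Timestamp": "t3", "DeviceName": "ws01", "RemoteIP": "45.197.237.53", "RemotePort": 8443},  # port differs, still a hit
    {"TimeGenerated": "t4", "Computer": "ws02", "Name": "cdn.dnmjbsbqsb.com"},                 # subdomain, hit
    {"TimeGenerated": "t5", "Computer": "ws03", "Name": "dnmjbsbqsb.com.example.net"},         # not a subdomain, no hit
]


if __name__ == "__main__":
    ips, domains = build_watchlist(IOC_ROWS)
    print(render_kql_let("malicious_ips", ips))
    print(render_kql_let("malicious_domains", domains))
    for hit in match_events(SAMPLE_EVENTS, ips, domains):
        print("HIT", hit)
```

Running the script prints the two `let` lines ready to paste into the hunts and three hits: the CommonSecurityLog row to 27.124.44.80, the DeviceNetworkEvents row to 45.197.237.53 on a port the feed did not list, and the DNS query for a subdomain of dnmjbsbqsb.com.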
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup or log rotation) may trigger the rule if the task name or command line matches IOC patterns.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with command lines containing clean, logrotate, or maintenance.
Scenario: Admin Tool for Log Analysis
Description: The enterprise security team may use logparser.exe (Microsoft tool) to analyze event logs, which could match IOC patterns if the command line includes suspicious-looking strings.
Filter/Exclusion: Exclude processes with logparser.exe and command lines containing eventlog or analyze.
Scenario: Database Backup Job
Description: A legitimate database backup job using sqlcmd.exe or mysqldump might trigger the rule if the command line includes strings resembling malicious activity.
Filter/Exclusion: Exclude processes with sqlcmd.exe or mysqldump and command lines containing backup, restore, or db.
Scenario: Network Monitoring Tool
Description: A network monitoring tool like tcpdump or Wireshark may generate traffic that matches IOC patterns if the command line includes suspicious parameters.
Filter/Exclusion: Exclude processes with tcpdump or Wireshark and command lines containing monitor, capture, or sniff.
Scenario: Scripted System Update
Description: A PowerShell script (powershell.exe) running a system update or patching task may trigger the rule if the script name or command line includes strings matching the IOC.
Filter/Exclusion: Exclude processes with powershell.exe and command lines containing update, patch, or `