ValleyRAT is likely exfiltrating data and establishing encrypted C2 communication through suspicious network traffic and malicious file execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: ValleyRAT Total IOCs: 5 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 27[.]124[.]5[.]95:886 | botnet_cc | 2026-05-07 | 75% |
| ip:port | 43[.]199[.]58[.]243:8880 | botnet_cc | 2026-05-07 | 75% |
| domain | cccflknorgnsd.cn | botnet_cc | 2026-05-07 | 100% |
| ip:port | 18[.]163[.]249[.]4:8880 | botnet_cc | 2026-05-07 | 75% |
| domain | gimtjks.cn | botnet_cc | 2026-05-07 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["43.199.58.243", "18.163.249.4", "27.124.5.95"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["43.199.58.243", "18.163.249.4", "27.124.5.95"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["cccflknorgnsd.cn", "gimtjks.cn"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system monitoring
Description: A system administrator uses PowerShell scripts (e.g., Get-EventLog, Get-WinEvent) to monitor system logs, which may include commands similar to those used by ValleyRAT.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known administrative tools (e.g., schtasks.exe, PowerShell.exe with Get-EventLog or Get-WinEvent commands).
Scenario: Admin using Wireshark to analyze network traffic
Description: A network analyst uses Wireshark to capture and analyze network traffic, which may include encrypted traffic patterns similar to ValleyRAT’s C2 communications.
Filter/Exclusion: Exclude traffic captured by Wireshark (wireshark.exe) or processes running under the root or admin user with known network analysis tools.
Scenario: Malicious attachment from a trusted vendor
Description: A user receives a legitimate attachment (e.g., .zip or .pdf) from a trusted vendor, which is later found to contain a benign file but was flagged due to its file type or content.
Filter/Exclusion: Exclude files from known vendors or domains, or files with specific file extensions that are commonly used in legitimate business communications.
Scenario: Automated patching tool using PowerShell
Description: A patching tool (e.g., Microsoft Update, SCCM) runs PowerShell scripts to apply updates, which may include commands that resemble ValleyRAT’s behavior.
Filter/Exclusion: Exclude processes initiated by known patching tools (e.g., msiexec.exe, setup.exe, ccmexec.exe) or scripts associated with enterprise patch management systems.
Scenario: User-generated script for data exfiltration testing
Description: