The ThreatFox: ValleyRAT IOCs rule detects potential command and control communication associated with the ValleyRAT malware, which is known for exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 203[.]91[.]74[.]177:6677 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 43[.]199[.]20[.]55:8880 | botnet_cc | 2026-05-18 | 75% |
| domain | ttcxdljiue.cn | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["43.199.20.55", "203.91.74.177"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["43.199.20.55", "203.91.74.177"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["ttcxdljiue.cn"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
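The same matching logic as the Sentinel queries above, as an added Python example (not part of the original page or of ThreatFox) for checking the defanged IOC list against exported log lines offline: it refangs the `[.]` notation, keeps the port from each ip:port IOC so that a connection to the IP on a different port is reported as a lower-confidence hit, and matches domains by suffix so that subdomains are caught but unrelated longer hostnames are not. The log field layouts (`dst=`/`dpt=`, `query=`) and the sample lines are constructed for this example.

```python
import re
# IOCs exactly as listed in the ThreatFox ValleyRAT table above (defanged form).
RAW_IOCS = [
    ("ip:port", "203[.]91[.]74[.]177:6677"),
    ("ip:port", "43[.]199[.]20[.]55:8880"),
    ("domain", "ttcxdljiue.cn"),
]

def refang(value):
    # Turn the defanged "[.]" notation back into a usable indicator
    return value.replace("[.]", ".")

def build_matchers(iocs):
    # Split ip:port IOCs into {ip: port}; collect lower-cased domains
    ip_ports, domains = {}, set()
    for kind, value in iocs:
        value = refang(value)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports[ip] = int(port)
        elif kind == "domain":
            domains.add(value.lower())
    return ip_ports, domains

# Field layouts are constructed for this example: CEF-style dst=/dpt= and a query= field
IP_PORT_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)\s+dpt=(\d+)")
DNS_RE = re.compile(r"query=([A-Za-z0-9.-]+)")

def scan(lines, ip_ports, domains):
    # Each hit is (line_no, indicator, exact); exact is False when the IP matched on a port other than the IOC's
    hits = []
    for n, line in enumerate(lines, 1):
        m = IP_PORT_RE.search(line)
        if m and m.group(1) in ip_ports:
            hits.append((n, m.group(1), int(m.group(2)) == ip_ports[m.group(1)]))
        m = DNS_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            # Suffix match: the domain itself or a subdomain, never an unrelated longer host
            if any(name == d or name.endswith("." + d) for d in domains):
                hits.append((n, name, True))
    return hits

# Constructed sample log lines, not real telemetry
SAMPLE_LOGS = [
    "CEF:0|fw|ngfw|1|100|allow|3|src=10.0.0.5 dst=43.199.20.55 dpt=8880",
    "CEF:0|fw|ngfw|1|100|allow|3|src=10.0.0.7 dst=203.91.74.177 dpt=443",
    "CEF:0|fw|ngfw|1|100|allow|3|src=10.0.0.9 dst=8.8.8.8 dpt=53",
    "dns client=10.0.0.5 query=mail.ttcxdljiue.cn type=A",
    "dns client=10.0.0.9 query=ttcxdljiue.cn.example.com type=A",
]
```

Running `scan(SAMPLE_LOGS, *build_matchers(RAW_IOCS))` returns three hits: the 8880 connection as an exact match, the 443 connection to the second IP as a port mismatch, and the subdomain lookup; the lookup of `ttcxdljiue.cn.example.com` is not reported.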
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using schtasks.exe
Description: A legitimate scheduled task uses schtasks.exe to run a maintenance script.
Filter/Exclusion: Exclude processes where the command line includes schtasks.exe and the script path is a known enterprise maintenance script (e.g., C:\Windows\System32\sched\tasks\maintenance.ps1).
Scenario: System Update via Windows Update
Description: A Windows Update process downloads and executes a package that matches the IOC signature.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the command line includes wuauclt.exe or WindowsUpdate.exe.
Scenario: Admin Task Using taskkill.exe
Description: An administrator uses taskkill.exe to terminate a legitimate process, which may trigger the IOC due to the executable name.
Filter/Exclusion: Exclude processes where the command line includes taskkill.exe and the target process is a known system or admin tool (e.g., explorer.exe, services.exe).
Scenario: Log Collection Tool Using logman.exe
Description: A log collection tool like logman.exe is used to gather system logs, which may match the IOC due to the executable name.
Filter/Exclusion: Exclude processes where the command line includes logman.exe and the log name is a known enterprise log (e.g., SystemLog, ApplicationLog).
Scenario: Antivirus Scan Using msseces.exe
Description: Microsoft Security Essentials or similar antivirus software uses msseces.exe for scanning, which may be flagged as a ValleyRAT IOC.
Filter/Exclusion: Exclude processes where the parent process is