The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for establishing covert command and control channels. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging VShell for data exfiltration and lateral movement.
IOC Summary
Malware Family: VShell
Total IOCs: 17
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 60[.]204[.]249[.]248:8084 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 8[.]148[.]26[.]10:8083 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 64[.]95[.]12[.]40:80 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 45[.]150[.]64[.]192:31433 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 170[.]106[.]188[.]119:8084 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 121[.]43[.]169[.]103:8001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 1[.]94[.]22[.]250:8084 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 104[.]168[.]145[.]21:2099 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 110[.]41[.]71[.]46:9876 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 45[.]152[.]65[.]240:8084 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 159[.]75[.]177[.]25:31668 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 116[.]148[.]214[.]212:8443 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 123[.]60[.]219[.]97:8899 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 121[.]43[.]169[.]103:8084 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 120[.]53[.]15[.]64:8888 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 47[.]105[.]81[.]1:20001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 39[.]100[.]66[.]178:33333 | botnet_cc | 2026-05-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this matches on IP only; the port from the ip:port indicator is not checked.
let malicious_ips = dynamic(["45.150.64.192", "39.100.66.178", "121.43.169.103", "123.60.219.97", "170.106.188.119", "104.168.145.21", "60.204.249.248", "110.41.71.46", "45.152.65.240", "120.53.15.64", "64.95.12.40", "8.148.26.10", "1.94.22.250", "116.148.214.212", "47.105.81.1", "159.75.177.25"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: this matches on IP only; RemotePort is projected but not filtered.
let malicious_ips = dynamic(["45.150.64.192", "39.100.66.178", "121.43.169.103", "123.60.219.97", "170.106.188.119", "104.168.145.21", "60.204.249.248", "110.41.71.46", "45.152.65.240", "120.53.15.64", "64.95.12.40", "8.148.26.10", "1.94.22.250", "116.148.214.212", "47.105.81.1", "159.75.177.25"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the Common Event Format (CEF) connector) |
| DeviceNetworkEvents | Ensure this data connector is enabled (populated by the Microsoft Defender XDR connector) |
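The two queries above match on IP address alone, so any traffic to those hosts fires, and the 17 ip:port indicators collapse to 16 addresses (121.43.169.103 is listed on both 8001 and 8084). The following query, added here as an example rather than part of the ThreatFox rule, keys on the full ip:port pair from the table and covers both Sentinel tables in one pass; the column names used are the ones the original queries already project.

```kql
// Added example: match the full ip:port indicator rather than the IP alone.
// Every pair below is taken from the IOC table on this page.
let vshell_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "60.204.249.248", 8084,
    "8.148.26.10", 8083,
    "64.95.12.40", 80,
    "45.150.64.192", 31433,
    "170.106.188.119", 8084,
    "121.43.169.103", 8001,
    "1.94.22.250", 8084,
    "104.168.145.21", 2099,
    "110.41.71.46", 9876,
    "45.152.65.240", 8084,
    "159.75.177.25", 31668,
    "116.148.214.212", 8443,
    "123.60.219.97", 8899,
    "121.43.169.103", 8084,
    "120.53.15.64", 8888,
    "47.105.81.1", 20001,
    "39.100.66.178", 33333
];
union
  // Endpoint telemetry: join on both RemoteIP and RemotePort.
  (DeviceNetworkEvents
   | join kind=inner vshell_c2 on RemoteIP, RemotePort
   | project EventTime=Timestamp, Source="DeviceNetworkEvents", Host=DeviceName,
             RemoteIP, RemotePort, Detail=strcat(InitiatingProcessFileName, " / ", ActionType)),
  // Firewall/proxy CEF logs: rename the indicator columns to the CEF field names first.
  (CommonSecurityLog
   | join kind=inner (vshell_c2 | project DestinationIP=RemoteIP, DestinationPort=RemotePort)
       on DestinationIP, DestinationPort
   | project EventTime=TimeGenerated, Source="CommonSecurityLog", Host=SourceIP,
             RemoteIP=DestinationIP, RemotePort=DestinationPort, Detail=strcat(DeviceAction, " / ", Activity))
// One row per internal host and C2 endpoint, with first/last contact for triage.
| summarize FirstSeen=min(EventTime), LastSeen=max(EventTime), Hits=count(), Details=make_set(Detail, 10)
    by Source, Host, RemoteIP, RemotePort
| order by LastSeen desc
```

Keep the IP-only queries as a broader sweep; this one is the higher-confidence variant to run first, since a hit on the exact listener port is much less likely to be unrelated traffic to a shared or reassigned address.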
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance routine, such as log rotation or configuration backup.
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with a known maintenance task name (e.g., LogRotationTask).
Scenario: Admin User Performing Remote Management
Description: An admin user is using vshell to remotely manage a server via a legitimate remote administration tool like PsExec or WinRM.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., UserSID= S-1-5-21-...) or associated with known remote management tools.
Scenario: Software Update Deployment
Description: A software update or patching tool (e.g., Chocolatey, WSUS, or SCCM) uses vshell as part of its deployment process.
Filter/Exclusion: Exclude processes associated with known patching tools (e.g., choco, wsusutil, ccmexec).
Scenario: Database Backup Job
Description: A database backup job (e.g., using SQL Server Backup Utility or MySQLDump) may invoke vshell as part of the backup process.
Filter/Exclusion: Exclude processes initiated by database services (e.g., SQLAgent or mysqld) or during scheduled backup windows.
Scenario: Network Monitoring Tool Integration
Description: A network monitoring tool (e.g., SolarWinds, PRTG, or Nagios) may use vshell for data collection or alerting.
Filter/Exclusion: Exclude processes associated with known network monitoring tools (e.g., `SolarWinds