The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary
Malware Family: VShell
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]100[.]82[.]149:8084 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 18[.]139[.]222[.]223:81 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 18[.]139[.]222[.]223:82 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 180[.]76[.]242[.]55:8084 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 158[.]94[.]208[.]64:8089 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 38[.]45[.]125[.]102:8084 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 123[.]57[.]135[.]130:8888 | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this matches on IP address only. The IOCs above are ip:port pairs,
// so compare DestinationPort against the listed ports when triaging hits.
let malicious_ips = dynamic(["180.76.242.55", "39.100.82.149", "18.139.222.223", "158.94.208.64", "38.45.125.102", "123.57.135.130"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: as above, the match is on RemoteIP only; RemotePort is projected so
// hits can be checked against the ip:port pairs in the IOC table.
let malicious_ips = dynamic(["180.76.242.55", "39.100.82.149", "18.139.222.223", "158.94.208.64", "38.45.125.102", "123.57.135.130"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System backup process using VShell for file transfer
Filter/Exclusion: Exclude processes initiated by the system backup service (e.g., backupsvc.exe or vsservice.exe) or check for the presence of backup-related command-line arguments (e.g., --backup or --restore).
Scenario: Scheduled job using VShell to sync files between servers
Filter/Exclusion: Exclude processes whose command line references scheduled-task tooling (e.g., schtasks.exe or at.exe) or filter by known sync tools such as rsync or robocopy.
Scenario: Admin task to transfer configuration files using VShell
Filter/Exclusion: Exclude processes initiated by privileged accounts (e.g., Administrator or root) with known administrative tools (e.g., psexec, winrm, or scp).
Scenario: Log collection using VShell to centralize logs
Filter/Exclusion: Exclude processes associated with log management tools (e.g., Splunk, ELK, or Graylog) or filter by log-related command-line arguments (e.g., --log, --collect, or --export).
Scenario: Internal development team using VShell for code deployment
Filter/Exclusion: Exclude processes run under development-team accounts (e.g., devops, build, or ci) or filter by known CI/CD tools (e.g., Jenkins, GitLab CI, or GitHub Actions).
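As an added example, not part of the original rule, the following Python refangs the ip:port IOCs from the table above and matches them against DeviceNetworkEvents-style rows on the full ip:port pair, which is tighter than the IP-only match in the KQL queries; `BENIGN_PROCESSES` is a hypothetical allowlist drawn from the false-positive scenarios, and the sample events are constructed.

```python
"""Added example: refang ThreatFox VShell ip:port IOCs and hunt on the exact pair."""
import re
from typing import Dict, List, Tuple

# IOC values as they appear in the page's table (defanged with [.])
DEFANGED_IOCS = [
    "39[.]100[.]82[.]149:8084", "18[.]139[.]222[.]223:81",
    "18[.]139[.]222[.]223:82", "180[.]76[.]242[.]55:8084",
    "158[.]94[.]208[.]64:8089", "38[.]45[.]125[.]102:8084",
    "123[.]57[.]135[.]130:8888",
]

# Hypothetical allowlist built from the rule's false-positive scenarios
BENIGN_PROCESSES = {"backupsvc.exe", "vsservice.exe", "robocopy.exe"}


def refang(ioc: str) -> Tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); reject anything else."""
    m = re.fullmatch(r"((?:\d{1,3}\[\.\]){3}\d{1,3}):(\d{1,5})", ioc)
    if not m:
        raise ValueError(f"unexpected IOC format: {ioc}")
    return m.group(1).replace("[.]", "."), int(m.group(2))


def hunt(events: List[Dict], match_port: bool = True) -> List[Dict]:
    """Return events that hit an IOC and are not from an allowlisted process.
    match_port=True requires the exact ip:port pair; match_port=False mirrors
    the page's KQL, which matches on IP alone."""
    pairs = {refang(i) for i in DEFANGED_IOCS}
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        key = (e["RemoteIP"], e["RemotePort"])
        matched = key in pairs if match_port else e["RemoteIP"] in ips
        if matched and e["InitiatingProcessFileName"].lower() not in BENIGN_PROCESSES:
            hits.append(e)
    return hits


# Constructed sample rows shaped like DeviceNetworkEvents columns
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "18.139.222.223", "RemotePort": 82,
     "InitiatingProcessFileName": "svchost.exe"},          # exact ip:port hit
    {"DeviceName": "ws02", "RemoteIP": "18.139.222.223", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},           # IP only, port differs
    {"DeviceName": "bk01", "RemoteIP": "39.100.82.149", "RemotePort": 8084,
     "InitiatingProcessFileName": "backupsvc.exe"},        # allowlisted process
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"])
```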