The ThreatFox: ValleyRAT IOCs rule detects potential command-and-control communication associated with the ValleyRAT malware, indicating that an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: ValleyRAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | zzlkkghnmh.cn | botnet_cc | 2026-05-21 | 100% |
| domain | 1112[.]688608.xyz | botnet_cc | 2026-05-21 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
// Note: the feed publishes 1112[.]688608.xyz defanged; it is refanged here so it matches real query names
let malicious_domains = dynamic(["zzlkkghnmh.cn", "1112.688608.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
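The same hunt carried out offline over exported DNS telemetry, as an added example that is not part of the ThreatFox feed or the Sentinel rule above. It refangs the IOCs as listed in the table (the `[.]` form), and matches query names on label boundaries so that a lookalike such as `notzzlkkghnmh.cn` does not produce a hit; the log lines and host names are constructed for the demonstration.

```python
# Domains as published in the IOC table above; the second one is defanged.
THREATFOX_VALLEYRAT_DOMAINS = ["zzlkkghnmh.cn", "1112[.]688608.xyz"]


def refang(indicator):
    """Restore a defanged indicator to its real form and normalize it."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def build_watchlist(indicators):
    return {refang(i) for i in indicators}


def domain_matches(query_name, watchlist):
    """Return the matching IOC when query_name equals it or is one of its subdomains.
    Matching on label boundaries avoids substring false positives
    (e.g. 'notzzlkkghnmh.cn' must not match 'zzlkkghnmh.cn')."""
    name = query_name.strip().lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed sample DNS events (not real telemetry) in a simplified
# "timestamp host query_name" layout; the trailing dot on one name mimics FQDN output.
SAMPLE_DNS_LOG = """\
2026-05-21T10:00:01Z WS-0417 www.example.com
2026-05-21T10:00:05Z WS-0417 zzlkkghnmh.cn
2026-05-21T10:00:09Z SRV-DB01 api.1112.688608.xyz.
2026-05-21T10:00:12Z WS-0203 notzzlkkghnmh.cn
"""


def hunt(log_text, indicators=THREATFOX_VALLEYRAT_DOMAINS):
    """Return one record per DNS event whose query name resolves to a watchlisted IOC."""
    watchlist = build_watchlist(indicators)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole hunt
        ts, host, qname = parts
        ioc = domain_matches(qname, watchlist)
        if ioc:
            hits.append({"time": ts, "host": host, "query": qname, "ioc": ioc})
    return hits
```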
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled job using schtasks.exe to run a system maintenance script
  Filter/Exclusion: Exclude processes initiated by schtasks.exe with known benign command-line arguments (e.g., schtasks /run /tn "System Maintenance")
- Scenario: Admin using PowerShell.exe to perform a system update or patch deployment
  Filter/Exclusion: Exclude PowerShell scripts executed from trusted locations (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\) with known update-related commands
- Scenario: IT staff using PsExec.exe to remotely execute a legitimate administrative task
  Filter/Exclusion: Exclude processes launched via PsExec.exe targeting known internal tools (e.g., PsExec -s -i 1 C:\Windows\System32\cmd.exe)
- Scenario: Regular use of regedit.exe to modify registry settings for software configuration
  Filter/Exclusion: Exclude registry edits made by known internal configuration management tools (e.g., regedit.exe with modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for legitimate software)
- Scenario: Use of taskkill.exe to terminate a non-malicious process during system troubleshooting
  Filter/Exclusion: Exclude taskkill.exe commands targeting known system or application processes (e.g., taskkill /F /IM notepad.exe during a legitimate troubleshooting session)