The ThreatFox: ValleyRAT IOCs rule detects potential adversary activity associated with the ValleyRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss or system disruption occurs.
IOC Summary

Malware Family: ValleyRAT
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dnmjbsbqsb.com | botnet_cc | 2026-05-12 | 75% |
| ip:port | 27[.]124[.]44[.]80:443 | botnet_cc | 2026-05-12 | 100% |
| ip:port | 45[.]197[.]237[.]53:9000 | botnet_cc | 2026-05-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - ValleyRAT
// Matches on IP alone; the ThreatFox ip:port entries above list ports 443 and 9000
let malicious_ips = dynamic(["27.124.44.80", "45.197.237.53"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - ValleyRAT
let malicious_ips = dynamic(["27.124.44.80", "45.197.237.53"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ValleyRAT
let malicious_domains = dynamic(["dnmjbsbqsb.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
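As an added example (not part of the ThreatFox feed or the page's own queries), the Python below refangs the defanged values from the IOC summary table and applies the same matching logic as the three hunting queries to constructed sample events, with one refinement the KQL does not make: because ThreatFox publishes ip:port pairs, a connection on the listed port is reported separately from a connection to the IP on any other port. The sample events and their field names are constructed to resemble the CommonSecurityLog and DnsEvents tables; the DNS matcher is a strict suffix match, whereas KQL `has_any` is term-based.

```python
IOC_ROWS = [  # (type, value) rows copied from the IOC summary table, still defanged
    ("domain", "dnmjbsbqsb.com"),
    ("ip:port", "27[.]124[.]44[.]80:443"),
    ("ip:port", "45[.]197[.]237[.]53:9000"),
]

def refang(value: str) -> str:
    """Undo common defanging so the value can be compared with telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_ioc_sets(rows):
    """Return ({ip: {ports}}, {domains}) from (type, value) rows."""
    ips, domains = {}, set()
    for ioc_type, raw in rows:
        value = refang(raw).lower()
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ips.setdefault(ip, set()).add(int(port))
        elif ioc_type == "domain":
            domains.add(value)
    return ips, domains

def match_network_event(event, ips):
    """Return 'ip+port' (IP and listed port), 'ip' (IP only, like the KQL) or None."""
    for field in ("SourceIP", "DestinationIP", "RemoteIP"):
        ip = event.get(field)
        if ip in ips:
            port = event.get("DestinationPort", event.get("RemotePort"))
            return "ip+port" if port in ips[ip] else "ip"
    return None

def match_dns_event(event, domains):
    """Strict suffix match: the queried name or any parent domain is an IOC."""
    labels = event.get("Name", "").lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

# Constructed sample events (not real telemetry), shaped like the Sentinel tables.
SAMPLE_NET = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "27.124.44.80", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "DestinationIP": "45.197.237.53", "DestinationPort": 8080},
    {"SourceIP": "10.0.0.7", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
SAMPLE_DNS = [{"Name": "cdn.dnmjbsbqsb.com"}, {"Name": "dnmjbsbqsb.com.example.org"}]

def hunt(net_events=SAMPLE_NET, dns_events=SAMPLE_DNS):
    """Apply both matchers; returns ([(dest_ip, kind)], [queried_name])."""
    ips, domains = build_ioc_sets(IOC_ROWS)
    net_hits = [(e["DestinationIP"], kind) for e in net_events
                if (kind := match_network_event(e, ips))]
    dns_hits = [e["Name"] for e in dns_events if match_dns_event(e, domains)]
    return net_hits, dns_hits
```

An "ip" hit on an unlisted port is still worth triage (the IP is the stronger indicator), but an "ip+port" hit matches the published C2 endpoint exactly and should be prioritised.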
False Positive Scenarios

Scenario: Legitimate Scheduled Job Using schtasks.exe
Description: A legitimate scheduled task uses schtasks.exe to run a maintenance script that matches one of the IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command-line argument or script path.

Scenario: System Update Using wuauclt.exe
Description: A Windows Update process (wuauclt.exe) is detected as matching an IOC due to similar command-line arguments.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the command line includes wuauclt.exe with update-related flags.

Scenario: Admin Task Using taskmgr.exe
Description: An administrator uses taskmgr.exe to manually terminate or configure a process that coincidentally matches an IOC.
Filter/Exclusion: Exclude processes where the user is a domain admin and the process is initiated via a known administrative tool or script.

Scenario: Log File Parsing Using logparser.exe
Description: A log parsing tool (logparser.exe) is flagged due to its binary name matching an IOC.
Filter/Exclusion: Exclude processes where the command line includes `-i SQL` or `-i IIS`, indicating a log parsing context.

Scenario: Antivirus Quarantine Scan Using msseces.exe
Description: A Microsoft Security Essentials quarantine scan (msseces.exe) is flagged due to a name similarity with an IOC.
Filter/Exclusion: Exclude processes where the parent process is msseces.exe and the command line includes `-quarantine` or `-scan`.