The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary
Malware Family: VShell
Total IOCs: 17
IOC Types: ip:port (all classified botnet_cc, first seen 2026-05-19, confidence 100%)
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell (IOCs refanged; this query matches on IP only, the IOC ports are not checked)
let malicious_ips = dynamic([
    "49.232.124.230", "45.221.115.160", "139.196.181.1", "118.195.147.253",
    "104.168.94.108", "101.33.251.229", "47.93.9.48", "8.138.187.231",
    "8.219.228.206", "146.190.107.127", "124.223.198.8", "39.106.211.60",
    "121.41.222.75", "151.243.137.78", "47.236.130.154", "23.94.23.151"
]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell (IOCs refanged; matches on RemoteIP only)
let malicious_ips = dynamic([
    "49.232.124.230", "45.221.115.160", "139.196.181.1", "118.195.147.253",
    "104.168.94.108", "101.33.251.229", "47.93.9.48", "8.138.187.231",
    "8.219.228.206", "146.190.107.127", "124.223.198.8", "39.106.211.60",
    "121.41.222.75", "151.243.137.78", "47.236.130.154", "23.94.23.151"
]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: System backup process using rsync or tar that transfers files to a remote server
Filter/Exclusion: Exclude traffic where the destination IP is a known backup server or within the internal network, and filter by command-line arguments containing --backup or --exclude.
Scenario: Scheduled job using cron or systemd to run a database maintenance script (e.g., pg_dump for PostgreSQL)
Filter/Exclusion: Exclude processes initiated by cron or systemd and filter by command-line arguments containing --maintenance or --backup.
Scenario: Admin task using scp or sftp to transfer configuration files between servers
Filter/Exclusion: Exclude transfers between internal servers with known IP ranges, and filter by file paths containing .conf, .yml, or .json that are part of standard configuration management.
Scenario: Log aggregation tool like Fluentd or Logstash shipping logs to a centralized logging server
Filter/Exclusion: Exclude traffic from known log aggregation tools and filter by source IPs that are part of the internal logging infrastructure.
Scenario: Software update process using yum, apt, or dnf that downloads packages from internal repositories
Filter/Exclusion: Exclude package downloads from internal repositories and filter by package names or repository URLs that are known to be part of the enterprise software update process.
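The hunting queries above match on the IP address alone even though the IOC type is ip:port (139.196.181.1, for instance, is listed with two different ports), and every false-positive scenario above involves traffic to internal servers. The query below is an added example, not part of the original rule, that keys the match on the full ip:port pair from the IOC list on this page and applies the "destination within the internal network" exclusion generically via ipv4_is_private(); it assumes the standard DeviceNetworkEvents schema (RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine).

```kql
// Added example (not from the original rule): VShell C2 hunt keyed on ip:port.
// Values are the 17 ThreatFox ip:port IOCs listed on this page, refanged.
let vshell_c2 = dynamic([
    "124.223.198.8:50002", "118.195.147.253:8084", "101.33.251.229:9999",
    "139.196.181.1:20026", "139.196.181.1:20001", "23.94.23.151:8084",
    "49.232.124.230:8000", "104.168.94.108:8082", "151.243.137.78:80",
    "45.221.115.160:1433", "121.41.222.75:8084", "39.106.211.60:8084",
    "146.190.107.127:8088", "47.93.9.48:60001", "47.236.130.154:8080",
    "8.138.187.231:8443", "8.219.228.206:33060"
]);
DeviceNetworkEvents
// Drop RFC 1918 destinations: backup, scp, log-shipping and package-repo
// traffic to internal servers can never match. ipv4_is_private() returns
// null for non-IPv4 strings, so IPv6 rows are filtered out as well, which is
// intended because every IOC here is IPv4.
| where isnotempty(RemoteIP) and not(ipv4_is_private(RemoteIP))
// Build the ip:port key so the port from the IOC list is part of the match.
| extend RemoteEndpoint = strcat(RemoteIP, ":", tostring(RemotePort))
| where RemoteEndpoint in (vshell_c2)
// One row per host/endpoint pair for triage: when it started, how often,
// and which processes made the connections.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
            by DeviceName, RemoteEndpoint
| order by LastSeen desc
```

Any hit from an unexpected process (a shell, a cron child, or an interpreter rather than a known agent) on a host should be treated as a likely VShell beacon and escalated for host-level investigation.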