The ThreatFox: Nanocore RAT IOCs rule flags network activity involving infrastructure that ThreatFox has tagged as Nanocore RAT command-and-control (threat type botnet_cc): two IP:port pairs and six domains. Nanocore is a commodity Remote Access Trojan, so a hit on one of these indicators usually means an already-infected host beaconing to its C2 rather than an initial delivery. SOC teams can hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) across firewall, endpoint and DNS telemetry using the queries below. Note that this rule carries no file hashes, so it will not identify the Nanocore payload on disk; it identifies the hosts talking to it.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 8
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bodegaycocina.com.co | botnet_cc | 2026-06-06 | 75% |
| ip:port | 66[.]29[.]148[.]149:443 | botnet_cc | 2026-06-06 | 100% |
| domain | tcc.jp.net | botnet_cc | 2026-06-06 | 75% |
| ip:port | 46[.]33[.]14[.]12:443 | botnet_cc | 2026-06-06 | 100% |
| domain | jj88.today | botnet_cc | 2026-06-06 | 75% |
| domain | vivanuncios.com.co | botnet_cc | 2026-06-06 | 75% |
| domain | taartendoordetijd.nl | botnet_cc | 2026-06-06 | 75% |
| domain | proyectoeleuteria.com.co | botnet_cc | 2026-06-06 | 75% |
```kusto
// Hunt for network connections to known malicious IPs (firewall / proxy logs)
// Source: ThreatFox - Nanocore RAT
// Both IP:port IOCs in the table were observed on port 443; the filter is kept
// port-agnostic so a C2 that has moved ports is still caught, and the port is
// projected so the analyst can see whether it matches the indicator.
let malicious_ips = dynamic(["46.33.14.12", "66.29.148.149"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
// RemoteUrl is also checked so a proxied connection that resolved one of the
// C2 domains is found even when RemoteIP is the proxy rather than the C2 host.
let malicious_ips = dynamic(["46.33.14.12", "66.29.148.149"]);
let malicious_domains = dynamic(["bodegaycocina.com.co", "tcc.jp.net", "jj88.today", "vivanuncios.com.co", "taartendoordetijd.nl", "proyectoeleuteria.com.co"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// has_any is term-based: it matches the domain itself and any subdomain of it,
// but it will also match a lookalike whose labels merely contain the same terms
// (e.g. a name ending in "-tcc.jp.net"), so review hits rather than alerting on them blindly.
let malicious_domains = dynamic(["bodegaycocina.com.co", "tcc.jp.net", "jj88.today", "vivanuncios.com.co", "taartendoordetijd.nl", "proyectoeleuteria.com.co"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint) |
| DnsEvents | Ensure this data connector is enabled (Windows DNS Server via the DNS connector) |
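The queries above only run inside Sentinel, so the following is an added, offline example (not code from the page, ThreatFox or Microsoft) of the same matching logic in Python: it refangs the bracketed IP:port indicators from the table, then runs them over a few constructed DNS and firewall log lines. It also shows the edge case the KQL `has_any` operator does not handle: a subdomain of a C2 domain is a hit, a lookalike such as `evil-tcc.jp.net` is not, and a known C2 IP seen on an unexpected port is still reported but flagged as a partial match. The log formats and hostnames are assumptions made for the example.

```python
"""Offline matcher for the ThreatFox Nanocore RAT IOCs listed above.

Added example, not part of the original page. Log line formats are invented
for illustration; only the indicator values come from the IOC table.
"""
import ipaddress
import re

# IOCs copied from the table above (IPs defanged exactly as listed).
IOCS = [
    ("domain", "bodegaycocina.com.co"),
    ("ip:port", "66[.]29[.]148[.]149:443"),
    ("domain", "tcc.jp.net"),
    ("ip:port", "46[.]33[.]14[.]12:443"),
    ("domain", "jj88.today"),
    ("domain", "vivanuncios.com.co"),
    ("domain", "taartendoordetijd.nl"),
    ("domain", "proyectoeleuteria.com.co"),
]


def refang(value):
    """Turn '66[.]29[.]148[.]149:443' into '66.29.148.149:443'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(iocs):
    """Split the feed into an IP set, an (ip, port) set and a lowercase domain set."""
    ips, ip_ports, domains = set(), set(), set()
    for kind, value in iocs:
        v = refang(value)
        if kind == "ip:port":
            ip, _, port = v.rpartition(":")
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif kind == "domain":
            domains.add(v.lower().rstrip("."))
    return ips, ip_ports, domains


def domain_matches(name, domains):
    """Exact or subdomain match, case-insensitive, never a substring match:
    'login.tcc.jp.net' matches 'tcc.jp.net', 'evil-tcc.jp.net' does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed sample log lines (not real telemetry).
DNS_LOG = [
    "2026-06-06T10:01:02Z host1 query A login.bodegaycocina.com.co",
    "2026-06-06T10:01:05Z host2 query A www.example.com",
    "2026-06-06T10:02:10Z host3 query A TCC.JP.NET.",
    "2026-06-06T10:02:11Z host4 query A evil-tcc.jp.net",
]
FW_LOG = [
    "2026-06-06T10:03:00Z host1 10.0.0.5:51234 -> 66.29.148.149:443 allow",
    "2026-06-06T10:03:01Z host2 10.0.0.6:51235 -> 46.33.14.12:8080 allow",
    "2026-06-06T10:03:02Z host3 10.0.0.7:51236 -> 93.184.216.34:443 allow",
]

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def hunt_dns(lines, domains):
    """Return (host, queried_name) for every query that hits a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and domain_matches(m.group(4), domains):
            hits.append((m.group(2), m.group(4).lower().rstrip(".")))
    return hits


def hunt_fw(lines, ips, ip_ports):
    """Return (host, dst_ip, dst_port, exact_port_match) for every C2 IP hit.
    IP-only matches are still reported, because a C2 may move ports."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        dst_ip, dst_port = m.group(5), int(m.group(6))
        if dst_ip in ips:
            hits.append((m.group(2), dst_ip, dst_port, (dst_ip, dst_port) in ip_ports))
    return hits


if __name__ == "__main__":
    ips, ip_ports, domains = load_iocs(IOCS)
    for hit in hunt_dns(DNS_LOG, domains):
        print("DNS hit:", hit)
    for hit in hunt_fw(FW_LOG, ips, ip_ports):
        print("FW hit:", hit)
```

Running it reports host1 (subdomain of bodegaycocina.com.co) and host3 (tcc.jp.net in upper case with a trailing dot) from the DNS log, and host1 and host2 from the firewall log, with host2 flagged as an IP match on a port the feed did not list. The same suffix-based domain test is what you would want when promoting the DnsEvents hunt to an analytic rule, since `has_any` alone will also fire on lookalike labels.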
The false-positive scenarios below all key on a process name. The rule itself matches network indicators (IP:port and domain), so a process-name exclusion can only be applied to the InitiatingProcessFileName column of the DeviceNetworkEvents query; it has no effect on the CommonSecurityLog and DnsEvents hunts. In every case, an exclusion by file name alone is weak, because malware can take any name: back it with the binary's code-signing certificate or SHA-256 hash, and never exclude a hit on one of the C2 indicators merely because the originating process looks familiar.
Scenario: Legitimate scheduled job using nanocore.exe for system diagnostics
Description: A system administrator schedules a legitimate diagnostic tool named nanocore.exe to run daily for system health checks.
Filter/Exclusion: Exclude processes where the full path is C:\Windows\System32\nanocore.exe or where the process is started by a known administrative task scheduler job, but only after confirming the file's signer or hash; an unsigned binary with this name in System32 is itself worth investigating.
Scenario: Use of nanocore.exe by a legitimate security tool for threat analysis
Description: A security team uses a third-party tool named nanocore.exe for analyzing malware samples in a sandboxed environment.
Filter/Exclusion: Exclude processes where the parent process is sandboxed.exe or vmtoolsd.exe, or where the command line includes --sandbox-mode. Scope the exclusion to the analysis hosts, since a detonated Nanocore sample in the sandbox is expected to contact these C2 indicators.
Scenario: Legitimate software update using nanocore.exe as part of a deployment tool
Description: A deployment tool named nanocore.exe is used to push updates to endpoints, and it is part of the enterprise's software update pipeline.
Filter/Exclusion: Exclude processes where the command line includes --update-mode or where the process is initiated by SCCM or Microsoft Endpoint Manager, and verify that the tool's update servers are not among the listed indicators before excluding it.
Scenario: False positive from a legitimate log parsing tool named nanocore
Description: A log parsing tool named nanocore is used to process system logs and generates output that matches the IOC pattern.
Filter/Exclusion: Exclude processes where the process name is nanocore.exe and the command line includes --log-parser, or where the parent process is logparser.exe. Hits that come from indicator strings appearing inside parsed log content rather than from an actual connection or DNS query can be filtered by restricting the hunt to the RemoteIP, DestinationIP and Name columns, as the queries above already do.
Scenario: Use of nanocore.exe in a legitimate DevOps pipeline for CI/CD tasks
Description: A DevOps pipeline uses a tool named