The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | 88i.jp.net | botnet_cc | 2026-06-05 | 75% |
| domain | metalioncircle.io | botnet_cc | 2026-06-05 | 75% |
| ip:port | 5[.]35[.]87[.]192:10134 | botnet_cc | 2026-06-05 | 100% |
| domain | ennovar.io | botnet_cc | 2026-06-05 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The ThreatFox entry pairs this IP with port 10134; the match below is on
// the IP alone, so traffic to other ports on the same host is also surfaced.
let malicious_ips = dynamic(["5.35.87.192"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["5.35.87.192"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["88i.jp.net", "metalioncircle.io", "ennovar.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
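As an added example that is not part of the original detection content, the following single hunt combines the three sources above into one schema, matches the ThreatFox indicator as an ip:port pair rather than the bare IP, and summarises hits per host and indicator so an analyst can see which sources corroborate each other. It assumes the same Sentinel tables and columns used in the queries above.

```kusto
// Added example: cross-source Nanocore RAT IOC hunt with a common schema.
// Assumes the CommonSecurityLog, DeviceNetworkEvents and DnsEvents tables
// and their standard columns are present in the workspace.
let ioc_ip = "5.35.87.192";
let ioc_port = 10134;
let ioc_domains = dynamic(["88i.jp.net", "metalioncircle.io", "ennovar.io"]);
// Firewall / CEF sources: match the exact ip:port pair from the IOC table
let fw = CommonSecurityLog
    | where DestinationIP == ioc_ip and DestinationPort == ioc_port
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = Computer,
              Indicator = strcat(DestinationIP, ":", DestinationPort),
              Detail = strcat(DeviceAction, " ", Activity);
// Defender for Endpoint: same pair, plus the process that opened the connection
let edr = DeviceNetworkEvents
    | where RemoteIP == ioc_ip and RemotePort == ioc_port
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              Indicator = strcat(RemoteIP, ":", RemotePort),
              Detail = strcat(InitiatingProcessFileName, " ", ActionType);
// DNS: resolution attempts for the C2 domains
let dns = DnsEvents
    | where Name has_any (ioc_domains)
    | project TimeGenerated,
              Source = "DnsEvents",
              Host = Computer,
              Indicator = Name,
              Detail = strcat(QueryType, " ", IPAddresses);
union fw, edr, dns
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Sources = make_set(Source)
            by Host, Indicator
| order by LastSeen desc
```

A host that appears with more than one entry in Sources (for example a DNS lookup of a C2 domain followed by an EDR-observed connection to the ip:port pair) is a stronger candidate for escalation than a single firewall hit.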
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore.exe as part of a backup tool
Filter/Exclusion: Exclude processes where the full path contains "C:\Program Files\BackupTool\backup.exe" or process name is backup.exe with parent process schtasks.exe.
Scenario: Admin task using nanocore.exe for network diagnostics
Filter/Exclusion: Exclude processes where the command line includes "ping", "tracert", or "nslookup" and the user is a domain admin with elevated privileges.
Scenario: Legitimate software update process using nanocore.exe as a dependency
Filter/Exclusion: Exclude processes where the file path includes "C:\Windows\Temp\update_tool\" or the process is initiated by Windows Update or WSUS.
Scenario: False positive from a security tool performing a sandbox analysis
Filter/Exclusion: Exclude processes where the parent process is sandbox.exe or qemu-system-x86_64.exe and the process name is nanocore.exe.
Scenario: Legitimate system cleanup tool using nanocore.exe as a component
Filter/Exclusion: Exclude processes where the command line includes "clean", "remove", or "delete" and the process is initiated by a known enterprise cleanup tool like CCleaner or Disk Cleanup.