The ThreatFox: Nanocore RAT IOCs rule matches the file hashes (SHA-256, SHA-1, MD5) recorded in endpoint file telemetry against the hashes of known Nanocore RAT payloads published by ThreatFox. Nanocore is a commodity remote access trojan whose operators typically use it to establish persistence and exfiltrate data, so a hash hit is a high-confidence signal that a known sample is present on a host, not a behavioural detection of those later stages. SOC teams should hunt for these hashes in Azure Sentinel (now Microsoft Sentinel) and investigate any hit before the operator gains a foothold.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 18
IOC Types: sha1_hash, md5_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | ef0e9301403d58a4729aaa9cd81abf942b1c8a301a651b1512bc2b5d9e599303 | payload | 2026-06-20 | 95% |
| sha1_hash | 0b8b5c278750f6e4a14fde3495cd403eddb9f2bc | payload | 2026-06-20 | 95% |
| md5_hash | 93e61d5a877bbb937e885d3ca385ac8a | payload | 2026-06-20 | 95% |
| sha256_hash | c2c8ed567f9c65686c4f6599e9259bd31d2ad984c24cf17ad9ebd9d594dcb0ba | payload | 2026-06-20 | 95% |
| sha1_hash | 4ccba704170269b7c7ca1ecafe2ed57fd11dcba8 | payload | 2026-06-20 | 95% |
| md5_hash | 10cf94eef24c8932d28698e02faf43e5 | payload | 2026-06-20 | 95% |
| sha256_hash | 2e16f46c063ff79af0b312364375706e98674b5869a4c9bb9f96a14b77277c5b | payload | 2026-06-20 | 95% |
| sha1_hash | 5801812345faf457a9be2ede940097ad1e88a626 | payload | 2026-06-20 | 95% |
| md5_hash | 2470c9c99f13ded1f5b86a2fabde0780 | payload | 2026-06-20 | 95% |
| md5_hash | 1702f6476993eb605fe93eebbbc5fc42 | payload | 2026-06-20 | 95% |
| sha256_hash | ce990051cbbec61b7e5fda012e29bc9776d0f298cc586c20ed13f949f34db37b | payload | 2026-06-20 | 95% |
| sha1_hash | 409af51ffa0d10f41374a2b1f3517b98b950ed00 | payload | 2026-06-20 | 95% |
| md5_hash | 63ab7828b518397c0b01596c92a0a0b0 | payload | 2026-06-20 | 95% |
| md5_hash | d3e37de6dd2dc8ce1bb72536259529cc | payload | 2026-06-20 | 95% |
| sha256_hash | b8431716195045f269fabd7d4e58fc37d24281a7bc0e4af3ce5424276add5792 | payload | 2026-06-20 | 95% |
| sha1_hash | c7bb21bf48c0c879b9f382143b94c9e16bd6c81e | payload | 2026-06-20 | 95% |
| sha256_hash | 798138899fae930a2eb5d70aafd8ba622fd1674fec571e282e9c9589b39cffef | payload | 2026-06-20 | 95% |
| sha1_hash | 9c9b962deead54c4364d378324e1f4ec603ab81c | payload | 2026-06-20 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Nanocore RAT
// The list mixes MD5, SHA-1 and SHA-256 values; each hash column is compared
// against the whole list, which is safe because lengths differ per algorithm.
// in~ is case-insensitive so a mixed-case hash from another source still matches.
let malicious_hashes = dynamic(["ef0e9301403d58a4729aaa9cd81abf942b1c8a301a651b1512bc2b5d9e599303", "0b8b5c278750f6e4a14fde3495cd403eddb9f2bc", "93e61d5a877bbb937e885d3ca385ac8a", "c2c8ed567f9c65686c4f6599e9259bd31d2ad984c24cf17ad9ebd9d594dcb0ba", "4ccba704170269b7c7ca1ecafe2ed57fd11dcba8", "10cf94eef24c8932d28698e02faf43e5", "2e16f46c063ff79af0b312364375706e98674b5869a4c9bb9f96a14b77277c5b", "5801812345faf457a9be2ede940097ad1e88a626", "2470c9c99f13ded1f5b86a2fabde0780", "1702f6476993eb605fe93eebbbc5fc42", "ce990051cbbec61b7e5fda012e29bc9776d0f298cc586c20ed13f949f34db37b", "409af51ffa0d10f41374a2b1f3517b98b950ed00", "63ab7828b518397c0b01596c92a0a0b0", "d3e37de6dd2dc8ce1bb72536259529cc", "b8431716195045f269fabd7d4e58fc37d24281a7bc0e4af3ce5424276add5792", "c7bb21bf48c0c879b9f382143b94c9e16bd6c81e", "798138899fae930a2eb5d70aafd8ba622fd1674fec571e282e9c9589b39cffef", "9c9b962deead54c4364d378324e1f4ec603ab81c"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Project all three hash columns so the analyst can see which one matched
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft 365 Defender (Defender for Endpoint) data connector; ensure it is enabled and that file events are being ingested for the hosts in scope. Not every row carries all three hash columns, which is why the query checks each one. |
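The following Python is an added example, not code from ThreatFox or the rule's author. It shows the matching logic the KQL above performs, run offline against constructed DeviceFileEvents-shaped records: it parses the IOC table in the form it appears on this page, rejects an indicator whose hex length does not match its declared type (a truncated hash would otherwise silently never match), compares each hash column case-insensitively against indicators of its own type, and renders an equivalent KQL query with one list per hash type. The sample events, device names, paths and the initiating process names (including VeeamAgent.exe) are constructed for the example.

```python
import re

# Hex digit count for each hash type ThreatFox uses in the table on this page.
HASH_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed input: a subset of the IOC table rows from this page, verbatim.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | ef0e9301403d58a4729aaa9cd81abf942b1c8a301a651b1512bc2b5d9e599303 | payload | 2026-06-20 | 95% |
| sha1_hash | 0b8b5c278750f6e4a14fde3495cd403eddb9f2bc | payload | 2026-06-20 | 95% |
| md5_hash | 93e61d5a877bbb937e885d3ca385ac8a | payload | 2026-06-20 | 95% |
| sha256_hash | c2c8ed567f9c65686c4f6599e9259bd31d2ad984c24cf17ad9ebd9d594dcb0ba | payload | 2026-06-20 | 95% |
"""

# Constructed sample rows in the shape of DeviceFileEvents (hypothetical hosts/paths).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-21T08:02:11Z", "DeviceName": "ws-017", "FileName": "invoice.exe",
     "FolderPath": r"C:\Users\jdoe\Downloads\invoice.exe",
     "SHA256": "EF0E9301403D58A4729AAA9CD81ABF942B1C8A301A651B1512BC2B5D9E599303",
     "SHA1": None, "MD5": None, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-21T23:00:05Z", "DeviceName": "fs-01", "FileName": "invoice.exe",
     "FolderPath": r"D:\Backups\ws-017\Users\jdoe\Downloads\invoice.exe",
     "SHA256": None, "SHA1": "0b8b5c278750f6e4a14fde3495cd403eddb9f2bc", "MD5": None,
     "InitiatingProcessFileName": "VeeamAgent.exe"},
    {"Timestamp": "2026-06-21T09:15:40Z", "DeviceName": "ws-022", "FileName": "setup.exe",
     "FolderPath": r"C:\Temp\setup.exe",
     "SHA256": "0" * 64, "SHA1": None, "MD5": None, "InitiatingProcessFileName": "explorer.exe"},
]


def parse_ioc_table(markdown):
    """Parse the markdown IOC table into {hash_type: set(lowercase hex)}.

    A row whose value is not hex of the length its type implies raises,
    so a mis-typed or truncated indicator cannot silently weaken the hunt."""
    iocs = {t: set() for t in HASH_LEN}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] not in HASH_LEN:
            continue  # header row, separator row, or a non-hash indicator type
        value = cells[1].lower()
        if len(value) != HASH_LEN[cells[0]] or not HEX_RE.match(value):
            raise ValueError(f"malformed {cells[0]} indicator: {cells[1]!r}")
        iocs[cells[0]].add(value)
    return iocs


COLUMN_TYPE = {"SHA256": "sha256_hash", "SHA1": "sha1_hash", "MD5": "md5_hash"}


def match_events(events, iocs):
    """Return events whose hash columns hit an indicator of the matching type.

    Mirrors the where-clause of the hunt query: each column is compared
    case-insensitively, and an event is reported once even if several of
    its hash columns match the same sample."""
    hits = []
    for ev in events:
        for col, hash_type in COLUMN_TYPE.items():
            value = (ev.get(col) or "").lower()
            if value and value in iocs[hash_type]:
                hits.append({**ev, "MatchedType": hash_type})
                break
    return hits


def build_kql(iocs):
    """Render an equivalent DeviceFileEvents hunt with one list per hash type."""
    lets, preds = [], []
    for col, hash_type in COLUMN_TYPE.items():
        values = ", ".join(f'"{v}"' for v in sorted(iocs[hash_type]))
        lets.append(f"let {col.lower()}_iocs = dynamic([{values}]);")
        preds.append(f"{col} in~ ({col.lower()}_iocs)")
    return ("\n".join(lets) + "\nDeviceFileEvents\n| where " + " or ".join(preds)
            + "\n| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5,"
              " InitiatingProcessFileName\n| order by Timestamp desc")


if __name__ == "__main__":
    indicators = parse_ioc_table(IOC_TABLE)
    for hit in match_events(SAMPLE_EVENTS, indicators):
        print(hit["DeviceName"], hit["FolderPath"], hit["MatchedType"], hit["InitiatingProcessFileName"])
    print(build_kql(indicators))
```

Two of the three constructed events match: the original download on ws-017 (by SHA-256) and the backup copy on fs-01 (by SHA-1), while the all-zero hash does not. Note that the second hit is initiated by a backup agent; the hash is still a genuine Nanocore sample, so that row is a lead back to ws-017 rather than a false positive to suppress.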
Because this rule matches exact file hashes, a hit always means a file identical to a known Nanocore sample exists on disk. The scenarios below are not benign files that happen to match; they are legitimate processes that read, copy, quarantine or index an already-present sample and so generate additional, non-actionable DeviceFileEvents rows for the same hash. Any exclusion should suppress those duplicates, not the underlying finding, and exclusions keyed only on a process name are trivially satisfied by an attacker who renames a binary, so pivot on the original host and path rather than dropping the match.
Scenario: Scheduled system backup using Veeam Backup & Replication
Description: A backup job that copies an infected file to a repository writes a new DeviceFileEvents row carrying the same hash, so one infected endpoint can produce repeated hits under a backup process on a different host.
Filter/Exclusion: Group or suppress events whose InitiatingProcessFileName or command line contains veeam or backup, or whose FolderPath is under a known backup directory (e.g., C:\ProgramData\Veeam), and follow the source path back to the originating host.
Scenario: Windows Task Scheduler running a legitimate PowerShell script for system monitoring
Description: A scheduled PowerShell script that inventories, hashes or copies files will surface an existing sample as a file event initiated by powershell.exe; the script itself is not the match, the file it touched is.
Filter/Exclusion: Identify events initiated by powershell.exe under a known scheduled task with a recognised monitoring script path (e.g., scripts that wrap Sysmon or LogParser), and treat them as secondary observations of the sample rather than new infections.
Scenario: Administrative tool usage, such as Windows Defender Antivirus scan
Description: When the antivirus engine quarantines, renames or deletes a detected file, the resulting DeviceFileEvents rows still carry the original hash and will match the rule.
Filter/Exclusion: Exclude events initiated by Windows Defender Antivirus (e.g., InitiatingProcessFileName is MsMpEng.exe) or check for the presence of Windows Defender in the process name or command line; a quarantine event confirms the sample was present and is worth recording on the incident even if it does not need a separate alert.
Scenario: Log management tool (e.g., Splunk, ELK Stack) indexing logs
Description: A forwarder or indexer that reads files from system directories can generate file events for an existing sample, and an archive of collected files may carry the hash onto the log server.
Filter/Exclusion: Filter events related to log management tools by checking the process name (e.g., splunkd.exe, logstash.exe) or by checking for known log directories (e.g., C:\ProgramData\Splunk), and confirm the file on the log host is a collected copy rather than an executed payload.
Scenario: Remote PowerShell session initiated by IT administrators for system configuration