The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and remote control over compromised systems. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary

Malware Family: Nanocore RAT
Total IOCs: 6
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | a5ebaafa75f45f51d25f38ef83a2c1e3ac580435 | payload | 2026-06-17 | 95% |
| md5_hash | 4b896f8ae2fdbedf99648cffa4c7afc3 | payload | 2026-06-17 | 95% |
| sha256_hash | 068725e40de440d38d02f71aea88ec2d28276a98e62b2f5b2659d981c1c11798 | payload | 2026-06-17 | 95% |
| md5_hash | d2d3e85f0d8d966d22c6dd7f6a94df13 | payload | 2026-06-17 | 95% |
| sha256_hash | c211109b368eebe5fadfc58540b8ae6c7a33d820a6e5ebf99bdf09fc7ed98d05 | payload | 2026-06-17 | 95% |
| sha1_hash | a7bee01e4415bf95982b863820d1930dea5739e9 | payload | 2026-06-17 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Nanocore RAT
let malicious_hashes = dynamic(["a5ebaafa75f45f51d25f38ef83a2c1e3ac580435", "4b896f8ae2fdbedf99648cffa4c7afc3", "068725e40de440d38d02f71aea88ec2d28276a98e62b2f5b2659d981c1c11798", "d2d3e85f0d8d966d22c6dd7f6a94df13", "c211109b368eebe5fadfc58540b8ae6c7a33d820a6e5ebf99bdf09fc7ed98d05", "a7bee01e4415bf95982b863820d1930dea5739e9"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
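As an added example (not part of the original detection page), the same hash-IOC match the KQL above performs, written in Python over constructed DeviceFileEvents-style records: it validates and classifies each indicator by hash type, lowercases both sides so uppercase hashes from other sources still match, and compares each record's MD5/SHA1/SHA256 only against indicators of the same type. The sample events and the `hunt`/`index_iocs` helper names are assumptions made for this example.

```python
# Added example (not from the original page): the hash-IOC match the KQL above
# performs, run over constructed DeviceFileEvents-style records.
# Indicator values are the ones listed in the IOC table on this page.
IOCS = [
    "a5ebaafa75f45f51d25f38ef83a2c1e3ac580435",
    "4b896f8ae2fdbedf99648cffa4c7afc3",
    "068725e40de440d38d02f71aea88ec2d28276a98e62b2f5b2659d981c1c11798",
    "d2d3e85f0d8d966d22c6dd7f6a94df13",
    "c211109b368eebe5fadfc58540b8ae6c7a33d820a6e5ebf99bdf09fc7ed98d05",
    "a7bee01e4415bf95982b863820d1930dea5739e9",
]
# Hex-digest length identifies the algorithm; anything else is a malformed IOC.
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}

def index_iocs(iocs):
    """Group indicators by hash type, lowercased, rejecting malformed entries."""
    index = {name: set() for name in HASH_TYPES.values()}
    for raw in iocs:
        value = raw.strip().lower()
        kind = HASH_TYPES.get(len(value))
        if kind is None or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"malformed hash indicator: {raw!r}")
        index[kind].add(value)
    return index

def hunt(events, iocs):
    """Return events whose MD5/SHA1/SHA256 matches an indicator of the same type, newest first."""
    index = index_iocs(iocs)
    hits = []
    for ev in events:
        for column, known in index.items():
            value = (ev.get(column) or "").lower()  # tolerate uppercase or missing hash columns
            if value in known:
                hits.append({**ev, "MatchedHash": column})
                break
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

# Constructed sample records; only the second and third carry a listed hash.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T08:00:00Z", "DeviceName": "ws01", "FileName": "setup.exe",
     "MD5": "00000000000000000000000000000000", "SHA1": "", "SHA256": ""},
    {"Timestamp": "2026-06-17T09:15:00Z", "DeviceName": "ws02", "FileName": "update.exe",
     "MD5": "4B896F8AE2FDBEDF99648CFFA4C7AFC3", "SHA1": "", "SHA256": ""},
    {"Timestamp": "2026-06-17T09:30:00Z", "DeviceName": "srv01", "FileName": "svc.dll",
     "MD5": "", "SHA1": "a7bee01e4415bf95982b863820d1930dea5739e9", "SHA256": ""},
]
```

Running `hunt(SAMPLE_EVENTS, IOCS)` returns the srv01 and ws02 records (in that order) tagged with the hash column that matched; note that the KQL `in` operator is case-sensitive, so the lowercase normalisation shown here has no equivalent in the query above unless `in~` is used.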
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule if it involves file paths or commands that match the IOCs associated with Nanocore RAT.
Filter/Exclusion: Exclude processes initiated by the rsync binary or those with command-line arguments containing /backup/ or /data/backup/.

Scenario: Admin task using wget to download a trusted internal script
Description: An administrator may use wget to download a trusted internal script from a company-controlled server, which could be flagged if the URL or file name matches known Nanocore RAT IOCs.
Filter/Exclusion: Exclude processes where the URL domain is within the company's internal domain or where the file name matches known internal scripts.

Scenario: Log parsing tool using grep to analyze system logs
Description: A log parsing tool such as grep or awk may be used to analyze system logs, and if the log content contains strings that match the IOCs, it could trigger the rule.
Filter/Exclusion: Exclude processes initiated by log analysis tools or those running with user IDs associated with the log management team.

Scenario: Software update using curl to fetch a trusted package
Description: A software update process using curl to fetch a trusted package from an internal or known secure repository may be flagged if the URL or file name matches Nanocore RAT IOCs.
Filter/Exclusion: Exclude processes where the URL is from a known internal update server or where the file name matches known update packages.

Scenario: System monitoring tool using ps or top for process analysis
Description: A system monitoring tool may use ps or top to analyze running processes, and if