The ThreatFox: Nanocore RAT IOCs rule detects potential indicators of a Nanocore Remote Access Trojan leveraging compromised infrastructure to exfiltrate data and establish persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 6
IOC Types: sha256_hash, md5_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 7c1dc6b792df9cf72d40102b9daa1969ce88e5f5 | payload | 2026-06-13 | 95% |
| md5_hash | 94d2ca3c409914ad4d42ea57ce4b36b1 | payload | 2026-06-13 | 95% |
| md5_hash | e5cd97b309afed34383aff420333d831 | payload | 2026-06-13 | 95% |
| sha256_hash | e913c5f78dbe49989518ee50ee56cdb581a16a16b5ebb2ff567d526b238a0fc2 | payload | 2026-06-13 | 95% |
| sha256_hash | 24efe51c32a2017f5ad0aab43a2eb099eaf4379846f1b4e8a62093338ddae517 | payload | 2026-06-13 | 95% |
| sha1_hash | 1f81e5529c284ea4561fd49997d5beb395ee2aa4 | payload | 2026-06-13 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Nanocore RAT
let malicious_hashes = dynamic(["7c1dc6b792df9cf72d40102b9daa1969ce88e5f5", "94d2ca3c409914ad4d42ea57ce4b36b1", "e5cd97b309afed34383aff420333d831", "e913c5f78dbe49989518ee50ee56cdb581a16a16b5ebb2ff567d526b238a0fc2", "24efe51c32a2017f5ad0aab43a2eb099eaf4379846f1b4e8a62093338ddae517", "1f81e5529c284ea4561fd49997d5beb395ee2aa4"]);
DeviceFileEvents
// in~ is the case-insensitive form of in: hash columns are normally lower-case,
// but an upper-case value must not slip past the match
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// include all three hash columns so the analyst can see which one matched
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
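The same hash hunt carried out offline, as an added example that is not part of the ThreatFox rule page or the Sentinel query above: it loads the six hashes from the IOC table, checks that each declared type agrees with the digest length (a common feed-ingestion error), and matches a constructed CSV export of DeviceFileEvents rows case-insensitively. The event rows, device names and paths are made up for the example; only the hash values come from the page.

```python
"""Offline hunt of DeviceFileEvents-style records against the Nanocore RAT hash IOCs above."""
import csv
import io

# Hash values copied from the IOC table on this page, keyed to their declared type.
NANOCORE_IOCS = {
    "7c1dc6b792df9cf72d40102b9daa1969ce88e5f5": "sha1_hash",
    "94d2ca3c409914ad4d42ea57ce4b36b1": "md5_hash",
    "e5cd97b309afed34383aff420333d831": "md5_hash",
    "e913c5f78dbe49989518ee50ee56cdb581a16a16b5ebb2ff567d526b238a0fc2": "sha256_hash",
    "24efe51c32a2017f5ad0aab43a2eb099eaf4379846f1b4e8a62093338ddae517": "sha256_hash",
    "1f81e5529c284ea4561fd49997d5beb395ee2aa4": "sha1_hash",
}

HASH_TYPE_BY_LENGTH = {32: "md5_hash", 40: "sha1_hash", 64: "sha256_hash"}


def normalize_hash(value: str) -> str:
    """Lower-case and strip a digest so comparisons are case-insensitive
    (plain KQL `in` is case-sensitive; an upper-case export would otherwise be missed)."""
    return value.strip().lower()


def hash_type(value: str):
    """Classify a hex digest by length; return None if it is not a valid MD5/SHA-1/SHA-256."""
    h = normalize_hash(value)
    if len(h) not in HASH_TYPE_BY_LENGTH or any(c not in "0123456789abcdef" for c in h):
        return None
    return HASH_TYPE_BY_LENGTH[len(h)]


def validate_iocs(iocs: dict) -> dict:
    """Return a normalized {hash: type} lookup, rejecting entries whose declared
    type disagrees with what the digest length says it is."""
    lookup = {}
    for value, declared in iocs.items():
        actual = hash_type(value)
        if actual is None or actual != declared:
            raise ValueError(f"{value!r} declared {declared} but classifies as {actual}")
        lookup[normalize_hash(value)] = actual
    return lookup


# Constructed sample export (not real telemetry) mirroring the DeviceFileEvents columns.
SAMPLE_EVENTS_CSV = "\n".join([
    "Timestamp,DeviceName,FileName,FolderPath,SHA256,SHA1,MD5,InitiatingProcessFileName",
    # Upper-case copy of the page's first sha256 IOC: a case-sensitive match would miss it.
    "2026-06-13T08:01:02Z,ws-0417,update.exe,C:\\Users\\alice\\Downloads,"
    "E913C5F78DBE49989518EE50EE56CDB581A16A16B5EBB2FF567D526B238A0FC2,,,chrome.exe",
    # Clean file: all-zero placeholder digests, no hit.
    "2026-06-13T08:05:10Z,ws-0102,notepad.exe,C:\\Windows\\System32,"
    + "0" * 64 + "," + "0" * 40 + "," + "0" * 32 + ",explorer.exe",
    # SHA1 hit even though an unrelated (placeholder) SHA256 is recorded.
    "2026-06-13T09:12:44Z,srv-db01,svc.exe,C:\\ProgramData\\svc,"
    + "1" * 64 + ",1f81e5529c284ea4561fd49997d5beb395ee2aa4,,sqlservr.exe",
    # Record with only an MD5 (older agent), hitting the page's first md5 IOC.
    "2026-06-13T10:30:00Z,ws-0222,loader.exe,C:\\Temp,,,94d2ca3c409914ad4d42ea57ce4b36b1,powershell.exe",
])


def hunt(csv_text: str, iocs: dict) -> list:
    """Return one finding per event whose SHA256, SHA1 or MD5 column hits an IOC."""
    lookup = validate_iocs(iocs)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column in ("SHA256", "SHA1", "MD5"):
            value = row.get(column, "")
            if not value:
                continue  # this digest was not recorded for the event
            h = normalize_hash(value)
            if h in lookup:
                findings.append({
                    "Timestamp": row["Timestamp"],
                    "DeviceName": row["DeviceName"],
                    "FileName": row["FileName"],
                    "FolderPath": row["FolderPath"],
                    "InitiatingProcessFileName": row["InitiatingProcessFileName"],
                    "MatchedColumn": column,
                    "MatchedHash": h,
                    "IocType": lookup[h],
                })
                break  # one finding per event, like one row in the KQL result
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS_CSV, NANOCORE_IOCS):
        print(f"{f['Timestamp']} {f['DeviceName']} {f['FileName']} "
              f"hit {f['IocType']} {f['MatchedHash']} via {f['InitiatingProcessFileName']}")
```

The validation step is worth keeping in any feed-ingestion script: a SHA-1 accidentally labelled as an MD5 would silently never match the column it belongs in, and the all-or-nothing failure makes that visible before the hunt runs.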
- Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update package from Microsoft Update.
  Filter/Exclusion: Exclude PowerShell scripts that download from https://download.microsoft.com or use the Update keyword in the script name.
- Scenario: A security team is performing a Windows Defender Offline scan on a test machine, which involves executing a known benign executable from Microsoft’s official repository.
  Filter/Exclusion: Exclude processes initiated by Windows Defender Offline or executables signed by Microsoft with the subject Microsoft Corporation.
- Scenario: A DevOps engineer is deploying a Docker container that includes a legitimate binary from GitHub as part of a CI/CD pipeline.
  Filter/Exclusion: Exclude processes that originate from GitHub URLs (github.com) and are part of a known CI/CD tool like GitHub Actions or GitLab CI.
- Scenario: A database administrator is using SQL Server Agent to run a scheduled job that connects to an external database using a trusted connection.
  Filter/Exclusion: Exclude connections made via SQL Server Agent or processes that use the trusted_connection=yes parameter in the connection string.
- Scenario: A system administrator is using Windows Task Scheduler to run a legitimate script that interacts with Windows Event Log for auditing purposes.
  Filter/Exclusion: Exclude tasks scheduled by Task Scheduler or scripts that interact with eventlog or eventvwr.exe.