The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | www.mobile1.com | botnet_cc | 2026-05-27 | 75% |
| domain | spapro.co.com | botnet_cc | 2026-05-26 | 75% |
| domain | www.shbet.id | botnet_cc | 2026-05-26 | 75% |
| domain | moocow.my | botnet_cc | 2026-05-26 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT (the botnet_cc domains from the IOC summary above)
let malicious_domains = dynamic(["www.mobile1.com", "spapro.co.com", "www.shbet.id", "moocow.my"]);
DnsEvents
// has_any matches whole terms (case-insensitive), so the queried name must contain a full listed domain
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
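The same hunt as an offline check, added here as an example that is not part of the original detection content: it runs the page's four IOC domains over constructed DnsEvents-style records, matches on label boundaries (the domain itself or a subdomain of it, which is stricter than the term-based `has_any` in the KQL above and avoids hits such as `notmoocow.my`), and renders the IOC list as the `dynamic([...])` literal so the query stays in sync with the table. The sample events, host names and helper names are assumptions for the demonstration.

```python
"""Offline replay of the Nanocore RAT DNS hunt against constructed DNS events."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domains from the IOC summary table on this page (ThreatFox, Nanocore RAT, botnet_cc).
MALICIOUS_DOMAINS = ["www.mobile1.com", "spapro.co.com", "www.shbet.id", "moocow.my"]


@dataclass
class DnsEvent:
    time_generated: str   # ISO-8601 timestamp, as DnsEvents.TimeGenerated
    computer: str         # querying host, as DnsEvents.Computer
    name: str             # queried name, as DnsEvents.Name
    query_type: str       # as DnsEvents.QueryType


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'MOOCOW.MY.' compares equal to 'moocow.my'."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC hit when the query is the listed domain or a subdomain of it.

    Suffix matching on a label boundary catches 'cdn.spapro.co.com' but not 'notmoocow.my'.
    """
    n = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if n == i or n.endswith("." + i):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent], iocs=MALICIOUS_DOMAINS) -> List[Tuple[DnsEvent, str]]:
    """Mirror the KQL hunt: keep events whose Name hits an IOC, newest first."""
    hits = [(e, ioc) for e in events if (ioc := matches_ioc(e.name, iocs))]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)


def kql_domain_list(iocs=MALICIOUS_DOMAINS) -> str:
    """Render the IOC list as the dynamic([...]) literal used by the KQL query."""
    return "dynamic([" + ", ".join(f'"{d}"' for d in iocs) + "])"


# Constructed sample events (not real telemetry): two hits, one near-miss, one benign.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-27T10:00:00Z", "WS01", "moocow.my.", "A"),
    DnsEvent("2026-05-27T10:05:00Z", "WS02", "cdn.spapro.co.com", "A"),
    DnsEvent("2026-05-27T10:06:00Z", "WS03", "notmoocow.my", "A"),
    DnsEvent("2026-05-27T10:07:00Z", "WS04", "www.example.com", "A"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} {event.name} -> {ioc}")
```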
Scenario: Legitimate scheduled job using nanocore.exe for system monitoring
Description: A system administrator uses a custom script named nanocore.exe as part of a scheduled job to monitor system performance.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\ or C:\Program Files\ and the process is associated with a known monitoring tool (e.g., perfmon.exe).
Scenario: Admin task using nanocore.exe for log parsing
Description: A system administrator runs a script named nanocore.exe to parse and analyze log files for troubleshooting purposes.
Filter/Exclusion: Exclude processes where the command line includes -log or -parse and the parent process is a known administrative tool like powershell.exe or cmd.exe.
Scenario: Legitimate software update using nanocore.exe
Description: A third-party software update tool named nanocore.exe is used to deploy patches across the enterprise.
Filter/Exclusion: Exclude processes where the file hash matches a known legitimate update tool (e.g., SHA256: 1234567890abcdef1234567890abcdef12) and the parent process is msiexec.exe or setup.exe.
Scenario: User-generated script named nanocore.bat for automation
Description: A user creates a batch script named nanocore.bat to automate routine tasks like file backups or system checks.
Filter/Exclusion: Exclude processes where the file path starts with C:\Users\ and the process is initiated by a user account with standard privileges.
**Scenario: Legitimate tool named nanocore used in a