The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT Total IOCs: 5 IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | loungelovers.io | botnet_cc | 2026-06-03 | 50% |
| domain | ph88phil.io | botnet_cc | 2026-06-03 | 50% |
| domain | purerawk.com | botnet_cc | 2026-06-03 | 50% |
| domain | ww.maskelibros.cl | botnet_cc | 2026-06-03 | 50% |
| domain | www.cinehouse.my | botnet_cc | 2026-06-03 | 50% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["loungelovers.io", "ph88phil.io", "purerawk.com", "ww.maskelibros.cl", "www.cinehouse.my"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore.exe for system diagnostics
Description: A system administrator uses a custom script or tool named nanocore.exe as part of a scheduled job to perform system health checks.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\nanocore.exe or where the parent process is schtasks.exe.
Scenario: Use of nanocore.exe by a legitimate security tool for threat analysis
Description: A security team uses a tool named nanocore.exe (e.g., a custom analysis tool) to simulate or analyze malware behavior in a sandboxed environment.
Filter/Exclusion: Exclude processes where the command line includes -sandbox or -simulate flags, or where the parent process is msvcr100.dll or python.exe.
Scenario: Legitimate admin task involving nanocore.exe for log parsing
Description: An admin task runs nanocore.exe to parse and analyze log files for troubleshooting purposes.
Filter/Exclusion: Exclude processes where the command line includes --logparse or where the parent process is task scheduler or services.exe.
Scenario: Use of nanocore.exe by a legitimate backup tool for data compression
Description: A backup tool named nanocore.exe is used to compress and archive data as part of a regular backup process.
Filter/Exclusion: Exclude processes where the command line includes --backup or --compress, or where the parent process is backupsvc.exe or vssvc.exe.
Scenario: Legitimate use of nanocore.exe for network monitoring
Description: A network monitoring tool named `nanocore