The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication within the network. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage malware infections before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: md5_hash, sha256_hash, sha1_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | c0b18beb746f408a76371760e64ab37b350419da5292a6fe5b9b83bf7e225257 | payload | 2026-06-11 | 95% |
| sha1_hash | 87bc65dccd4cb91d55afc1afd257c23acd14570c | payload | 2026-06-11 | 95% |
| md5_hash | a59b7602663fb130c5a85507fbbe29a2 | payload | 2026-06-11 | 95% |
| ip:port | 104[.]168[.]62[.]5:54984 | botnet_cc | 2026-06-11 | 50% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["104.168.62.5"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.168.62.5"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Nanocore RAT
let malicious_hashes = dynamic(["c0b18beb746f408a76371760e64ab37b350419da5292a6fe5b9b83bf7e225257", "87bc65dccd4cb91d55afc1afd257c23acd14570c", "a59b7602663fb130c5a85507fbbe29a2"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
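The three hunts above share one pattern: refang the published indicators, bucket the hashes by type, then match them against network and file telemetry. The following Python script is an added example (not part of the original page or of ThreatFox) that reproduces that logic offline so an analyst can check the IOC handling before running it in Sentinel. It uses the indicator values from the table above; the telemetry records, device names, file names and timestamps are constructed for the demo and are not real data. Unlike the KQL, it also records whether the C2 port from the ip:port indicator matched, which is the extra signal that separates a likely C2 session from unrelated traffic to the same host.

```python
"""Offline IOC matcher mirroring the KQL hunts for the Nanocore RAT indicators.

Added example, not part of the original detection page. Indicator values are
the ones in the IOC table; all telemetry below is constructed sample data.
"""
import ipaddress
import re
from typing import Iterable

# Indicators copied from the IOC table above, in their published (defanged) form.
RAW_IOCS = {
    "sha256_hash": ["c0b18beb746f408a76371760e64ab37b350419da5292a6fe5b9b83bf7e225257"],
    "sha1_hash": ["87bc65dccd4cb91d55afc1afd257c23acd14570c"],
    "md5_hash": ["a59b7602663fb130c5a85507fbbe29a2"],
    "ip:port": ["104[.]168[.]62[.]5:54984"],
}

# Hex-digit length identifies the digest algorithm.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Turn a defanged indicator such as 104[.]168[.]62[.]5 back into a usable value."""
    return value.replace("[.]", ".")


def load_iocs(raw: dict) -> dict:
    """Normalise the IOC set: lowercase hashes bucketed by type, ip:port split in two."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "ip": set(), "ip_port": set()}
    for ioc_type, values in raw.items():
        for v in values:
            if ioc_type.endswith("_hash"):
                h = v.strip().lower()
                kind = HASH_LENGTHS.get(len(h))
                if kind is None or not re.fullmatch(r"[0-9a-f]+", h):
                    raise ValueError(f"malformed hash indicator: {v!r}")
                iocs[kind].add(h)
            elif ioc_type == "ip:port":
                ip, port = refang(v).rsplit(":", 1)
                ipaddress.ip_address(ip)  # reject garbage before it reaches a query
                iocs["ip"].add(ip)
                iocs["ip_port"].add((ip, int(port)))
    return iocs


def hunt_network(events: Iterable[dict], iocs: dict) -> list:
    """Equivalent of the DeviceNetworkEvents / CommonSecurityLog hunts.

    Returns one hit per matching event; 'exact_port' records whether the C2 port
    from the ip:port indicator matched too, which is the higher-confidence case.
    """
    hits = []
    for ev in events:
        remote = ev.get("RemoteIP")
        if remote in iocs["ip"]:
            hits.append({**ev, "exact_port": (remote, ev.get("RemotePort")) in iocs["ip_port"]})
    return hits


def hunt_files(events: Iterable[dict], iocs: dict) -> list:
    """Equivalent of the DeviceFileEvents hunt: match any of the three hash columns."""
    hits = []
    for ev in events:
        for col, kind in (("MD5", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
            h = (ev.get(col) or "").lower()
            if h in iocs[kind]:
                hits.append({**ev, "matched_on": col})
                break
    return hits


# Constructed sample telemetry (not real data): one IP+port hit, one IP-only hit, one benign.
SAMPLE_NETWORK = [
    {"Timestamp": "2026-06-11T10:02:11Z", "DeviceName": "ws-017", "RemoteIP": "104.168.62.5",
     "RemotePort": 54984, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-11T10:05:40Z", "DeviceName": "ws-017", "RemoteIP": "104.168.62.5",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-11T10:06:02Z", "DeviceName": "ws-020", "RemoteIP": "93.184.216.34",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]
SAMPLE_FILES = [
    {"Timestamp": "2026-06-11T09:58:03Z", "DeviceName": "ws-017", "FileName": "update.exe",
     "FolderPath": "C:\\Users\\Public\\", "SHA1": None, "MD5": None,
     "SHA256": "c0b18beb746f408a76371760e64ab37b350419da5292a6fe5b9b83bf7e225257"},
    {"Timestamp": "2026-06-11T09:59:10Z", "DeviceName": "ws-020", "FileName": "lib.dat",
     "FolderPath": "C:\\ProgramData\\", "SHA256": "0" * 64, "SHA1": None,
     "MD5": "A59B7602663FB130C5A85507FBBE29A2"},  # uppercase in telemetry, still matches
]


def run_demo():
    """Run both hunts over the constructed samples and return (network_hits, file_hits)."""
    iocs = load_iocs(RAW_IOCS)
    return hunt_network(SAMPLE_NETWORK, iocs), hunt_files(SAMPLE_FILES, iocs)


if __name__ == "__main__":
    net_hits, file_hits = run_demo()
    for h in net_hits:
        print("NET ", h["Timestamp"], h["DeviceName"], h["RemoteIP"], h["RemotePort"], "exact_port=", h["exact_port"])
    for h in file_hits:
        print("FILE", h["Timestamp"], h["DeviceName"], h["FileName"], "matched_on=", h["matched_on"])
```

Two details carry over to the KQL: hashes are compared case-insensitively (Defender stores them lowercase, but other sources may not), and an IP-only match against the 50%-confidence ip:port indicator should be triaged differently from a match that also hits port 54984.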
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore in a script
Description: A system administrator schedules a script using nanocore as part of a legitimate automation tool (e.g., Ansible, Puppet) for configuration management.
Filter/Exclusion: Check for process.parent_process containing known admin tools (e.g., ansible, puppet, chef) or script_name matching known configuration management scripts.

Scenario: Network monitoring tool using nanocore for packet analysis
Description: A network security tool (e.g., Wireshark, tcpdump) is configured to use nanocore as part of its packet filtering or analysis process.
Filter/Exclusion: Filter by process.name to exclude known network analysis tools or check for process.command_line containing -i or -f flags indicating packet capture mode.

Scenario: System update or patching using nanocore in a legitimate tool
Description: A system update tool (e.g., yum, apt, Chocolatey) uses nanocore as part of its internal dependency or logging mechanism.
Filter/Exclusion: Filter by process.name to exclude package managers or check for process.command_line containing update-related keywords (e.g., upgrade, install, patch).

Scenario: Log analysis tool using nanocore for log parsing
Description: A log analysis tool (e.g., ELK Stack, Splunk) uses nanocore as part of its internal log parsing or processing pipeline.
Filter/Exclusion: Filter by process.name to exclude known log analysis tools or check for process.command_line containing log-related flags (e.g., -f, -l, -t