This detection identifies potential Nanocore RAT activity through known IOCs; a match indicates an adversary may be establishing persistence and command-and-control capabilities within the network. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate advanced persistent threats leveraging Nanocore RAT.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 10
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | sc88.earth | botnet_cc | 2026-04-20 | 75% |
| domain | roservicescenter.in.net | botnet_cc | 2026-04-20 | 75% |
| domain | progressivetechworld.in.net | botnet_cc | 2026-04-20 | 75% |
| domain | alppconectt.sa.com | botnet_cc | 2026-04-20 | 75% |
| domain | 8s8s.it.com | botnet_cc | 2026-04-20 | 75% |
| ip:port | 172[.]67[.]220[.]51:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 104[.]21[.]55[.]33:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 172[.]67[.]218[.]225:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 172[.]67[.]144[.]104:443 | botnet_cc | 2026-04-20 | 100% |
| ip:port | 104[.]21[.]43[.]40:443 | botnet_cc | 2026-04-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["104.21.43.40", "172.67.220.51", "104.21.55.33", "172.67.144.104", "172.67.218.225"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["104.21.43.40", "172.67.220.51", "104.21.55.33", "172.67.144.104", "172.67.218.225"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["sc88.earth", "roservicescenter.in.net", "progressivetechworld.in.net", "alppconectt.sa.com", "8s8s.it.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
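As an added example (not part of this page or the ThreatFox feed), the Python below refangs the IOC table above into lookup sets and runs them over constructed records shaped like CommonSecurityLog and DnsEvents rows. Unlike the queries above, it keeps the port from the ip:port entries and matches domains only as exact names or subdomains, so a contains-style or IP-only match on shared hosting addresses does not flag unrelated traffic; the record field names and sample records are assumptions.

```python
import re
# IOC values copied from the table above; ip:port entries are still defanged.
RAW_IOCS = [
    ("domain", "sc88.earth"),
    ("domain", "roservicescenter.in.net"),
    ("domain", "progressivetechworld.in.net"),
    ("domain", "alppconectt.sa.com"),
    ("domain", "8s8s.it.com"),
    ("ip:port", "172[.]67[.]220[.]51:443"),
    ("ip:port", "104[.]21[.]55[.]33:443"),
    ("ip:port", "172[.]67[.]218[.]225:443"),
    ("ip:port", "172[.]67[.]144[.]104:443"),
    ("ip:port", "104[.]21[.]43[.]40:443"),
]

def build_sets(raw_iocs):
    """Refang the table into an exact (ip, port) set and a lowercase domain set."""
    ip_ports, domains = set(), set()
    for kind, value in raw_iocs:
        value = re.sub(r"\[\.\]|\(\.\)", ".", value).lower()  # 172[.]67 -> 172.67
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
        elif kind == "domain":
            domains.add(value.rstrip("."))
    return ip_ports, domains

def domain_matches(name, domains):
    """Exact or subdomain match only: cdn.sc88.earth hits, notsc88.earth does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def hunt(records, raw_iocs):
    """Return (index, reason) per record; IP hits must also match the table's port."""
    ip_ports, domains = build_sets(raw_iocs)
    hits = []
    for i, r in enumerate(records):
        name = r.get("dns_name", "").lower().rstrip(".")  # assumed DnsEvents-like field
        if name and domain_matches(name, domains):
            hits.append((i, "dns:" + name))
        elif (r.get("dst_ip"), r.get("dst_port")) in ip_ports:  # assumed CSL-like fields
            hits.append((i, f"ip:{r['dst_ip']}:{r['dst_port']}"))
    return hits

SAMPLE_RECORDS = [  # constructed records, not real telemetry
    {"dst_ip": "172.67.220.51", "dst_port": 443},  # exact ip:port hit
    {"dst_ip": "172.67.220.51", "dst_port": 80},   # same IP, other port: no hit
    {"dns_name": "cdn.sc88.earth"},                # subdomain hit
    {"dns_name": "notsc88.earth"},                 # substring lookalike: no hit
    {"dns_name": "8s8s.IT.com."},                  # case/trailing-dot FQDN hit
]
```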
Scenario: Legitimate system update using Nanocore-based tool
Description: A system update process uses a tool with a name matching a Nanocore RAT IOC, such as nanocore-updater.exe.
Filter/Exclusion: process.name != "nanocore-updater.exe" or check for process.parent.name == "WindowsUpdate.exe" or process.parent.name == "msiexec.exe"
Scenario: Scheduled backup job using a script with similar naming
Description: A scheduled backup job runs a script named nanocore_backup.ps1 which is a legitimate administrative task.
Filter/Exclusion: process.name != "nanocore_backup.ps1" or process.parent.name == "schtasks.exe" or process.parent.name == "powershell.exe"
Scenario: Admin task using a tool with similar IOCs
Description: An admin uses a legitimate tool like nanocore-utility.exe for system diagnostics, which shares IOC strings with the RAT.
Filter/Exclusion: process.name != "nanocore-utility.exe" or process.parent.name == "taskmgr.exe" or process.parent.name == "explorer.exe"
Scenario: Log file parsing using a tool with matching IOC
Description: A log parsing tool like logparser.exe is used to analyze system logs and its name matches a Nanocore IOC.
Filter/Exclusion: process.name != "logparser.exe" or process.parent.name == "services.exe" or process.parent.name == "eventvwr.exe"
Scenario: Third-party software with similar naming convention
Description: A third-party application like nanocore-monitor.exe is installed, which is not related to the RAT but shares the same name.
*Filter/