The detection identifies potential Nanocore RAT activity through suspicious IOCs associated with command and control communication, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 34f0612b6ceff640754500f6c0f4d70e385db4cbe1807fa6974808e9b66cbb96 | payload | 2026-06-09 | 100% |
| ip:port | 82[.]22[.]77[.]179:54984 | botnet_cc | 2026-06-09 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The IP is the refanged form of 82[.]22[.]77[.]179 from the IOC table; the
// reported C2 port (54984) is projected but not filtered on, so that sessions to
// the same host on another port are still surfaced for triage.
let malicious_ips = dynamic(["82.22.77.179"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["82.22.77.179"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Nanocore RAT
// The feed publishes SHA256 hashes only, so the comparison is restricted to the
// SHA256 column; matching SHA1 or MD5 against a SHA256 list can never succeed.
let malicious_hashes = dynamic(["34f0612b6ceff640754500f6c0f4d70e385db4cbe1807fa6974808e9b66cbb96"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
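The queries above embed the indicators by hand, and the IOC table publishes them in defanged form (`82[.]22[.]77[.]179:54984`), so a practical step is to refang the feed values, generate the `let` statements from them, and sanity-check the matching logic against a few known events before running it in Sentinel. The following Python script is an added example, not part of the original page or of ThreatFox tooling; the sample telemetry it matches against is constructed here in the shape of the `DeviceNetworkEvents` and `DeviceFileEvents` columns, and the `port_match` flag is an added triage hint that the KQL queries themselves do not compute.

```python
import json

# IOCs exactly as published in the table above (defanged form).
RAW_IOCS = [
    ("sha256_hash", "34f0612b6ceff640754500f6c0f4d70e385db4cbe1807fa6974808e9b66cbb96"),
    ("ip:port", "82[.]22[.]77[.]179:54984"),
]


def refang(value):
    """Restore a defanged indicator to its literal form so it matches log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def split_ip_port(value):
    """Split an 'ip:port' indicator into (ip, port); port is None when absent."""
    host, sep, port = refang(value).rpartition(":")
    if not sep:
        return port, None  # no ':' present, so the whole value is the host
    return host, int(port)


def extract_indicators(iocs):
    """Group indicators by the telemetry field they are matched against."""
    ips, ports, hashes = set(), {}, set()
    for ioc_type, value in iocs:
        if ioc_type == "ip:port":
            ip, port = split_ip_port(value)
            ips.add(ip)
            if port is not None:
                ports.setdefault(ip, set()).add(port)
        elif ioc_type == "sha256_hash":
            hashes.add(value.lower())
    return sorted(ips), ports, sorted(hashes)


def build_kql_lets(iocs):
    """Render the `let` lines used by the hunting queries.

    JSON array syntax is also valid inside KQL dynamic(), so json.dumps is enough."""
    ips, _, hashes = extract_indicators(iocs)
    return (
        f"let malicious_ips = dynamic({json.dumps(ips)});",
        f"let malicious_hashes = dynamic({json.dumps(hashes)});",
    )


def match_network_events(events, iocs):
    """Mirror the DeviceNetworkEvents query locally.

    The query matches on IP only; port_match records whether the reported C2
    port was also hit, which helps rank the alert during triage."""
    ips, ports, _ = extract_indicators(iocs)
    hits = []
    for ev in events:
        if ev["RemoteIP"] in ips:
            port_hit = ev["RemotePort"] in ports.get(ev["RemoteIP"], set())
            hits.append({**ev, "port_match": port_hit})
    return hits


def match_file_events(events, iocs):
    """Mirror the DeviceFileEvents query: SHA256 only, compared case-insensitively."""
    _, _, hashes = extract_indicators(iocs)
    return [ev for ev in events if ev.get("SHA256", "").lower() in hashes]


# Constructed sample telemetry (not real log data), shaped like the Defender tables.
SAMPLE_NETWORK_EVENTS = [
    {"Timestamp": "2026-06-09T10:01:00Z", "DeviceName": "WS01", "RemoteIP": "82.22.77.179",
     "RemotePort": 54984, "InitiatingProcessFileName": "installer.exe"},
    {"Timestamp": "2026-06-09T10:02:00Z", "DeviceName": "WS02", "RemoteIP": "82.22.77.179",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-09T10:03:00Z", "DeviceName": "WS03", "RemoteIP": "1.1.1.1",
     "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"Timestamp": "2026-06-09T09:58:00Z", "DeviceName": "WS01", "FileName": "update.exe",
     "SHA256": "34F0612B6CEFF640754500F6C0F4D70E385DB4CBE1807FA6974808E9B66CBB96"},
    {"Timestamp": "2026-06-09T09:59:00Z", "DeviceName": "WS02", "FileName": "notepad.exe",
     "SHA256": "0" * 64},
]

if __name__ == "__main__":
    for line in build_kql_lets(RAW_IOCS):
        print(line)
    for hit in match_network_events(SAMPLE_NETWORK_EVENTS, RAW_IOCS):
        print("network hit:", hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"],
              "port_match=", hit["port_match"])
    for hit in match_file_events(SAMPLE_FILE_EVENTS, RAW_IOCS):
        print("file hit:", hit["DeviceName"], hit["FileName"])
```

Running the script prints the two `let` statements ready to paste into the queries, one network hit where both IP and port match (WS01), one IP-only hit (WS02) that still warrants a look but ranks lower, and one file hit despite the upper-case hash in the event, which is why the file query uses a case-insensitive comparison.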
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
- Scenario: Legitimate scheduled job using nanocore.exe as part of a backup tool
  - Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\ or C:\Program Files\ and the nanocore.exe process is used by a known backup tool (e.g., Veeam, Acronis).
- Scenario: Admin task using nanocore.exe for network diagnostics
  - Filter/Exclusion: Exclude processes initiated by the Administrators group and running from a known network diagnostic tool (e.g., Wireshark, tcpdump, netsh), or where the command line includes --diag or --network.
- Scenario: Legitimate software update using nanocore.exe as part of a patching tool
  - Filter/Exclusion: Exclude processes where the parent process is msiexec.exe or setup.exe and the command line includes patch, update, or install.
- Scenario: False positive from a security tool scanning for malware
  - Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., Microsoft Defender, Malwarebytes, Kaspersky) and the nanocore.exe process is used for signature scanning.
- Scenario: Legitimate system cleanup using nanocore.exe as part of a maintenance script
  - Filter/Exclusion: Exclude processes where the command line includes clean, remove, or delete and the process is initiated by a known maintenance script (e.g., Task Scheduler, PowerShell, or a batch file invoking cleanmgr.exe).