The detection identifies potential Nanocore RAT activity through suspicious IOCs associated with command and control communication, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | u888.it.com | botnet_cc | 2026-04-23 | 75% |
| ip:port | 38[.]242[.]144[.]218:717 | botnet_cc | 2026-04-23 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The ThreatFox IOC is 38.242.144.218:717; matching on the IP alone keeps hits even if the C2 port changes.
let malicious_ips = dynamic(["38.242.144.218"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["38.242.144.218"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["u888.it.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
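As an added example (not part of the original page), a small Python helper that refangs the defanged IOC values from the summary table, validates the IP, splits the ip:port pair, and emits the CommonSecurityLog hunt with an extra column flagging hits on the exact port 717 while still returning IP-only hits; the function names and the ExactC2Match column are assumptions of this example.

```python
import ipaddress

# Constructed sample input: the two IOC rows from the table above, still defanged.
IOC_ROWS = [
    "| domain | u888.it.com | botnet_cc | 2026-04-23 | 75% |",
    "| ip:port | 38[.]242[.]144[.]218:717 | botnet_cc | 2026-04-23 | 100% |",
]

def refang(value: str) -> str:
    """Undo common defanging so the value matches what the logs actually contain."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def parse_ioc_rows(rows):
    """Split markdown IOC rows into validated IPs, (ip, port) pairs and domains."""
    out = {"ips": [], "ip_ports": [], "domains": []}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue  # header, separator or malformed row
        kind, value = cells[0].lower(), refang(cells[1])
        if kind == "domain":
            out["domains"].append(value.lower())
        elif kind in ("ip", "ip:port"):
            ip, _, port = value.rpartition(":") if ":" in value else (value, "", "")
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            out["ips"].append(ip)
            if port:
                out["ip_ports"].append((ip, int(port)))
    return out

def kql_list(values):
    """Render a Python list as a KQL dynamic() array literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def build_kql(iocs):
    """Emit the CommonSecurityLog hunt; ExactC2Match (a column name chosen for this
    example) is true only when both the IOC IP and its port 717 match."""
    exact = " or ".join(
        f'(DestinationIP == "{ip}" and DestinationPort == {port})'
        for ip, port in iocs["ip_ports"]
    ) or "false"
    return "\n".join([
        f"let malicious_ips = {kql_list(iocs['ips'])};",
        "CommonSecurityLog",
        "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)",
        f"| extend ExactC2Match = {exact}",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactC2Match, DeviceAction, Activity",
        "| order by TimeGenerated desc",
    ])
```

Paste the returned string into the Sentinel Logs blade as-is; the domain list from parse_ioc_rows can be fed to the DnsEvents query in the same way.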
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore.exe for system diagnostics
Description: A system administrator schedules a legitimate diagnostic tool named nanocore.exe to run daily for log analysis.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\ or C:\Program Files\ and the command line includes -diag or -log.
Scenario: Use of nanocore.exe by a legitimate security tool for malware analysis
Description: A security team uses a tool named nanocore.exe (not related to the RAT) for analyzing malware samples in a sandboxed environment.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., a modified C:\Windows\System32\drivers\etc\hosts file, or the string sandbox present in the command line).
Scenario: Admin task involving nanocore.exe for network interface configuration
Description: A network administrator uses a tool named nanocore.exe (a real network configuration utility) to manage network interfaces.
Filter/Exclusion: Exclude processes where the command line includes netsh, ipconfig, or ifconfig, and the user is a domain admin with elevated privileges.
Scenario: Legitimate software update using nanocore.exe as part of a vendor toolset
Description: A software vendor includes nanocore.exe as part of a legitimate update package for a system management tool.
Filter/Exclusion: Exclude processes where the file is located in a vendor-specific directory (e.g., C:\Program Files\Vendor\Tools\) and the command line includes update or install.
Scenario: Use of nanocore.exe in a legitimate penetration testing lab environment