The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control capabilities within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary

Malware Family: Nanocore RAT
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | j88vm.com | botnet_cc | 2026-05-09 | 75% |
| domain | m-u88.com | botnet_cc | 2026-05-09 | 75% |
| ip:port | 185[.]170[.]76[.]249:443 | botnet_cc | 2026-05-09 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The indicator is published as ip:port (443); the match below is on the IP alone,
// so review DestinationPort in the results to confirm the C2 port.
let malicious_ips = dynamic(["185.170.76.249"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName identifies the process that opened the connection
let malicious_ips = dynamic(["185.170.76.249"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// has_any is term-based, so subdomains of the listed domains also match
let malicious_domains = dynamic(["j88vm.com", "m-u88.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
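The same matching logic as the three queries above, written in Python as an added example (not part of the original hunt content): it refangs the IOC table, renders the `dynamic([...])` lists the KQL uses, and evaluates constructed sample events, additionally checking the port on the ip:port indicator, which the KQL matches on IP alone. The IOC rows are copied from the table above; the sample events are constructed.

```python
IOCS = [  # rows from the IOC table above; the IP is defanged as published
    ("domain", "j88vm.com"),
    ("domain", "m-u88.com"),
    ("ip:port", "185[.]170[.]76[.]249:443"),
]

def refang(value):
    """Restore defanged notation ('[.]', 'hxxp') so the value can be compared."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def load_iocs(rows):
    """Split IOCs into the lookup sets the three Sentinel queries need."""
    domains, ips, ip_ports = set(), set(), set()
    for ioc_type, raw in rows:
        value = refang(raw).lower()
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ips.add(ip)
            ip_ports.add((ip, int(port)))
    return domains, ips, ip_ports

def kql_dynamic(values):
    """Render a set as the dynamic([...]) literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def domain_matches(name, domains):
    """True for an IOC domain or any subdomain of it; 'notj88vm.com' must not hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def hunt(events, rows):
    """Return (event, reason) for every event that hits an indicator."""
    domains, ips, ip_ports = load_iocs(rows)
    hits = []
    for ev in events:
        if ev.get("RemoteIP") in ips:
            exact = (ev["RemoteIP"], ev.get("RemotePort")) in ip_ports
            hits.append((ev, "ip:port" if exact else "ip (port differs)"))
        elif "Name" in ev and domain_matches(ev["Name"], domains):
            hits.append((ev, "domain"))
    return hits
# Constructed sample telemetry (not real logs), shaped like DeviceNetworkEvents / DnsEvents rows
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "185.170.76.249", "RemotePort": 443},
    {"DeviceName": "ws02", "RemoteIP": "185.170.76.249", "RemotePort": 8080},
    {"Computer": "ws03", "Name": "cdn.j88vm.com"},
    {"Computer": "ws04", "Name": "notj88vm.com"},
]
```

A hit on the IP with a different port is still worth triage; it is reported separately only so the analyst can see at a glance which events match the published C2 port.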
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using Nanocore-based tool
Description: A system update process uses a tool with a name similar to Nanocore RAT, such as nanocore_updater.exe, which is part of a legitimate enterprise software deployment tool.
Filter/Exclusion: process.name != "nanocore_updater.exe" OR process.parent.name == "setup.exe" OR process.path contains "software_updates"
Scenario: Scheduled backup job using Nanocore-related scripts
Description: A scheduled backup job runs a script named nanocore_backup.bat that is part of a legitimate backup solution, such as Veeam or Acronis.
Filter/Exclusion: process.name != "nanocore_backup.bat" OR process.parent.name == "schtasks.exe" OR process.path contains "backup_tools"
Scenario: Admin task using Nanocore-related command-line tools
Description: An administrator runs a command-line tool named nanocore_diag.exe as part of routine system diagnostics or troubleshooting.
Filter/Exclusion: process.name != "nanocore_diag.exe" OR user.name == "admin" OR process.parent.name == "cmd.exe"
Scenario: Legitimate third-party software with similar IOC
Description: A third-party software tool, such as nanocore_utils.exe, is used in the environment and has a file name that matches the IOC for Nanocore RAT.
Filter/Exclusion: file.name != "nanocore_utils.exe" OR file.path contains "third_party_tools" OR file.hash matches known legitimate hash
Scenario: False positive from a security tool’s own components
Description: A security tool, such as CrowdStrike or Microsoft Defender, has a component with a name similar