
MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64)

The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) | RAT | MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) | Tool | 1 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) | Tool | 1 |
| MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) | Malpedia | MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) | Tool | 1 |
| MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) | RAT | MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | 2 |
| MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) | RAT | MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) | Malpedia | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 2 |
| MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) | Malware | MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) | Malpedia | 2 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 3 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 3 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 3 |