Skip to content

Hide Navigation Hide TOC

MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64)

The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,

Cluster A Galaxy A Cluster B Galaxy B Level
MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) Malpedia MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) Tool 1
MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) RAT MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) Tool 1
MoonWind (76ec1827-68a1-488f-9899-2b788ea8db64) Tool MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 1
MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) Malpedia MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) RAT 2
MoonWind (f266754c-d0aa-4918-95a3-73b28eaa66e3) RAT MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
MoonWind (8465177f-16c8-47fc-a4c8-f4c0409fe460) Malpedia MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern MoonWind - S0149 (9ea525fa-b0a9-4dde-84f2-bcea0137b3c1) Malware 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3