Overview

overview

10

Static

static

10

Moon.zip

windows7-x64

10

Moon.zip

windows10-2004-x64

1

Moon/Boots...on.exe

windows7-x64

10

Moon/Boots...on.exe

windows10-2004-x64

10

Moon/ForlornApi.dll

windows7-x64

1

Moon/ForlornApi.dll

windows10-2004-x64

1

Moon/Forlo...ct.dll

windows7-x64

1

Moon/Forlo...ct.dll

windows10-2004-x64

7

Moon/MoonBETA.exe

windows7-x64

1

Moon/MoonBETA.exe

windows10-2004-x64

1

Moon/MoonB...OT.exe

windows7-x64

3

Moon/MoonB...OT.exe

windows10-2004-x64

1

Moon/works...481.js

windows7-x64

3

Moon/works...481.js

windows10-2004-x64

3

Moon/works...ary.js

windows7-x64

3

Moon/works...ary.js

windows10-2004-x64

3

Moon/works...ler.js

windows7-x64

3

Moon/works...ler.js

windows10-2004-x64

3

Moon/works...sha.js

windows7-x64

3

Moon/works...sha.js

windows10-2004-x64

3

Moon/works...ipt.js

windows7-x64

3

Moon/works...ipt.js

windows10-2004-x64

3

Moon/works...sal.js

windows7-x64

3

Moon/works...sal.js

windows10-2004-x64

3

Resubmissions

18-12-2024 18:26

241218-w3lpnsykeq 10

18-12-2024 17:16

241218-vtjchswle1 10

Analysis

  • max time kernel
    226s
  • max time network
    226s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Moon.zip

  • Size

    10.5MB

  • MD5

    afdea462c07a140b63f6910a7b18e935

  • SHA1

    2bb124b1f6cbeb9126eab1f70561e6bd5a3642ba

  • SHA256

    c48b1d0562f49f921b34fa58c952a4dd991d111003c3543f8852fdddb0b0da4f

  • SHA512

    52a53c5f60ff6725705b9f7581cb69d2140b9f36804ce2987347ffff3e5fc3244fa9e5b5ab062989419dd0dfd6943f1af8b009cf16745d62b2cfa171f58499ab

  • SSDEEP

    196608:AdHOE10T4CiiCRuTnNIa216yWM4yaAJWriqQxwGuKcya190r0uPTqkbOa//:AdHgGiCRu6a3yWMP02qQxFAywTuPTqkl

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwOTY1NDI0NzE0Njc4MjczMw.GdCiWO.QDjWo8z0Xk0JdOHCguuepaT0RNYGA63CrYGXZo

  • server_id

    1280835675205406823

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Moon.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2840
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2404
    • C:\Users\Admin\AppData\Local\Temp\MoonBETARUNBOOT.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonBETARUNBOOT.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win7&apphost_version=8.0.8&gui=true
        2⤵
        • System Time Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a7f1719f61d0685596602d322ad1d6a1

      SHA1

      6bd1067da05ffb76da096a36d437bff43d9b21ee

      SHA256

      5546675c88001e84e03116df7c3add5d099bcefc35437ff021adaf79a9fe76f4

      SHA512

      6ba114f643ef1860be11eb7419513cfbff2d91383012ee8273a115cc600d3ab0d2610b2a7f90d6b90cc542364c63958437ebbde8f98582ad0519b275a9d5d4b0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      50a712ebb50adf5b55da399bfb9d47bd

      SHA1

      cd47c9e8ce59255e02c6ed44c021d2b3f8497b6b

      SHA256

      b2f58b6e524b0890d272e6167760f4f057641cd9b0047d151123884c1ba032cb

      SHA512

      77c6c28570bcf144a9a00044a0425029ffd0d493c01f545e86a1437b6355c6b4c30ecc068c9d59c4ef9bfa975cb9a4a7bd243dce2a90092952ed0eaf1fdaebf2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ebeb075fa6011f871630fcd303a39077

      SHA1

      69e6c8917f7de74749874d88abf392cbdcd0920f

      SHA256

      1455e184eff75cf498c5184e46fc37492ce958dcab0a9e483cf6029cf6f5c774

      SHA512

      374ffe92631968a60d6695437962b08ee52844ff2337aa2c7b9c877f1268395cae30812bf87e7eb9a9e9001d55a71f84628b6db7fee9696fb45d6247b549ba16

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bcdf560d2a6f9f30c0fea879369c170b

      SHA1

      614d29319614d532b4591b8d5590700f5c5e21df

      SHA256

      dbff87b9f540f98efdf50b59e61f7cbbcace1ca3501ab2260a6fd8ba7531876e

      SHA512

      db6ab645cbbdff5489d3b04878f254d732dcd920fdc81eb3e679abf64280c0926a117b2e0f7982323cef07d63f142befc1fa9c96af0bfbb01fdf8bc94eb86cc3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e2169aae486043dceb84bddee9291032

      SHA1

      6eeeeac0717aa5aaeb79ea0ca82c5accb3bc3750

      SHA256

      574f2f0371552b7693c355c8c57e37d72c0430c7f761ff2aaea3e83a61626730

      SHA512

      8b0609224dc8e9cb784164ff24006e85d41c25b8335f0ea80752df02ca0e896e5b34ba4b5d036288fef19f5f0b5e8a6fe7809bc395eef4fbab6d8cdd9ecf4240

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7e1052ad80bfd8035c6a7d7878d4f802

      SHA1

      b985b4dcf0e8aaf7731b03ea6739f4dfc9cbb396

      SHA256

      4ab18407019ecabb0bc31c9c47f7f1f067fa47c9e694d18eeee1e40faeda62d5

      SHA512

      881167c2c2ab1dfd8d9403b9fe90fbeffa4a728dae27d00f8fc11ac5322e36f42efa099c621890badcb782abc2335d49fc56a083fb0fda96e0221702c7489977

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      85cb9f14500e3e5ffb893e21cac85e29

      SHA1

      2552b3e3eabe6f3bcb75e748aaea0c8ebccbba0c

      SHA256

      903e92ea5f46896906734ec613f3da97ef94bd78b6aa0588ac314d38f2ccdf3c

      SHA512

      5f592968627f27cba0c6849d1007ba30fac912a5bf29783975c53b65d5f40d722d2ea9c0f3d21bcf73d0664d4aa766a8ec3a09c9268a579a2ab8db8f25545e85

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d26627ba5ea8a606040cd11b6bb01506

      SHA1

      ccc022f26ced2ea37388d2aeb8e1f653f00c3ecf

      SHA256

      2a9b4aa51aad7a69b756559e75e017686c1e4658b49a4254a1574212028b6d17

      SHA512

      ff9e22484c8a081c5e3b6ce8432fbc1d9a24455e7cd345d8775cbedff5cd3294c0a829a7142eb3933d3e8dd0fcc24c94aeb568d3a13a3e3fc60286e8c269bb3f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ac5e639362fa4f5bd91370257d8da199

      SHA1

      403ce464be6c1155128397f4df4438e8814d8ca2

      SHA256

      5d87b8065a6158a236bd84acff6ba1a098c37db3ff204930b8c94d4d2acb67fc

      SHA512

      ee3b8efad614ad019269324720e502f0f33147787cb9967c3f89cbb928d0450bf146066bdfff32a6524f2415a2ca7d82f68be7033bb376db37f6cf614657732a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3ab7f715e81d80312777d16ef753a709

      SHA1

      fcda373ab158cc9690b10eaa6697e9c72cb74229

      SHA256

      688b4095a51aa2b37696965646d856354274286b7165ff98c16b4484086001fd

      SHA512

      6e773dd190dee3732db3346f9811e7be21e9c93f6956a8eecd7648c2cd718d3bb7fd126b57355e6bf736e12533782b8d209fb0b28535c3ec83462edcb82970f0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3435448d1b748ff5b4e607ecd07bbc66

      SHA1

      eb93f729b945a7a3ad3ca07b953c65f8ceb77259

      SHA256

      5403d933e30a90c176105a783a23f278f4262ccbac93a6e136405b05cfa7087a

      SHA512

      f48ed59a3fc240c29041604cf2f4b24b385a68d4938891458e705cb50e0ff0129f8bfbbb8f1dae0f9bfbcb33aefe0147ba83e5895476f07b033a4f5d66348bb2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1990ddb0e56932067ea6a7d268ad08d3

      SHA1

      4fea2acb47000dd399f5d064cefedb9461d81778

      SHA256

      f30f2371e38ba644695564f6e579b4c7ea1f1113d99e7e0202144e92e038d568

      SHA512

      a213fb201067370cf4a087da998e02649e05e4016672733b0e05feaef0eae3906849b0f6f118578ed0110256bf1757f85edd5f6c34baf426b75a2646f1bf79d6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      97d97b3e4fec04589c891df6f6246d33

      SHA1

      5f2f5eb4a027ab13c1a5708f625ba540b576e50e

      SHA256

      c14c7f8251e55b8a3dfb0f00a92af1a1b993a4a520f26a7e144f6b50720c2964

      SHA512

      7735cc21770d1ee1f62edc00fd72bc8c9eba40120ebe9d7d8cfa2ade6764573da55e63242dd3586d442b8dfcc4fa822fcb25a8755a5e3e010e9e7f3c5aa3f7e5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b264dbf1ca138123d6e2fb3368e79cc8

      SHA1

      1f40604eb7460d5cd9a59f996faeffba9667e121

      SHA256

      31a5078f05b337972a5df93293161d8d7bd2ef1fda0485aedf312c58385c876c

      SHA512

      44e9a1e318334e5d6ccc01c1da8ef0bfdcfa493d0c3e60cc0020403358063740918c4469307aee4a46e335ae8de7d21f8863218e2311781324fc93bbdbc9f8aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bc4243fea0253151099ac72eecfffbf0

      SHA1

      a61cfc27b129ee83b0d69fb5480e17024834ccc0

      SHA256

      a136905f31d3e719c03d26742cb97eba054ff7266e18119f2e239403c537f2a0

      SHA512

      78069ab42923d91bda4704f693e7b573c519ed8cc74a107b5aac2acdba4ea6982c0e68a6643391aa5bcb33e2c6e82b9f25d15b64618a5d6916a156cfd53faae5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cbec0059e6a2a1054e46c8d970f760b7

      SHA1

      aeaf08cc72b2f9b631363d5cdcc5ecd170fd14e4

      SHA256

      6ab6833b6f30683d73444807706986680d508fbfa6a7f1b31c2c20e4104e01a6

      SHA512

      856bc46d0ffa5c903781687068dadf2117162766638c5e9b3e799647de8456822f0ec159eed1d683aea90fbd5f132c0b3daaf647ab32e9717acfdc74fef85e52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabD5E7.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarD6C5.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\BootstraperRunmethenopenMoon.exe
      Filesize

      78KB

      MD5

      be484423fb9da2ded0ce793764f37802

      SHA1

      911dfe225fb915847f497588a201db06e2fd787f

      SHA256

      aff38167e9c702dab38347e95973ae16fa21b23f9bfa5874bf3f9b269e6a4b3a

      SHA512

      a17a457d8d2f2a5bac799e3191c76d14fc955e9d95af2dc938a92b2bb668c97221aa87915c1e9fb65ad557e1cb3e8e41d6e0542b6853f78fb11331f32022746c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MoonBETARUNBOOT.exe
      Filesize

      135KB

      MD5

      2f4a9e448314620c6395ffeb7b2badf2

      SHA1

      45649c5a62007d47c90ddaa072ba746f04e5fb9b

      SHA256

      23fa7314c51fccaac9a9e79a67951194379ba785f1ef6b3932daa0ad62455eab

      SHA512

      fe882ecb71ab4b2d5ae00ba3cb8ee4e1b1d3f5cfc08ac3bbeb0360b55718f5433a96d1588be792efd0688e8855a3a593d0c79234e4e0eca95ba0bad9bc8530c0

      Download Submit