SYMBOLCOMMON_NAMEaka. SYNONYMS
win.moontag (Back to overview)

MOONTAG

VTCollection    

The malware, potentially named "MOON_TAG" by its developer as indicated by the strings within, is derived from code shared in a Google Group (https://groups.google.com/g/ph4nt0m/c/2J3_1XPeKD8/m/AYPoWudRcTAJ?pli=1). Each variant discovered possesses capabilities to communicate via the Microsoft Graph API. At this moment, it appears to be in development.

References
2024-08-07SymantecThreat Hunter Team
Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
GoGra Grager MOONTAG Ondritols TONERJAM
Yara Rules
[TLP:WHITE] win_moontag_auto (20260504 | Detects win.moontag.)
rule win_moontag_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.moontag."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moontag"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7408 488d58ff 48895db8 4885f6 7407 }
            // n = 5, score = 200
            //   7408                 | xor                 edx, edx
            //   488d58ff             | dec                 ecx
            //   48895db8             | cmp                 eax, eax
            //   4885f6               | dec                 esp
            //   7407                 | mov                 eax, dword ptr [edi + 0x18]

        $sequence_1 = { 4d85c0 7454 4885d2 744f 41f7401800020000 750f 498b4838 }
            // n = 7, score = 200
            //   4d85c0               | dec                 esp
            //   7454                 | cmovb               edi, eax
            //   4885d2               | dec                 ebp
            //   744f                 | cmp                 edi, esi
            //   41f7401800020000     | je                  0xa
            //   750f                 | dec                 eax
            //   498b4838             | lea                 ebx, [eax - 1]

        $sequence_2 = { 0f8396010000 4c8b4210 48ffc0 48894218 }
            // n = 4, score = 200
            //   0f8396010000         | jae                 0x19c
            //   4c8b4210             | dec                 esp
            //   48ffc0               | mov                 eax, dword ptr [edx + 0x10]
            //   48894218             | dec                 eax

        $sequence_3 = { 488bf2 488bf9 4885c9 0f8494000000 4885d2 0f848b000000 48895c2430 }
            // n = 7, score = 200
            //   488bf2               | dec                 eax
            //   488bf9               | mov                 dword ptr [ebp - 0x48], ebx
            //   4885c9               | dec                 eax
            //   0f8494000000         | test                esi, esi
            //   4885d2               | je                  0x14
            //   0f848b000000         | dec                 ebp
            //   48895c2430           | test                eax, eax

        $sequence_4 = { 7708 0fb6c1 8d48c9 eb11 8d419f 3c05 0f87ef000000 }
            // n = 7, score = 200
            //   7708                 | ja                  0xa
            //   0fb6c1               | movzx               eax, cl
            //   8d48c9               | lea                 ecx, [eax - 0x37]
            //   eb11                 | jmp                 0x13
            //   8d419f               | lea                 eax, [ecx - 0x61]
            //   3c05                 | cmp                 al, 5
            //   0f87ef000000         | ja                  0xf5

        $sequence_5 = { 81c7204e0000 833d????????00 758a b801000000 488b8c2430010000 4833cc e8???????? }
            // n = 7, score = 200
            //   81c7204e0000         | inc                 eax
            //   833d????????00       |                     
            //   758a                 | dec                 eax
            //   b801000000           | mov                 dword ptr [edx + 0x18], eax
            //   488b8c2430010000     | add                 edi, 0x4e20
            //   4833cc               | jne                 0xffffff92
            //   e8????????           |                     

        $sequence_6 = { 7f13 0f8cff040000 0fb744244c 3bc2 0f8cf2040000 33d2 }
            // n = 6, score = 200
            //   7f13                 | mov                 eax, 1
            //   0f8cff040000         | dec                 eax
            //   0fb744244c           | mov                 ecx, dword ptr [esp + 0x130]
            //   3bc2                 | dec                 eax
            //   0f8cf2040000         | xor                 ecx, esp
            //   33d2                 | jg                  0x15

        $sequence_7 = { 493bc0 4c8b4718 4c0f42f8 4d3bfe }
            // n = 4, score = 200
            //   493bc0               | jl                  0x505
            //   4c8b4718             | movzx               eax, word ptr [esp + 0x4c]
            //   4c0f42f8             | cmp                 eax, edx
            //   4d3bfe               | jl                  0x505

        $sequence_8 = { 03c1 68???????? 50 ffd3 83c40c 85c0 }
            // n = 6, score = 100
            //   03c1                 | add                 eax, ecx
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_9 = { 03c2 3bf8 0f838f010000 8b0d???????? }
            // n = 4, score = 100
            //   03c2                 | add                 eax, edx
            //   3bf8                 | cmp                 edi, eax
            //   0f838f010000         | jae                 0x195
            //   8b0d????????         |                     

        $sequence_10 = { 03c1 3bf8 0f42f8 33c9 8bc7 83c001 56 }
            // n = 7, score = 100
            //   03c1                 | add                 eax, ecx
            //   3bf8                 | cmp                 edi, eax
            //   0f42f8               | cmovb               edi, eax
            //   33c9                 | xor                 ecx, ecx
            //   8bc7                 | mov                 eax, edi
            //   83c001               | add                 eax, 1
            //   56                   | push                esi

        $sequence_11 = { 033d???????? 837d8400 0f4e3d???????? 83c734 }
            // n = 4, score = 100
            //   033d????????         |                     
            //   837d8400             | cmp                 dword ptr [ebp - 0x7c], 0
            //   0f4e3d????????       |                     
            //   83c734               | add                 edi, 0x34

        $sequence_12 = { 03c1 50 898570ecffff 8d8574ecffff }
            // n = 4, score = 100
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax
            //   898570ecffff         | mov                 dword ptr [ebp - 0x1390], eax
            //   8d8574ecffff         | lea                 eax, [ebp - 0x138c]

        $sequence_13 = { 03c1 8b0d???????? a3???????? 3bc1 }
            // n = 4, score = 100
            //   03c1                 | add                 eax, ecx
            //   8b0d????????         |                     
            //   a3????????           |                     
            //   3bc1                 | cmp                 eax, ecx

        $sequence_14 = { 014e08 b801000000 5f 5e 5b 8b4c2458 }
            // n = 6, score = 100
            //   014e08               | add                 dword ptr [esi + 8], ecx
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8b4c2458             | mov                 ecx, dword ptr [esp + 0x58]

        $sequence_15 = { 03421c 03c6 3bc8 760c }
            // n = 4, score = 100
            //   03421c               | add                 eax, dword ptr [edx + 0x1c]
            //   03c6                 | add                 eax, esi
            //   3bc8                 | cmp                 ecx, eax
            //   760c                 | jbe                 0xe

    condition:
        7 of them and filesize < 203776
}
Download all Yara Rules