
Dataprise Defense Digest: Moonrise Remote Access Trojan


Threat Name: Moonrise RAT (Go-based Remote Access Trojan)

Severity Level: High

Executive Summary

Moonrise is a Go-based Remote Access Trojan (RAT) observed in a sandbox detonation exhibiting classic foothold behavior: it runs a masqueraded payload (svchost.exe) from a user-writable Temp directory, establishes persistence via a Startup VBS script, and shows indicators consistent with remote-access/C2-style communications. If executed in a corporate environment, this behavior can enable interactive remote control, follow-on payload delivery, credential/data access, and long-term persistence.

Details

Analysis of moonrise-client.exe in ANY.RUN recorded:

  • Payload staging & masquerading: execution of svchost.exe from …\AppData\Local\Temp\WindowsServices\svchost.exe (a non-standard location; the legitimate Windows svchost.exe resides in C:\Windows\System32).
  • Persistence: a Startup item WindowsService.vbs written to …\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsService.vbs, enabling relaunch at user logon.
  • Sample identification: the sandbox report lists the analyzed sample SHA-256 and flags malicious activity.

Impact

If Moonrise executes on a production endpoint, likely impacts include unauthorized remote access, persistence across logons, and follow-on actions commonly associated with RATs (operator-driven command execution, credential/data collection, and additional payload delivery).

Mitigation Strategies

Hunt and alert in security tools for the high-signal chain:

  • svchost.exe executing from …\AppData\Local\Temp\WindowsServices\.
  • Creation of …\Startup\WindowsService.vbs.
  • Any suspicious outbound connections from the same process lineage.

Respond to confirmed matches:

  • Contain affected hosts: isolate endpoints that match the indicators and preserve evidence (hashes, command lines, parent process lineage).
  • Eradicate persistence: remove WindowsService.vbs from Startup and remove the dropped Temp payload(s) after evidence collection.
  • Post-execution response: if internal execution is confirmed, reset credentials used on impacted hosts and review authentication telemetry for follow-on access (standard RAT response practice).
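The hunt logic above, expressed as an added example that is not part of this digest or of the ANY.RUN report. It runs three detections over Sysmon-style process-create, file-create and network-connect events: an svchost.exe image outside C:\Windows\System32 or SysWOW64 (high severity when it sits in the Temp\WindowsServices path from the indicators, medium otherwise, which generalizes beyond the single path on this page), creation of WindowsService.vbs in a Startup folder, and any outbound connection from a process whose parent chain includes an already-flagged process. The sample events, host name, PIDs and destination addresses are constructed for the example; the only values taken from the digest are the two file paths.

```python
import re

# Constructed Sysmon-style events (hypothetical user, PIDs and destination IPs);
# event IDs follow Sysmon conventions: 1 = ProcessCreate, 11 = FileCreate, 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 3000,
     "image": r"C:\Users\alice\Downloads\moonrise-client.exe"},
    {"id": 1, "pid": 4120, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\WindowsServices\svchost.exe"},
    {"id": 11, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsService.vbs"},
    {"id": 3, "pid": 4120, "dest": "203.0.113.10", "port": 443},
    # Benign control: the real svchost.exe from System32 connecting out must not be flagged.
    {"id": 1, "pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 900, "dest": "198.51.100.5", "port": 443},
]

# Directories where a legitimate svchost.exe is expected to live (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Exact drop path from the digest's indicators (user portion of the path is a wildcard).
TEMP_DROP_RE = re.compile(r"\\appdata\\local\\temp\\windowsservices\\svchost\.exe$", re.I)
# Startup-folder persistence file from the digest's indicators.
STARTUP_VBS_RE = re.compile(r"\\start menu\\programs\\startup\\windowsservice\.vbs$", re.I)


def check_svchost(image):
    """Return (rule, severity) when an svchost.exe image runs outside the system directories."""
    low = image.lower()
    if not low.endswith("\\svchost.exe"):
        return None
    if low.startswith(SYSTEM_DIRS):
        return None
    if TEMP_DROP_RE.search(image):
        return ("svchost_from_temp_windowsservices", "high")
    return ("svchost_outside_system_dir", "medium")


def lineage_is_flagged(pid, parent, flagged, max_depth=16):
    """Walk pid -> ppid until a flagged process is found, the chain ends, or max_depth is hit."""
    depth = 0
    while pid is not None and depth < max_depth:
        if pid in flagged:
            return True
        pid = parent.get(pid)
        depth += 1
    return False


def hunt(events):
    """Evaluate the three Moonrise hunt rules over an event stream; returns a list of findings."""
    parent = {}      # pid -> ppid, built from ProcessCreate events
    flagged = set()  # pids that matched a file/path rule
    findings = []
    for ev in events:
        if ev["id"] == 1:
            parent[ev["pid"]] = ev["ppid"]
            hit = check_svchost(ev["image"])
            if hit:
                flagged.add(ev["pid"])
                findings.append({"rule": hit[0], "severity": hit[1],
                                 "pid": ev["pid"], "detail": ev["image"]})
        elif ev["id"] == 11:
            if STARTUP_VBS_RE.search(ev["target"]):
                flagged.add(ev["pid"])
                findings.append({"rule": "startup_windowsservice_vbs", "severity": "high",
                                 "pid": ev["pid"], "detail": ev["target"]})
        elif ev["id"] == 3:
            # Outbound traffic is only interesting here when its lineage already matched a rule.
            if lineage_is_flagged(ev["pid"], parent, flagged):
                findings.append({"rule": "outbound_from_flagged_lineage", "severity": "medium",
                                 "pid": ev["pid"], "detail": f"{ev['dest']}:{ev['port']}"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']} pid={finding['pid']} {finding['detail']}")
```

On the constructed stream this yields three findings, all on pid 4120 (the Temp-path svchost, the Startup VBS write, and the outbound connection), while the System32 svchost.exe and its connection produce nothing. The outbound rule is deliberately gated on lineage rather than on destination, since the digest lists no network indicators; plug the two path rules into whatever query language your EDR or SIEM uses and keep the lineage join as the reason an otherwise ordinary connection is escalated.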

Key Indicators

File/Path Indicators (Windows)

  • C:\Users\<user>\AppData\Local\Temp\WindowsServices\svchost.exe
  • C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsService.vbs

Sample / Hashes (SHA-256)

  • ED5471D42BEF6B32253E9C1ABA49B01B8282FD096AD0957ABCF1A1E27E8F7551

Associated names (as observed in reporting / analysis)

  • moonrise-client.exe (sample name used in sandbox context)
  • Moonrise (family naming used in ANY.RUN public reporting)

Sources

  • ANY.RUN sandbox report (task: d3e5e733-3b0d-4cf7-a7a8-ea1553cd16b9): https://any.run/report/ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551/d3e5e733-3b0d-4cf7-a7a8-ea1553cd16b9
  • ANY.RUN LinkedIn post introducing the Moonrise naming: https://www.linkedin.com/posts/any-run_moonrise-anyrun-anyrun-activity-7429889782744338432-m2TU
  • PCRisk background description (Moonrise as Go-based RAT): https://www.pcrisk.com/removal-guides/34973-moonrise-rat
  • Malwarebytes RAT overview (general RAT impact/response context): https://www.malwarebytes.com/blog/threats/remote-access-trojan-rat

Contributing Author:

Jason Law: Cybersecurity Analyst, Dataprise
