SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microbackdoor (Back to overview)

MicroBackdoor

Actor(s): Ghostwriter

VTCollection    

Open-source lightweight backdoor for C2 communication.
GitHub: https://github.com/Cr4sh/MicroBackdoor

References
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20MandiantMandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-04-29AttackIQFrancis Guibernau, Jackson Wells
Attack Graph Response to UNC1151 Continued Targeting of Ukraine
MicroBackdoor
2022-04-07InQuestNick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-14QianxinRed Raindrop Team
Analysis Of Attack Activities Of Suspected APT Organization UNC1151 Against Ukraine And Other Countries
MicroBackdoor
2022-03-08Cluster25Cluster25
GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine
MicroBackdoor
2022-03-07Cert-UACert-UA
UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)
MicroBackdoor
2021-05-04Cr4sh
Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets
MicroBackdoor
Yara Rules
[TLP:WHITE] win_microbackdoor_auto (20260504 | Detects win.microbackdoor.)
rule win_microbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.microbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 ffd7 6810270000 ff15???????? }
            // n = 4, score = 100
            //   56                   | movzx               eax, word ptr [ecx + 0x1000101c]
            //   ffd7                 | mov                 word ptr [ebp + ecx - 0x444], ax
            //   6810270000           | add                 ecx, ebx
            //   ff15????????         |                     

        $sequence_1 = { 90 0fb7841120840000 488d4902 6689840dae010000 6685c0 75e7 0f1f8000000000 }
            // n = 7, score = 100
            //   90                   | test                ecx, ecx
            //   0fb7841120840000     | je                  0x94
            //   488d4902             | dec                 ecx
            //   6689840dae010000     | je                  0x74
            //   6685c0               | nop                 
            //   75e7                 | movzx               eax, word ptr [ecx + edx + 0x8420]
            //   0f1f8000000000       | dec                 eax

        $sequence_2 = { 8bec 83ec18 56 57 33c0 c745fc14000000 8d7de8 }
            // n = 7, score = 100
            //   8bec                 | test                ax, ax
            //   83ec18               | pop                 ebp
            //   56                   | ret                 
            //   57                   | push                ebp
            //   33c0                 | mov                 ebp, esp
            //   c745fc14000000       | push                dword ptr [ebp + 0xc]
            //   8d7de8               | push                eax

        $sequence_3 = { 5d c3 55 8bec ff750c ff15???????? 50 }
            // n = 7, score = 100
            //   5d                   | lea                 edx, [ebp + 0x110]
            //   c3                   | dec                 eax
            //   55                   | mov                 dword ptr [esp + 0x48], eax
            //   8bec                 | test                eax, eax
            //   ff750c               | jne                 0xc4
            //   ff15????????         |                     
            //   50                   | push                dword ptr [ebp + 0xc]

        $sequence_4 = { 0f84f1010000 0f1f00 8b8578020000 85c0 7548 488b4c2458 488d9568020000 }
            // n = 7, score = 100
            //   0f84f1010000         | nop                 dword ptr [eax]
            //   0f1f00               | dec                 eax
            //   8b8578020000         | mov                 ecx, dword ptr [esp + 0x30]
            //   85c0                 | jmp                 0x15
            //   7548                 | dec                 eax
            //   488b4c2458           | lea                 ecx, [0x498b]
            //   488d9568020000       | mov                 edx, eax

        $sequence_5 = { 4156 4881ec58020000 4c8bf1 ba0000a000 b940000000 ff15???????? }
            // n = 6, score = 100
            //   4156                 | inc                 ecx
            //   4881ec58020000       | push                esi
            //   4c8bf1               | dec                 eax
            //   ba0000a000           | sub                 esp, 0x258
            //   b940000000           | dec                 esp
            //   ff15????????         |                     

        $sequence_6 = { 8bce 0fb7811c100010 6689840dbcfbffff 03cb 6685c0 }
            // n = 5, score = 100
            //   8bce                 | inc                 ecx
            //   0fb7811c100010       | mov                 ecx, esi
            //   6689840dbcfbffff     | dec                 eax
            //   03cb                 | lea                 eax, [esp + 0x58]
            //   6685c0               | dec                 eax

        $sequence_7 = { ff750c 57 ff15???????? 57 ff7508 e8???????? }
            // n = 6, score = 100
            //   ff750c               | mov                 dword ptr [esp + 0x40], esp
            //   57                   | mov                 word ptr [esp + 0x42], ax
            //   ff15????????         |                     
            //   57                   | test                eax, eax
            //   ff7508               | jne                 0x368
            //   e8????????           |                     

        $sequence_8 = { 8bd0 e8???????? 33c0 4881c438010000 5b 5d c3 }
            // n = 7, score = 100
            //   8bd0                 | mov                 esi, ecx
            //   e8????????           |                     
            //   33c0                 | mov                 edx, 0xa00000
            //   4881c438010000       | mov                 ecx, 0x40
            //   5b                   | mov                 edx, eax
            //   5d                   | xor                 eax, eax
            //   c3                   | dec                 eax

        $sequence_9 = { 833f0a 7207 33c0 e9???????? 53 33db 56 }
            // n = 7, score = 100
            //   833f0a               | lea                 eax, [ebp - 4]
            //   7207                 | push                eax
            //   33c0                 | mov                 esi, eax
            //   e9????????           |                     
            //   53                   | test                esi, esi
            //   33db                 | push                esi
            //   56                   | call                edi

        $sequence_10 = { 33db 56 8b750c 43 85f6 0f84a9010000 }
            // n = 6, score = 100
            //   33db                 | push                0x2710
            //   56                   | mov                 ebp, esp
            //   8b750c               | sub                 esp, 0x18
            //   43                   | push                esi
            //   85f6                 | push                edi
            //   0f84a9010000         | xor                 eax, eax

        $sequence_11 = { 488b4c2430 ff15???????? eb0e 488d0d8b490000 8bd0 e8???????? }
            // n = 6, score = 100
            //   488b4c2430           | lea                 ecx, [ecx + 2]
            //   ff15????????         |                     
            //   eb0e                 | mov                 word ptr [ebp + ecx + 0x1ae], ax
            //   488d0d8b490000       | test                ax, ax
            //   8bd0                 | jne                 0xffffffe9
            //   e8????????           |                     

        $sequence_12 = { ff15???????? 488d442458 488d9510010000 4889442448 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d442458           | dec                 eax
            //   488d9510010000       | mov                 ecx, dword ptr [esp + 0x58]
            //   4889442448           | dec                 eax

        $sequence_13 = { 8d45fc 50 ff15???????? 8b3d???????? 8bf0 85f6 }
            // n = 6, score = 100
            //   8d45fc               | push                edi
            //   50                   | push                edi
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8bf0                 | push                dword ptr [ebp + 8]
            //   85f6                 | mov                 ecx, esi

        $sequence_14 = { 664489642440 6689442442 ff15???????? 85c0 0f855b030000 418bce }
            // n = 6, score = 100
            //   664489642440         | je                  0x1f7
            //   6689442442           | nop                 dword ptr [eax]
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, dword ptr [ebp + 0x278]
            //   0f855b030000         | test                eax, eax
            //   418bce               | jne                 0x52

        $sequence_15 = { ff15???????? 8b4b34 85c9 0f848e000000 ffc9 746a }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b4b34               | add                 esp, 0x138
            //   85c9                 | pop                 ebx
            //   0f848e000000         | pop                 ebp
            //   ffc9                 | ret                 
            //   746a                 | mov                 ecx, dword ptr [ebx + 0x34]

    condition:
        7 of them and filesize < 123904
}
Download all Yara Rules