SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microcin (Back to overview)

Microcin


There is no description at this point.

References
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:c832dc1, author = {Denis Legezo}, title = {{Microcin is here}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353}, language = {English}, urldate = {2022-07-25} } Microcin is here
Microcin Vicious Panda
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18Github (dlegezo)Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:7b94cc6, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia}, language = {English}, urldate = {2022-07-25} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:3e541ad, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia}, language = {English}, urldate = {2022-07-25} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
Microcin Vicious Panda
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2017-11-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Vicious Panda
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:fced582, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636}, language = {English}, urldate = {2022-08-26} } A simple example of a complex cyberattack
Microcin Vicious Panda
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20230715 | Detects win.microcin.)
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bcb ff15???????? 488b8db0010000 4833cc e8???????? 488b9c24d8020000 4881c4c0020000 }
            // n = 7, score = 400
            //   488bcb               | push                eax
            //   ff15????????         |                     
            //   488b8db0010000       | lea                 eax, [ebp - 0x108]
            //   4833cc               | push                eax
            //   e8????????           |                     
            //   488b9c24d8020000     | push                esi
            //   4881c4c0020000       | test                eax, eax

        $sequence_1 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, ebp
            //   7426                 | dec                 esp
            //   8b400c               | lea                 eax, [0x112b7]

        $sequence_2 = { 50 6805100000 68ffff0000 56 8b35???????? ffd6 6a04 }
            // n = 7, score = 400
            //   50                   | push                1
            //   6805100000           | or                  ecx, 4
            //   68ffff0000           | mov                 dword ptr [ebp - 0x10], ecx
            //   56                   | mov                 edx, dword ptr [ebp - 0x10]
            //   8b35????????         |                     
            //   ffd6                 | shr                 edx, 1
            //   6a04                 | mov                 dword ptr [ebp - 0x10], edx

        $sequence_3 = { 48895c2410 55 488dac2440feffff 4881ecc0020000 }
            // n = 4, score = 400
            //   48895c2410           | push                0x104
            //   55                   | push                eax
            //   488dac2440feffff     | lea                 eax, [ebp - 0x108]
            //   4881ecc0020000       | lea                 eax, [ebp - 0x54]

        $sequence_4 = { ff15???????? 8b3d???????? 8d85e0feffff 50 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | mov                 esi, eax
            //   50                   | test                esi, esi

        $sequence_5 = { 488903 48894308 488b0d???????? ff15???????? 4885c0 }
            // n = 5, score = 400
            //   488903               | push                eax
            //   48894308             | push                0x80000001
            //   488b0d????????       |                     
            //   ff15????????         |                     
            //   4885c0               | add                 esp, 0xc

        $sequence_6 = { ff15???????? 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   8b1d????????         |                     
            //   8d85a8feffff         | mov                 dword ptr [esp + 0x3c], 0
            //   50                   | test                ax, ax
            //   ffd3                 | je                  0x4e

        $sequence_7 = { ff15???????? 488d4d90 ff15???????? 4863c8 807c0d8f5c 7412 488d4d90 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   488d4d90             | cmovne              esi, edi
            //   ff15????????         |                     
            //   4863c8               | lea                 eax, [ebp - 0x54]
            //   807c0d8f5c           | push                eax
            //   7412                 | push                0x80000001
            //   488d4d90             | test                eax, eax

        $sequence_8 = { ff15???????? 4863c8 c6840d8002000076 488d8d80020000 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   4863c8               | test                eax, eax
            //   c6840d8002000076     | je                  0x2a
            //   488d8d80020000       | mov                 eax, dword ptr [eax + 0xc]

        $sequence_9 = { 41c7868400000004000000 4533c9 33d2 498d4e70 ff15???????? 85c0 }
            // n = 6, score = 400
            //   41c7868400000004000000     | lea    eax, [ebp - 0x108]
            //   4533c9               | push                0x104
            //   33d2                 | push                eax
            //   498d4e70             | lea                 eax, [ebp - 0x108]
            //   ff15????????         |                     
            //   85c0                 | jle                 0x1a

        $sequence_10 = { 488d4d71 4803c8 e8???????? 418907 }
            // n = 4, score = 400
            //   488d4d71             | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   4803c8               | je                  0x29
            //   e8????????           |                     
            //   418907               | lea                 eax, [ebp - 0x158]

        $sequence_11 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 400
            //   56                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [ebp - 0x364], edx
            //   0f45f7               | mov                 dword ptr [ebp - 0x360], 0

        $sequence_12 = { 8d45ac 50 6801000080 ff15???????? 85c0 }
            // n = 5, score = 400
            //   8d45ac               | mov                 eax, dword ptr [ebp - 0x360]
            //   50                   | test                eax, eax
            //   6801000080           | jbe                 0x49
            //   ff15????????         |                     
            //   85c0                 | dec                 ecx

        $sequence_13 = { c744244c7246316b e8???????? 488bc6 488b8df0040000 4833cc e8???????? 4881c400060000 }
            // n = 7, score = 400
            //   c744244c7246316b     | inc                 esi
            //   e8????????           |                     
            //   488bc6               | push                eax
            //   488b8df0040000       | call                ebx
            //   4833cc               | push                eax
            //   e8????????           |                     
            //   4881c400060000       | push                esi

        $sequence_14 = { 50 ffd3 85c0 7e18 }
            // n = 4, score = 400
            //   50                   | mov                 dword ptr [ecx + 0x28], eax
            //   ffd3                 | mov                 edx, dword ptr [ebp - 8]
            //   85c0                 | cmp                 dword ptr [edx + 0x28], 0
            //   7e18                 | add                 ecx, 4

        $sequence_15 = { 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff 50 }
            // n = 6, score = 400
            //   8d85f8feffff         | mov                 eax, dword ptr [ebp - 0x2088]
            //   6804010000           | mov                 esi, dword ptr [ebp - 0x2088]
            //   50                   | imul                esi, dword ptr [ecx + eax*4]
            //   ff15????????         |                     
            //   8d85f8feffff         | add                 edx, esi
            //   50                   | mov                 ecx, dword ptr [ebp - 8]

        $sequence_16 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | int3                
            //   7673                 | dec                 esp
            //   6873742e65           | lea                 eax, [0x1126c]
            //   7865                 | jbe                 0x6b

        $sequence_17 = { 8b8578dfffff 8bb578dfffff 0faf3481 03d6 }
            // n = 4, score = 200
            //   8b8578dfffff         | cli                 
            //   8bb578dfffff         | cli                 
            //   0faf3481             | cli                 
            //   03d6                 | dec                 ecx

        $sequence_18 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | jbe                 0x6b
            //   8d85ccfeffff         | jb                  0x73
            //   6a00                 | outsb               dx, byte ptr [esi]
            //   50                   | insd                dword ptr es:[edi], dx

        $sequence_19 = { 83c104 8b957cffffff 898c9578feffff 8b857cffffff 8b4c8584 }
            // n = 5, score = 200
            //   83c104               | cli                 
            //   8b957cffffff         | cli                 
            //   898c9578feffff       | cli                 
            //   8b857cffffff         | cli                 
            //   8b4c8584             | cli                 

        $sequence_20 = { 488bcd e8???????? 85c0 751a 488d15f8110100 41b810200100 }
            // n = 6, score = 200
            //   488bcd               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | sub                 esp, 0x20
            //   751a                 | mov                 ebx, ecx
            //   488d15f8110100       | dec                 eax
            //   41b810200100         | lea                 ecx, [0x10c95]

        $sequence_21 = { 488d15730c0100 488bc8 ff15???????? 4885c0 7404 }
            // n = 5, score = 200
            //   488d15730c0100       | inc                 ecx
            //   488bc8               | mov                 ecx, 3
            //   ff15????????         |                     
            //   4885c0               | dec                 eax
            //   7404                 | lea                 ecx, [ebp + eax*2 - 0x44]

        $sequence_22 = { ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   418d7c24e7           | inc                 ecx
            //   85c0                 | lea                 edi, [esp - 0x19]
            //   752a                 | test                eax, eax
            //   4c8d0502130100       | jne                 0x2c

        $sequence_23 = { fa fa fa fa }
            // n = 4, score = 200
            //   fa                   | lea                 ecx, [0x10c95]
            //   fa                   | dec                 eax
            //   fa                   | test                eax, eax
            //   fa                   | je                  0x1e

        $sequence_24 = { 7669 726f 6e 6d 656e 7400 }
            // n = 6, score = 200
            //   7669                 | mov                 ecx, 3
            //   726f                 | dec                 eax
            //   6e                   | lea                 ecx, [ebp + eax*2 - 0x44]
            //   6d                   | dec                 eax
            //   656e                 | mov                 eax, ecx
            //   7400                 | dec                 eax

        $sequence_25 = { 53 53 56 43 }
            // n = 4, score = 200
            //   53                   | lea                 eax, [0x11302]
            //   53                   | mov                 edx, edi
            //   56                   | dec                 ecx
            //   43                   | mov                 ecx, ebp

        $sequence_26 = { 3d01010000 7d0d 8a4c181c 888818384100 40 ebe9 }
            // n = 6, score = 200
            //   3d01010000           | push                ebx
            //   7d0d                 | push                esi
            //   8a4c181c             | inc                 ebx
            //   888818384100         | dec                 ecx
            //   40                   | push                ebx
            //   ebe9                 | push                ebx

        $sequence_27 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | lea                 edx, [0x10c73]
            //   696465726167656e     | dec                 eax
            //   742e                 | mov                 ecx, eax
            //   657865               | dec                 eax

        $sequence_28 = { 488d15f8110100 41b810200100 488bcd e8???????? e9???????? 4533c9 }
            // n = 6, score = 200
            //   488d15f8110100       | test                eax, eax
            //   41b810200100         | jne                 0x2c
            //   488bcd               | dec                 esp
            //   e8????????           |                     
            //   e9????????           |                     
            //   4533c9               | lea                 eax, [0x11302]

        $sequence_29 = { 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 }
            // n = 6, score = 200
            //   4c8d0502130100       | dec                 esp
            //   8bd7                 | lea                 eax, [0x112b7]
            //   498bcd               | inc                 ecx
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, 3
            //   7415                 | dec                 eax

        $sequence_30 = { e8???????? 4c8d05b7120100 41b903000000 488d4c45bc 488bc1 492bc5 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   4c8d05b7120100       | dec                 eax
            //   41b903000000         | lea                 edx, [0x111f8]
            //   488d4c45bc           | inc                 ecx
            //   488bc1               | mov                 eax, 0x12010
            //   492bc5               | dec                 eax

        $sequence_31 = { 0fb645fb 99 b903000000 f7f9 83fa01 7510 }
            // n = 6, score = 200
            //   0fb645fb             | outsb               dx, byte ptr gs:[esi]
            //   99                   | je                  0xa
            //   b903000000           | outsb               dx, byte ptr [esi]
            //   f7f9                 | insd                dword ptr es:[edi], dx
            //   83fa01               | outsb               dx, byte ptr gs:[esi]
            //   7510                 | je                  5

        $sequence_32 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 }
            // n = 5, score = 200
            //   4883ec20             | lea                 ecx, [ebp + eax*2 - 0x44]
            //   8bd9                 | dec                 eax
            //   488d0d950c0100       | mov                 eax, ecx
            //   ff15????????         |                     
            //   4885c0               | dec                 ecx

        $sequence_33 = { 0f8563010000 8b5588 89957cffffff 8b8504ffffff 898574feffff 8b4d0c 8b91fc020000 }
            // n = 7, score = 200
            //   0f8563010000         | push                esi
            //   8b5588               | inc                 ebx
            //   89957cffffff         | outsb               dx, byte ptr [esi]
            //   8b8504ffffff         | jbe                 0x6b
            //   898574feffff         | jb                  0x73
            //   8b4d0c               | outsb               dx, byte ptr [esi]
            //   8b91fc020000         | insd                dword ptr es:[edi], dx

        $sequence_34 = { 8945fc 8b4dfc 030d???????? 894dfc 8b55fc 8b450c 8a08 }
            // n = 7, score = 200
            //   8945fc               | jb                  0x71
            //   8b4dfc               | outsb               dx, byte ptr [esi]
            //   030d????????         |                     
            //   894dfc               | insd                dword ptr es:[edi], dx
            //   8b55fc               | outsb               dx, byte ptr gs:[esi]
            //   8b450c               | je                  6
            //   8a08                 | push                ebx

        $sequence_35 = { ff15???????? 4885c0 7419 488d15730c0100 488bc8 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   4885c0               | dec                 ecx
            //   7419                 | mov                 ecx, ebp
            //   488d15730c0100       | test                eax, eax
            //   488bc8               | je                  0x1e

        $sequence_36 = { 8b4df8 e8???????? 68???????? 6a01 }
            // n = 4, score = 200
            //   8b4df8               | push                ebx
            //   e8????????           |                     
            //   68????????           |                     
            //   6a01                 | push                ebx

        $sequence_37 = { 6a00 ff15???????? 8b4df8 894128 8b55f8 837a2800 }
            // n = 6, score = 200
            //   6a00                 | cli                 
            //   ff15????????         |                     
            //   8b4df8               | cli                 
            //   894128               | cli                 
            //   8b55f8               | cli                 
            //   837a2800             | cli                 

        $sequence_38 = { ff15???????? 8d85d4f4ffff 50 ff15???????? 6804010000 8d85f0feffff 6a00 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8d85d4f4ffff         | mov                 edx, dword ptr [ebp - 0x78]
            //   50                   | mov                 dword ptr [ebp - 0x84], edx
            //   ff15????????         |                     
            //   6804010000           | mov                 eax, dword ptr [ebp - 0xfc]
            //   8d85f0feffff         | mov                 dword ptr [ebp - 0x18c], eax
            //   6a00                 | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_39 = { 8b4804 0fb74906 83e902 6bc928 034808 56 }
            // n = 6, score = 100
            //   8b4804               | jb                  0x73
            //   0fb74906             | outsb               dx, byte ptr [esi]
            //   83e902               | insd                dword ptr es:[edi], dx
            //   6bc928               | outsb               dx, byte ptr gs:[esi]
            //   034808               | je                  0xa
            //   56                   | arpl                word ptr [ebx + 0x73], sp

        $sequence_40 = { ff15???????? e9???????? 68???????? 8d45dc 50 ff15???????? e9???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   e9????????           |                     
            //   68????????           |                     
            //   8d45dc               | push                4
            //   50                   | xor                 esi, esi
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_41 = { c785b4feffff00000000 ff15???????? 50 56 ff15???????? }
            // n = 5, score = 100
            //   c785b4feffff00000000     | mov    ecx, dword ptr [eax + 4]
            //   ff15????????         |                     
            //   50                   | movzx               ecx, word ptr [ecx + 6]
            //   56                   | sub                 ecx, 2
            //   ff15????????         |                     

        $sequence_42 = { 89c1 e8???????? 894510 8b4510 }
            // n = 4, score = 100
            //   89c1                 | cli                 
            //   e8????????           |                     
            //   894510               | cli                 
            //   8b4510               | cli                 

        $sequence_43 = { 895d08 52 53 41 }
            // n = 4, score = 100
            //   895d08               | jb                  0x71
            //   52                   | outsb               dx, byte ptr [esi]
            //   53                   | insd                dword ptr es:[edi], dx
            //   41                   | outsb               dx, byte ptr gs:[esi]

        $sequence_44 = { 4c 89e9 48 89f2 4c 89b6a8000000 }
            // n = 6, score = 100
            //   4c                   | je                  8
            //   89e9                 | cli                 
            //   48                   | cli                 
            //   89f2                 | cli                 
            //   4c                   | cli                 
            //   89b6a8000000         | cli                 

        $sequence_45 = { c744243c00000000 ff15???????? 6685c0 7441 6a00 56 }
            // n = 6, score = 100
            //   c744243c00000000     | imul                ecx, ecx, 0x28
            //   ff15????????         |                     
            //   6685c0               | add                 ecx, dword ptr [eax + 8]
            //   7441                 | push                esi
            //   6a00                 | pop                 ecx
            //   56                   | pop                 ecx

        $sequence_46 = { 8b803c010000 56 8945f4 8d451c 50 6a04 33f6 }
            // n = 7, score = 100
            //   8b803c010000         | outsb               dx, byte ptr gs:[esi]
            //   56                   | je                  0xa
            //   8945f4               | dec                 ecx
            //   8d451c               | push                ebx
            //   50                   | push                ebx
            //   6a04                 | push                esi
            //   33f6                 | jbe                 0x6b

        $sequence_47 = { 50 e8???????? 83c40c 8d442458 68???????? 50 }
            // n = 6, score = 100
            //   50                   | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   83c40c               | mov                 ecx, dword ptr [ebp - 4]
            //   8d442458             | mov                 dword ptr [ebp - 4], ecx
            //   68????????           |                     
            //   50                   | mov                 edx, dword ptr [ebp - 4]

        $sequence_48 = { 1515151515 1515151011 12????????15 1515151515 1515151515 }
            // n = 5, score = 100
            //   1515151515           | test                eax, eax
            //   1515151011           | je                  0x6c
            //   12????????15         |                     
            //   1515151515           | mov                 ecx, dword ptr [esi + 0x10]
            //   1515151515           | add                 ecx, eax

        $sequence_49 = { 8bf0 85f6 0f8480000000 33c9 85f6 740a }
            // n = 6, score = 100
            //   8bf0                 | jge                 0x14
            //   85f6                 | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   0f8480000000         | mov                 byte ptr [eax + 0x413818], cl
            //   33c9                 | inc                 eax
            //   85f6                 | jmp                 0xfffffffd
            //   740a                 | jne                 0x169

    condition:
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "e Class Descriptor at (" fullword ascii
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}
Download all Yara Rules