win.microcin

Microcin


There is no description at this point.

References
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-20 — Dr.Web — Dr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19 — Kaspersky Labs — Denis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18 — Github (dlegezo) — Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14 — ESET Research — Peter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14 — Avast Decoded — Luigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01 — Kaspersky Labs — GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25 — Kaspersky Labs — Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25 — Kaspersky Labs — Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_microcin_auto {

    /* REVIEW NOTES (added on top of the generator's disclaimer below)
     * - YARA matches only the hex byte patterns; the "| mnemonic" text in the
     *   per-byte comments is informational. In this rule it is frequently not
     *   the decoding of the bytes it is printed beside: $sequence_33 is seven
     *   0xfa bytes but is annotated with mov/sub/push instructions, several
     *   sequences are plain ASCII text (see $sequence_8, _22, _26, _30, _37),
     *   and the 0x48 REX prefix of 64-bit instructions is rendered as
     *   "dec eax", which is its 32-bit decoding. Treat the annotations as
     *   unreliable and re-disassemble the bytes before drawing conclusions.
     * - "n" equals the number of byte groups listed for the sequence; "score"
     *   is a yara-signator ranking metric whose definition lives in that tool.
     * - Any 7 of the 49 strings satisfy the condition, so short text fragments
     *   and the 0xfa filler run can count toward a hit; weigh matches that rest
     *   mainly on those strings accordingly.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b8df0040000 4833cc e8???????? 4881c400060000 415f }
            // n = 5, score = 300
            //   488b8df0040000       | dec                 eax
            //   4833cc               | lea                 ecx, [esp + 0x60]
            //   e8????????           |                     
            //   4881c400060000       | dec                 eax
            //   415f                 | arpl                ax, cx

        $sequence_1 = { 7413 488d4c2460 ff15???????? 4863c8 }
            // n = 4, score = 300
            //   7413                 | jmp                 0xe
            //   488d4c2460           | mov                 eax, 0xfffffffd
            //   ff15????????         |                     
            //   4863c8               | je                  0x15

        $sequence_2 = { 488bcb ff15???????? 488b8db0010000 4833cc e8???????? }
            // n = 5, score = 300
            //   488bcb               | mov                 byte ptr [esp + ecx + 0x60], 0x5c
            //   ff15????????         |                     
            //   488b8db0010000       | dec                 eax
            //   4833cc               | lea                 edx, [esp + 0x44]
            //   e8????????           |                     

        $sequence_3 = { 57 4154 4156 4157 488dac2400fbffff 4881ec00060000 488b05???????? }
            // n = 7, score = 300
            //   57                   | dec                 eax
            //   4154                 | mov                 ecx, dword ptr [ebp + 0x4f0]
            //   4156                 | dec                 eax
            //   4157                 | xor                 ecx, esp
            //   488dac2400fbffff     | dec                 eax
            //   4881ec00060000       | add                 esp, 0x600
            //   488b05????????       |                     

        // Four `mov dword [esp/rsp + disp8], imm32` stores (opcode c7 44 24)
        // whose immediates are printable ASCII in memory order ("Lw3s", "1gMZ",
        // "IsEA", "rF1k") — looks like stack-string construction; unverified.
        // The matching annotations were printed under $sequence_18 instead.
        $sequence_4 = { c74424484c773373 c744244c31674d5a e9???????? c744244849734541 c744244c7246316b }
            // n = 5, score = 300
            //   c74424484c773373     | mov                 ecx, dword ptr [ebp + 0x1b0]
            //   c744244c31674d5a     | dec                 eax
            //   e9????????           |                     
            //   c744244849734541     | xor                 ecx, esp
            //   c744244c7246316b     | push                edi

        $sequence_5 = { ff15???????? 4863c8 c6840d8002000075 488d8d80020000 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   4863c8               | dec                 eax
            //   c6840d8002000075     | arpl                ax, cx
            //   488d8d80020000       | mov                 byte ptr [ebp + ecx + 0x280], 0x75

        $sequence_6 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000068 488d8d80020000 ff15???????? 4863c8 }
            // n = 7, score = 300
            //   488d8d80020000       | inc                 ecx
            //   ff15????????         |                     
            //   4863c8               | pop                 edi
            //   c6840d8002000068     | dec                 eax
            //   488d8d80020000       | mov                 ecx, ebx
            //   ff15????????         |                     
            //   4863c8               | dec                 eax

        // Three `mov eax, imm32` with negative immediates (-11, -4, -3) separated
        // by short jmps — reads like a status-code return ladder. The annotations
        // below are offset by two entries relative to the bytes.
        $sequence_7 = { b8f5ffffff eb13 b8fcffffff eb0c b8fdffffff }
            // n = 5, score = 300
            //   b8f5ffffff           | dec                 eax
            //   eb13                 | lea                 ecx, [ebp + 0x280]
            //   b8fcffffff           | mov                 eax, 0xfffffff5
            //   eb0c                 | jmp                 0x1a
            //   b8fdffffff           | mov                 eax, 0xfffffffc

        // Bytes decode to printable ASCII "ccsvshst.exe", not code; the mnemonics
        // beside them are meaningless.
        $sequence_8 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | add                 eax, dword ptr [ecx + 0x20]
            //   7673                 | mov                 byte ptr [ebp - 5], al
            //   6873742e65           | mov                 edx, dword ptr [ebp - 0xc]
            //   7865                 | mov                 eax, dword ptr [edx + 0x20]

        $sequence_9 = { 83c001 8945fc c7857cdfffff00000000 eb0f 8b8d7cdfffff }
            // n = 5, score = 200
            //   83c001               | add                 eax, 1
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   c7857cdfffff00000000     | mov    dword ptr [ebp - 0x2084], 0
            //   eb0f                 | jmp                 0x11
            //   8b8d7cdfffff         | mov                 ecx, dword ptr [ebp - 0x2084]

        $sequence_10 = { 83c8ff 4883c428 c3 4883ec28 e8???????? 4885c0 }
            // n = 6, score = 200
            //   83c8ff               | dec                 eax
            //   4883c428             | mov                 ecx, ebp
            //   c3                   | test                eax, eax
            //   4883ec28             | jne                 0x21
            //   e8????????           |                     
            //   4885c0               | dec                 eax

        $sequence_11 = { ff15???????? 8b1d???????? 8d85a8feffff 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b1d????????         |                     
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   50                   | push                eax

        $sequence_12 = { 7419 488d15730c0100 488bc8 ff15???????? 4885c0 7404 8bcb }
            // n = 7, score = 200
            //   7419                 | xor                 ecx, ecx
            //   488d15730c0100       | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x20], esi
            //   ff15????????         |                     
            //   4885c0               | int3                
            //   7404                 | dec                 esp
            //   8bcb                 | lea                 eax, [0x1126c]

        // push 0x1005 / push 0xffff ahead of a wildcarded call: these are the
        // Winsock SO_SNDTIMEO and SOL_SOCKET values, consistent with a
        // setsockopt call — confirm against the resolved callee.
        $sequence_13 = { 50 6805100000 68ffff0000 56 8b35???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   6805100000           | push                0x1005
            //   68ffff0000           | push                0xffff
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_14 = { 488bcd e8???????? 85c0 751a 488d15f8110100 41b810200100 }
            // n = 6, score = 200
            //   488bcd               | mov                 byte ptr [ebp + ecx + 0x280], 0x34
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   751a                 | lea                 ecx, [ebp + 0x280]
            //   488d15f8110100       | dec                 eax
            //   41b810200100         | test                eax, eax

        $sequence_15 = { 6a00 6a00 ff15???????? 8945ec 8b4df0 }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_16 = { 668935???????? 498bd5 ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 }
            // n = 7, score = 200
            //   668935????????       |                     
            //   498bd5               | lea                 ecx, [0x10c95]
            //   ff15????????         |                     
            //   418d7c24e7           | dec                 eax
            //   85c0                 | test                eax, eax
            //   752a                 | je                  0x27
            //   4c8d0502130100       | dec                 eax

        $sequence_17 = { 7647 498bcd e8???????? 4c8d05b7120100 41b903000000 488d4c45bc }
            // n = 6, score = 200
            //   7647                 | lea                 edx, [0x10c73]
            //   498bcd               | int3                
            //   e8????????           |                     
            //   4c8d05b7120100       | dec                 esp
            //   41b903000000         | lea                 eax, [0x1126c]
            //   488d4c45bc           | dec                 ecx

        // The mov-immediate annotations below describe $sequence_4's bytes, not
        // these.
        $sequence_18 = { cc 4c8d056c120100 498bd4 488bcd e8???????? }
            // n = 5, score = 200
            //   cc                   | jne                 0x17
            //   4c8d056c120100       | mov                 dword ptr [esp + 0x48], 0x7333774c
            //   498bd4               | mov                 dword ptr [esp + 0x4c], 0x5a4d6731
            //   488bcd               | mov                 dword ptr [esp + 0x48], 0x41457349
            //   e8????????           |                     

        // mov ecx, 4 / div ecx / cmp edx, 3 / jne: a "remainder of 4 equals 3"
        // test. The annotations are correct for this sequence.
        $sequence_19 = { b904000000 f7f1 83fa03 750b }
            // n = 4, score = 200
            //   b904000000           | mov                 ecx, 4
            //   f7f1                 | div                 ecx
            //   83fa03               | cmp                 edx, 3
            //   750b                 | jne                 0xd

        $sequence_20 = { 8945fc 8d8da0f4ffff e8???????? c785c4f4ffff1a000000 }
            // n = 4, score = 200
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d8da0f4ffff         | lea                 ecx, [ebp - 0xb60]
            //   e8????????           |                     
            //   c785c4f4ffff1a000000     | mov    dword ptr [ebp - 0xb3c], 0x1a

        // Compares a byte of a stack buffer against 0x3a (':') — looks like a
        // scan of a string for a separator; unverified.
        $sequence_21 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   741f                 | je                  0x21
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]

        // ASCII "Environ" — text, not code ($sequence_30 continues with
        // "ronment\0"). The mnemonics below belong to other bytes.
        $sequence_22 = { 45 6e 7669 726f 6e }
            // n = 5, score = 200
            //   45                   | mov                 dword ptr [ebp - 0x2084], 0
            //   6e                   | jmp                 0x1b
            //   7669                 | mov                 ecx, dword ptr [ebp - 0x2084]
            //   726f                 | movzx               eax, byte ptr [ebp - 5]
            //   6e                   | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_23 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | cmp                 edx, 3
            //   8d85ccfeffff         | jne                 0x10
            //   6a00                 | add                 eax, 1
            //   50                   | mov                 dword ptr [ebp - 4], eax

        // push 0x104 (260, MAX_PATH) with a 0x108-byte stack buffer — consistent
        // with a path-query API; the callee is wildcarded, so confirm in the
        // sample.
        $sequence_24 = { 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff 50 }
            // n = 6, score = 200
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax

        $sequence_25 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f45f7               | cmovne              esi, edi

        // ASCII "spideragent.exe" — a file-name fragment, not code.
        $sequence_26 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | cli                 
            //   696465726167656e     | cli                 
            //   742e                 | cli                 
            //   657865               | cli                 

        $sequence_27 = { 894c9580 ba20000000 2b957cffffff 8b857cffffff 8b4d0c }
            // n = 5, score = 200
            //   894c9580             | mov                 dword ptr [ebp + edx*4 - 0x80], ecx
            //   ba20000000           | mov                 edx, 0x20
            //   2b957cffffff         | sub                 edx, dword ptr [ebp - 0x84]
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_28 = { ff15???????? 0fb645fb 8b4df4 034120 8845fb 8b55f4 8b4220 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   0fb645fb             | movzx               eax, byte ptr [ebp - 5]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   034120               | add                 eax, dword ptr [ecx + 0x20]
            //   8845fb               | mov                 byte ptr [ebp - 5], al
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b4220               | mov                 eax, dword ptr [edx + 0x20]

        $sequence_29 = { ff15???????? 8b3d???????? 8d85e0feffff 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | lea                 eax, [ebp - 0x120]
            //   50                   | push                eax

        // ASCII "ronment" followed by a NUL terminator (7400) — text, not code.
        $sequence_30 = { 726f 6e 6d 656e 7400 }
            // n = 5, score = 200
            //   726f                 | cli                 
            //   6e                   | cli                 
            //   6d                   | cli                 
            //   656e                 | inc                 ebp
            //   7400                 | outsb               dx, byte ptr [esi]

        $sequence_31 = { 4c8d0574130100 488bcd 418bd4 e8???????? }
            // n = 4, score = 200
            //   4c8d0574130100       | lea                 eax, [0x1126c]
            //   488bcd               | dec                 ecx
            //   418bd4               | mov                 edx, esp
            //   e8????????           |                     

        // push 0x80000001: the predefined HKEY_CURRENT_USER handle value, which
        // suggests a registry API call; the callee is wildcarded.
        $sequence_32 = { 8d45ac 50 6801000080 ff15???????? }
            // n = 4, score = 200
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     

        // Seven identical 0xfa bytes (`cli` if decoded as code) — likely
        // padding/filler and a very low-information pattern on its own. The
        // annotations below belong to other sequences entirely.
        $sequence_33 = { fa fa fa fa fa fa fa }
            // n = 7, score = 200
            //   fa                   | mov                 dword ptr [ebp + edx*4 - 0x80], ecx
            //   fa                   | mov                 edx, 0x20
            //   fa                   | sub                 edx, dword ptr [ebp - 0x84]
            //   fa                   | mov                 eax, dword ptr [ebp - 0x84]
            //   fa                   | mov                 ecx, dword ptr [ebp + 0xc]
            //   fa                   | push                0
            //   fa                   | push                0

        $sequence_34 = { ff75d4 e8???????? 83c40c 8bc7 }
            // n = 4, score = 200
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bc7                 | mov                 eax, edi

        $sequence_35 = { 7d44 c745f400000000 eb09 8b4df4 83c103 894df4 }
            // n = 6, score = 200
            //   7d44                 | jge                 0x46
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb09                 | jmp                 0xb
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   83c103               | add                 ecx, 3
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_36 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 7419 488d15730c0100 }
            // n = 7, score = 200
            //   4883ec20             | lea                 eax, [esp + 0x10]
            //   8bd9                 | push                eax
            //   488d0d950c0100       | push                0
            //   ff15????????         |                     
            //   4885c0               | push                0x10000003
            //   7419                 | dec                 eax
            //   488d15730c0100       | test                eax, eax

        // ASCII "ISSV" — four bytes of text; a very short, weak pattern.
        $sequence_37 = { 49 53 53 56 }
            // n = 4, score = 200
            //   49                   | jbe                 0x6b
            //   53                   | jb                  0x73
            //   53                   | outsb               dx, byte ptr [esi]
            //   56                   | insd                dword ptr es:[edi], dx

        $sequence_38 = { 8955f8 c745f400000000 eb09 8b55f4 83c202 }
            // n = 5, score = 200
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb09                 | jmp                 0xb
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   83c202               | add                 edx, 2

        $sequence_39 = { 50 ff15???????? 0fb785c4feffff 50 }
            // n = 4, score = 100
            //   50                   | mov                 dword ptr [ebp - 0x88], 0x3c
            //   ff15????????         |                     
            //   0fb785c4feffff       | push                eax
            //   50                   | mov                 dword ptr [edi], eax

        $sequence_40 = { 3bce 72f3 6a00 ff35???????? ff15???????? 3d404b4c00 }
            // n = 6, score = 100
            //   3bce                 | outsb               dx, byte ptr [esi]
            //   72f3                 | jbe                 0x6b
            //   6a00                 | jb                  0x73
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   3d404b4c00           | outsb               dx, byte ptr [esi]

        $sequence_41 = { 8d85acfeffff 50 ff35???????? ff15???????? 50 }
            // n = 5, score = 100
            //   8d85acfeffff         | mov                 dword ptr [ebp - 0x78], eax
            //   50                   | lea                 eax, [ebp - 0x18c]
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   50                   | mov                 dword ptr [ebp - 0x74], eax

        $sequence_42 = { ffd6 6a01 58 ebb9 55 }
            // n = 5, score = 100
            //   ffd6                 | dec                 eax
            //   6a01                 | lea                 ecx, [ebp + eax*2 - 0x44]
            //   58                   | dec                 eax
            //   ebb9                 | mov                 eax, ecx
            //   55                   | or                  eax, 0xffffffff

        $sequence_43 = { 68???????? eb29 6a20 8d45bc }
            // n = 4, score = 100
            //   68????????           |                     
            //   eb29                 | outsb               dx, byte ptr [esi]
            //   6a20                 | insd                dword ptr es:[edi], dx
            //   8d45bc               | inc                 ebp

        $sequence_44 = { 894588 8d8574feffff 89458c 83c42c 8d8578ffffff 50 c78578ffffff3c000000 }
            // n = 7, score = 100
            //   894588               | cli                 
            //   8d8574feffff         | cli                 
            //   89458c               | cli                 
            //   83c42c               | cli                 
            //   8d8578ffffff         | cli                 
            //   50                   | cli                 
            //   c78578ffffff3c000000     | jbe    0x6b

        $sequence_45 = { 8d85d4f4ffff 50 ff15???????? 6804010000 }
            // n = 4, score = 100
            //   8d85d4f4ffff         | insd                dword ptr es:[edi], dx
            //   50                   | outsb               dx, byte ptr gs:[esi]
            //   ff15????????         |                     
            //   6804010000           | je                  4

        $sequence_46 = { 8b0410 45 2b4330 44 8902 }
            // n = 5, score = 100
            //   8b0410               | dec                 eax
            //   45                   | add                 esp, 0x28
            //   2b4330               | ret                 
            //   44                   | dec                 eax
            //   8902                 | sub                 esp, 0x28

        $sequence_47 = { ff15???????? 8bf8 85ff 7523 56 8d44245c }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8bf8                 | push                dword ptr [esi + 0x14]
            //   85ff                 | add                 esp, 0x14
            //   7523                 | test                eax, eax
            //   56                   | push                0x128
            //   8d44245c             | lea                 eax, [ebp - 0x134]

        $sequence_48 = { 68a00f0000 56 ff15???????? 8934fd58d04000 }
            // n = 4, score = 100
            //   68a00f0000           | add                 esp, 0x2c
            //   56                   | lea                 eax, [ebp - 0x88]
            //   ff15????????         |                     
            //   8934fd58d04000       | push                eax

    condition:
        // Any 7 of the 49 strings suffice, so the text/filler patterns noted
        // above can count toward a hit. The filesize bound (417792 bytes) is
        // part of the generated signature and excludes larger or padded
        // samples.
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    // Detects the Microcin sample family from Kaspersky's technical report by
    // either its MSVC-decorated C++ class names (RTTI type descriptors) or an
    // exact import hash. Uses pe.imphash(), so the file-scope `import "pe"`
    // must stay in place.
    meta:
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash1 = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash2 = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash3 = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
    strings:
        // $s1 looks like the tail of a longer compiler/runtime message and is
        // probably not family-specific — confirm before relying on it alone.
        $s1 = "e Class Descriptor at (" fullword ascii
        // ".?AV<Name>@@" is the MSVC type-descriptor form of a C++ class name;
        // these four carry the family-specific signal.
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // MZ header and size bound, then either four of the five strings or the
        // import hash. The imphash branch fires on any PE whose import table
        // hashes identically, so a hit on that branch alone deserves a second
        // look before it is treated as a confirmed Microcin sample.
        uint16(0) == 0x5a4d
        and filesize < 300KB
        and (
            4 of ($s*)
            or pe.imphash() == "897077ca318eaf629cfe74569f10e023"
        )
}