win.microcin

Microcin


There is no description at this point.

References
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-20 | Dr.Web | Dr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-07-22} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX
2020-06-19 | Kaspersky Labs | Denis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18 | Github (dlegezo) | Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14 | ESET Research | Peter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14 | Avast Decoded | Luigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25 | Kaspersky Labs | Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25 | Kaspersky Labs | Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_microcin_auto {
    // Autogenerated code-sequence rule for the Microcin family (yara-signator).
    // Each $sequence_N is a run of raw instruction bytes lifted from one sample;
    // "n" is the number of byte groups in the sequence and "score" is the
    // generator's ranking of that sequence (its scale is not documented here).
    // The "??" wildcards stand in for call/jump targets and data references
    // (see tool_config), which differ between builds of the same code.
    // NOTE(review): the mnemonic column next to several sequences does not
    // line up with the hex bytes on the left. 64-bit sequences appear to be
    // decoded as 32-bit (REX prefix 0x48 shows up as "dec eax"), and some
    // listings are shifted by one or more instructions. YARA matches only the
    // hex bytes; treat the mnemonic column as informational.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-7 (score 400) are 32-bit code; their mnemonic columns match the bytes.
        $sequence_0 = { 6804010000 50 ff15???????? 8d85f8feffff 50 }
            // n = 5, score = 400
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax

        $sequence_1 = { ff15???????? 8b3d???????? 8d85e0feffff 50 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | lea                 eax, [ebp - 0x120]
            //   50                   | push                eax

        $sequence_2 = { 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 4, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   50                   | push                eax
            //   ffd3                 | call                ebx

        $sequence_3 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f45f7               | cmovne              esi, edi

        $sequence_4 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff }
            // n = 5, score = 400
            // 
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   741f                 | je                  0x21
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]

        $sequence_5 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_6 = { ff75d4 e8???????? 83c40c 8bc7 }
            // n = 4, score = 400
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bc7                 | mov                 eax, edi

        $sequence_7 = { 68ffff0000 56 8b35???????? ffd6 }
            // n = 4, score = 400
            //   68ffff0000           | push                0xffff
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        // First 64-bit (REX-prefixed) sequence; the decode column below shows
        // 32-bit mnemonics for these bytes and is not a faithful listing.
        $sequence_8 = { 488d442430 448bcb 4c8bc7 4889442420 ff15???????? 4c89642440 }
            // n = 6, score = 200
            //   488d442430           | dec                 eax
            //   448bcb               | mov                 ecx, eax
            //   4c8bc7               | test                al, al
            //   4889442420           | dec                 eax
            //   ff15????????         |                     
            //   4c89642440           | lea                 eax, [esp + 0x30]

        $sequence_9 = { eb03 498bc4 488d158dbf0000 488bc8 e8???????? 84c0 }
            // n = 6, score = 200
            //   eb03                 | jmp                 5
            //   498bc4               | dec                 ecx
            //   488d158dbf0000       | mov                 eax, esp
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   84c0                 | lea                 edx, [0xbf8d]

        $sequence_10 = { 33c0 488b8d50040000 4833cc e8???????? 4881c460050000 5d c3 }
            // n = 7, score = 200
            //   33c0                 | inc                 esp
            //   488b8d50040000       | mov                 ecx, ebx
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4881c460050000       | mov                 eax, edi
            //   5d                   | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x20], eax

        $sequence_11 = { 41bc14030000 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 }
            // n = 7, score = 200
            //   41bc14030000         | inc                 ecx
            //   4c8d0574130100       | mov                 eax, 0x12010
            //   488bcd               | dec                 eax
            //   418bd4               | mov                 ecx, ebp
            //   e8????????           |                     
            //   33c9                 | int3                
            //   85c0                 | dec                 esp

        $sequence_12 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | mov                 eax, dword ptr [ebp - 0x1c]
            //   8d85ccfeffff         | mov                 eax, dword ptr [eax]
            //   6a00                 | push                eax
            //   50                   | mov                 ecx, dword ptr [ebp - 8]

        $sequence_13 = { 0fb602 83e801 8b4d0c 8801 eb0e 8b550c }
            // n = 6, score = 200
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   83e801               | sub                 eax, 1
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8801                 | mov                 byte ptr [ecx], al
            //   eb0e                 | jmp                 0x10
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_14 = { 418d5001 e9???????? 4053 4883ec20 8bd9 e8???????? 8bcb }
            // n = 7, score = 200
            //   418d5001             | jb                  3
            //   e9????????           |                     
            //   4053                 | pop                 esi
            //   4883ec20             | ret                 
            //   8bd9                 | lea                 eax, [ebp - 0x158]
            //   e8????????           |                     
            //   8bcb                 | push                eax

        $sequence_15 = { 744c 8b55f8 6bd268 035510 8b45fc }
            // n = 5, score = 200
            //   744c                 | je                  0x4e
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   6bd268               | imul                edx, edx, 0x68
            //   035510               | add                 edx, dword ptr [ebp + 0x10]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_16 = { 837df808 7d21 6a00 6a00 }
            // n = 4, score = 200
            //   837df808             | cmp                 dword ptr [ebp - 8], 8
            //   7d21                 | jge                 0x23
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_17 = { 488d4c2471 458bc6 33d2 885c2470 e8???????? 418d5601 488d4c2470 }
            // n = 7, score = 200
            //   488d4c2471           | mov                 ecx, dword ptr [ebp + 0x450]
            //   458bc6               | dec                 eax
            //   33d2                 | xor                 ecx, esp
            //   885c2470             | dec                 eax
            //   e8????????           |                     
            //   418d5601             | add                 esp, 0x560
            //   488d4c2470           | pop                 ebp

        // These bytes are the ASCII text "nvironment\0" (likely the tail of a
        // longer "...environment" string), not code; the mnemonic column does not apply.
        $sequence_18 = { 6e 7669 726f 6e 6d 656e 7400 }
            // n = 7, score = 200
            //   6e                   | mov                 edx, dword ptr [ecx + 0x28]
            //   7669                 | push                edx
            //   726f                 | cmp                 dword ptr [ebp - 8], 8
            //   6e                   | jge                 0x5c
            //   6d                   | push                0
            //   656e                 | push                0
            //   7400                 | je                  0x8d

        $sequence_19 = { 488b4587 498986a8000000 8b442420 418986b0000000 }
            // n = 4, score = 200
            //   488b4587             | dec                 esp
            //   498986a8000000       | mov                 dword ptr [esp + 0x40], esp
            //   8b442420             | xor                 eax, eax
            //   418986b0000000       | dec                 eax

        $sequence_20 = { 488bf9 448d4250 488bcb e8???????? 488364244000 814f5812020000 }
            // n = 6, score = 200
            //   488bf9               | ret                 
            //   448d4250             | dec                 eax
            //   488bcb               | mov                 eax, dword ptr [ebp - 0x79]
            //   e8????????           |                     
            //   488364244000         | dec                 ecx
            //   814f5812020000       | mov                 dword ptr [esi + 0xa8], eax

        // ASCII text, not code: the bytes decode to "ccsvshst.exe".
        $sequence_21 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | jbe                 0x8b
            //   7673                 | jb                  0x93
            //   6873742e65           | outsb               dx, byte ptr [esi]
            //   7865                 | insd                dword ptr es:[edi], dx

        $sequence_22 = { 7422 03d8 3bdf 741c }
            // n = 4, score = 200
            //   7422                 | mov                 eax, dword ptr [esp + 0x20]
            //   03d8                 | inc                 ecx
            //   3bdf                 | mov                 dword ptr [esi + 0xb0], eax
            //   741c                 | dec                 eax

        $sequence_23 = { 751a 488d15f8110100 41b810200100 488bcd }
            // n = 4, score = 200
            //   751a                 | pop                 ebp
            //   488d15f8110100       | adc                 eax, 0x15151515
            //   41b810200100         | adc                 eax, 0x15151515
            //   488bcd               | adc                 eax, 0x11101515

        $sequence_24 = { e8???????? 68204e0000 8b55ec 52 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   68204e0000           | push                0x4e20
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   52                   | push                edx

        $sequence_25 = { 7419 488d15730c0100 488bc8 ff15???????? }
            // n = 4, score = 200
            //   7419                 | xor                 ecx, ebp
            //   488d15730c0100       | mov                 eax, 1
            //   488bc8               | mov                 esp, ebp
            //   ff15????????         |                     

        $sequence_26 = { 817de4f4604000 7311 8b45e4 8b00 }
            // n = 4, score = 200
            //   817de4f4604000       | cmp                 dword ptr [ebp - 0x1c], 0x4060f4
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_27 = { 55 8bec b88c200000 e8???????? 56 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b88c200000           | mov                 eax, 0x208c
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_28 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? }
            // n = 4, score = 200
            //   4883ec20             | jne                 0x1f
            //   8bd9                 | dec                 eax
            //   488d0d950c0100       | lea                 edx, [0x111f8]
            //   ff15????????         |                     

        $sequence_29 = { 4c8d05b7120100 41b903000000 488d4c45bc 488bc1 492bc5 48d1f8 482bf8 }
            // n = 7, score = 200
            //   4c8d05b7120100       | lea                 eax, [0x1126c]
            //   41b903000000         | dec                 ecx
            //   488d4c45bc           | mov                 edx, esp
            //   488bc1               | dec                 eax
            //   492bc5               | mov                 ecx, ebp
            //   48d1f8               | test                eax, eax
            //   482bf8               | inc                 ecx

        $sequence_30 = { 8b4514 895004 c745f01a000000 8b4d14 51 8d55f0 52 }
            // n = 7, score = 200
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   895004               | mov                 dword ptr [eax + 4], edx
            //   c745f01a000000       | mov                 dword ptr [ebp - 0x10], 0x1a
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   51                   | push                ecx
            //   8d55f0               | lea                 edx, [ebp - 0x10]
            //   52                   | push                edx

        $sequence_31 = { e8???????? cc 4c8d056c120100 498bd4 488bcd e8???????? 85c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   cc                   | adc                 eax, 0x15151515
            //   4c8d056c120100       | adc                 eax, 0x15151515
            //   498bd4               | mov                 dword ptr [esi + 0x40da38], eax
            //   488bcd               | add                 esi, 4
            //   e8????????           |                     
            //   85c0                 | cmp                 esi, 0x28

        // Six identical 0xFA bytes (cli) — a low-entropy, filler-like pattern
        // that is weak evidence on its own; it still counts toward "7 of them".
        $sequence_32 = { fa fa fa fa fa fa }
            // n = 6, score = 200
            //   fa                   | lea                 eax, [ebp - 0x134]
            //   fa                   | push                0
            //   fa                   | push                eax
            //   fa                   | outsb               dx, byte ptr [esi]
            //   fa                   | jbe                 0x75
            //   fa                   | jb                  0x7d

        $sequence_33 = { ff15???????? 488d155fda0000 488bcb 483305???????? 488905???????? ff15???????? 488d1549da0000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   488d155fda0000       | lea                 ecx, [esp + 0x71]
            //   488bcb               | inc                 ebp
            //   483305????????       |                     
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1549da0000       | mov                 eax, esi

        $sequence_34 = { 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 4533c9 }
            // n = 7, score = 200
            //   4c8d0502130100       | lea                 edx, [eax + 1]
            //   8bd7                 | inc                 eax
            //   498bcd               | push                ebx
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7415                 | sub                 esp, 0x20
            //   4533c9               | mov                 ebx, ecx

        $sequence_35 = { 50 68???????? 8b4df8 8b5128 52 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   68????????           |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b5128               | mov                 edx, dword ptr [ecx + 0x28]
            //   52                   | push                edx

        // ASCII text, not code: the bytes decode to "ISSVC".
        $sequence_36 = { 49 53 53 56 43 }
            // n = 5, score = 200
            //   49                   | mov                 ecx, dword ptr [eax + 4]
            //   53                   | call                ecx
            //   53                   | add                 esp, 0x14
            //   56                   | mov                 ecx, dword ptr [ebp - 8]
            //   43                   | push                0x128

        // ASCII text, not code: the bytes decode to "spideragent.exe".
        $sequence_37 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | push                esi
            //   696465726167656e     | inc                 ebx
            //   742e                 | cli                 
            //   657865               | cli                 

        $sequence_38 = { 7513 395708 750e 39570c 7509 395704 }
            // n = 6, score = 100
            //   7513                 | insd                dword ptr es:[edi], dx
            //   395708               | dec                 ecx
            //   750e                 | push                ebx
            //   39570c               | push                ebx
            //   7509                 | push                esi
            //   395704               | inc                 ebp

        $sequence_39 = { 5f 5e 5b 33cc c705????????00000000 b801000000 e8???????? }
            // n = 7, score = 100
            //   5f                   | cli                 
            //   5e                   | cli                 
            //   5b                   | jb                  0x71
            //   33cc                 | outsb               dx, byte ptr [esi]
            //   c705????????00000000     |     
            //   b801000000           | insd                dword ptr es:[edi], dx
            //   e8????????           |                     

        $sequence_40 = { 41 ffd5 4c 89f9 48 }
            // n = 5, score = 100
            //   41                   | insd                dword ptr es:[edi], dx
            //   ffd5                 | outsb               dx, byte ptr gs:[esi]
            //   4c                   | je                  0xa
            //   89f9                 | inc                 ebp
            //   48                   | outsb               dx, byte ptr [esi]

        $sequence_41 = { 7309 8b04c5c09b4000 5d c3 33c0 5d c3 }
            // n = 7, score = 100
            //   7309                 | jne                 0x15
            //   8b04c5c09b4000       | cmp                 dword ptr [edi + 8], edx
            //   5d                   | jne                 0x13
            //   c3                   | cmp                 dword ptr [edi + 0xc], edx
            //   33c0                 | jne                 0x13
            //   5d                   | cmp                 dword ptr [edi + 4], edx
            //   c3                   | pop                 edx

        $sequence_42 = { ff15???????? 8b4dfc 33cd b801000000 e8???????? 8be5 5d }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b4dfc               | add                 edx, ebx
            //   33cd                 | push                0x128
            //   b801000000           | lea                 eax, [ebp - 0x134]
            //   e8????????           |                     
            //   8be5                 | push                0
            //   5d                   | push                eax

        $sequence_43 = { 50 ff760c ff7508 ff7604 ff7644 e8???????? }
            // n = 6, score = 100
            //   50                   | inc                 ebp
            //   ff760c               | outsb               dx, byte ptr [esi]
            //   ff7508               | jbe                 0x6d
            //   ff7604               | jb                  0x75
            //   ff7644               | outsb               dx, byte ptr [esi]
            //   e8????????           |                     

        $sequence_44 = { 8d44245c 50 ff15???????? 33c0 5f 5e }
            // n = 6, score = 100
            //   8d44245c             | push                eax
            //   50                   | push                dword ptr [esi + 0xc]
            //   ff15????????         |                     
            //   33c0                 | push                dword ptr [ebp + 8]
            //   5f                   | push                dword ptr [esi + 4]
            //   5e                   | push                dword ptr [esi + 0x44]

        $sequence_45 = { 8d1c88 43 8b041a 41 8985a0000000 }
            // n = 5, score = 100
            //   8d1c88               | dec                 eax
            //   43                   | test                eax, eax
            //   8b041a               | je                  0x1e
            //   41                   | dec                 eax
            //   8985a0000000         | lea                 edx, [0x10c73]

        $sequence_46 = { 48 8b8d28010000 48 85c9 7402 ffd6 }
            // n = 6, score = 100
            //   48                   | cli                 
            //   8b8d28010000         | cli                 
            //   48                   | cli                 
            //   85c9                 | cli                 
            //   7402                 | cli                 
            //   ffd6                 | outsb               dx, byte ptr [esi]

        $sequence_47 = { 50 e8???????? 83c40c 8d85c8feffff 68???????? 50 }
            // n = 6, score = 100
            //   50                   | mov                 dword ptr [esi + 0x58], edx
            //   e8????????           |                     
            //   83c40c               | je                  0x1c
            //   8d85c8feffff         | push                ebx
            //   68????????           |                     
            //   50                   | movzx               ebx, word ptr [ecx]

        // Almost entirely repeated 0x15 bytes — low-entropy pattern that is
        // weak evidence on its own; it still counts toward "7 of them".
        $sequence_48 = { 1515151515 1515151515 1515151011 12????????15 1515151515 1515151515 }
            // n = 6, score = 100
            //   1515151515           | pop                 edi
            //   1515151515           | pop                 esi
            //   1515151011           | pop                 ebx
            //   12????????15         |                     
            //   1515151515           | xor                 ecx, esp
            //   1515151515           | mov                 eax, 1

        $sequence_49 = { 68???????? 50 ff15???????? 6a30 }
            // n = 4, score = 100
            //   68????????           |                     
            //   50                   | outsb               dx, byte ptr gs:[esi]
            //   ff15????????         |                     
            //   6a30                 | je                  6

    condition:
        // Any 7 of the 50 sequences in a file under 327680 bytes (320 KiB).
        // The low-entropy sequences (32, 48) and the plain-ASCII ones (18, 21,
        // 36, 37) each count toward the threshold, so corroborate hits that
        // rely on them with other signals before assigning a high confidence.
        7 of them and filesize < 327680
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    // Hand-written rule for the samples discussed in Kaspersky's 2017 Microcin
    // technical report (see "reference"). hash1-hash3 are 64-hex-digit digests
    // of those samples (presumably SHA-256 — not stated in the meta block).
    // Requires the "pe" module (imported above) for the imphash comparison.
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash1 = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash2 = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash3 = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $s1 looks like a fragment of the MSVC RTTI text "Base Class Descriptor at (",
        // which is common to many MSVC binaries; it is the least specific string here.
        $s1 = "e Class Descriptor at (" fullword ascii
        // $s2-$s5 are MSVC-decorated RTTI class names (".?AV<name>@@") left in the
        // binary; the "AntiAntiApple"/"AppleBin" class names are the distinctive part.
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // 0x5a4d is "MZ" read little-endian at offset 0 (DOS/PE header), then a size
        // cap, then either 4 of the 5 RTTI strings or an import-hash match. An
        // imphash is shared by any binary with the same import table, so a hit on
        // that arm alone is weaker evidence than a hit on the string arm.
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}