SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microcin (Back to overview)

Microcin


There is no description at this point.

References
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18Github (dlegezo)Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20220411 | Detects win.microcin.)
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c744242880000000 c744242003000000 4533c9 ba00000080 448d4001 }
            // n = 5, score = 400
            //   c744242880000000     | mov                 ecx, dword ptr [ebp + 0x14]
            //   c744242003000000     | push                ecx
            //   4533c9               | push                0
            //   ba00000080           | push                0
            //   448d4001             | mov                 dword ptr [ebp - 0x14], eax

        $sequence_1 = { 897e04 5b 5f 5e 5d c20400 55 }
            // n = 7, score = 400
            //   897e04               | mov                 esp, ebp
            //   5b                   | pop                 ebp
            //   5f                   | mov                 esp, ebx
            //   5e                   | dec                 eax
            //   5d                   | xor                 eax, esp
            //   c20400               | dec                 eax
            //   55                   | mov                 dword ptr [ebp + 0x1b0], eax

        $sequence_2 = { 33f6 50 ffd3 85c0 7e18 80bc35a8feffff3a }
            // n = 6, score = 400
            //   33f6                 | push                0x104
            //   50                   | lea                 eax, dword ptr [ebp - 0x138]
            //   ffd3                 | push                0
            //   85c0                 | push                esi
            //   7e18                 | movzx               eax, ax
            //   80bc35a8feffff3a     | shl                 eax, 0x10

        $sequence_3 = { 4833c4 488985b0010000 488bd9 488d4c2458 ff15???????? }
            // n = 5, score = 400
            //   4833c4               | dec                 eax
            //   488985b0010000       | lea                 ecx, dword ptr [0x10c95]
            //   488bd9               | add                 esp, 8
            //   488d4c2458           | mov                 eax, dword ptr [ebp - 0x10]
            //   ff15????????         |                     

        $sequence_4 = { 4885c0 742b 488b4018 488b08 8b09 ff15???????? 488bf8 }
            // n = 7, score = 400
            //   4885c0               | push                0xd
            //   742b                 | pop                 eax
            //   488b4018             | pop                 ebp
            //   488b08               | ret                 
            //   8b09                 | mov                 eax, dword ptr [ecx*8 + 0x4131f4]
            //   ff15????????         |                     
            //   488bf8               | inc                 eax

        $sequence_5 = { 488bf8 488bc8 ff15???????? 85c0 740c 488bd7 }
            // n = 6, score = 400
            //   488bf8               | mov                 dword ptr [eax + 0x24], edx
            //   488bc8               | mov                 ecx, dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   85c0                 | add                 ecx, 8
            //   740c                 | push                ecx
            //   488bd7               | mov                 edx, dword ptr [ebp + 8]

        $sequence_6 = { 6805100000 68ffff0000 56 8b35???????? ffd6 6a04 }
            // n = 6, score = 400
            //   6805100000           | add                 eax, 8
            //   68ffff0000           | push                eax
            //   56                   | mov                 ecx, dword ptr [ebp - 4]
            //   8b35????????         |                     
            //   ffd6                 | push                0x128
            //   6a04                 | lea                 eax, dword ptr [ebp - 0x134]

        $sequence_7 = { ff15???????? 4863c8 807c0d8f5c 7412 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   4863c8               | and                 eax, 2
            //   807c0d8f5c           | mov                 dword ptr [ebp - 0x10], eax
            //   7412                 | jne                 0x19

        $sequence_8 = { 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 4, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | mov                 dword ptr [ecx + edx*4], eax
            //   50                   | mov                 dword ptr [edx + 0x24], 0
            //   ffd3                 | mov                 eax, dword ptr [ebp - 4]

        $sequence_9 = { 418900 4989b688000000 41c7868400000004000000 4533c9 33d2 }
            // n = 5, score = 400
            //   418900               | add                 byte ptr [edx + ecx*2], al
            //   4989b688000000       | inc                 eax
            //   41c7868400000004000000     | mov    edx, dword ptr [ecx + 0x24]
            //   4533c9               | add                 edx, 1
            //   33d2                 | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_10 = { 488bcb ff15???????? 488bcb ff15???????? 448bc0 }
            // n = 5, score = 400
            //   488bcb               | add                 al, ah
            //   ff15????????         |                     
            //   488bcb               | dec                 ecx
            //   ff15????????         |                     
            //   448bc0               | inc                 eax

        $sequence_11 = { c6840d8002000077 488d8d80020000 ff15???????? 4863c8 c6840d8002000075 }
            // n = 5, score = 400
            //   c6840d8002000077     | mov                 dword ptr [edx + 0x104], ecx
            //   488d8d80020000       | mov                 dword ptr [ebp - 0x84], 0
            //   ff15????????         |                     
            //   4863c8               | jmp                 0x1b
            //   c6840d8002000075     | mov                 eax, dword ptr [ebp - 0x84]

        $sequence_12 = { 8d45ac 50 6801000080 ff15???????? 85c0 }
            // n = 5, score = 400
            //   8d45ac               | push                eax
            //   50                   | push                esi
            //   6801000080           | push                0x10000003
            //   ff15????????         |                     
            //   85c0                 | push                edi

        $sequence_13 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 400
            //   56                   | movzx               eax, word ptr [ebp - 0x13e]
            //   ff15????????         |                     
            //   85c0                 | push                eax
            //   0f45f7               | movzx               eax, word ptr [ebp - 0x140]

        $sequence_14 = { 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff 50 }
            // n = 6, score = 400
            //   8d85f8feffff         | push                0
            //   6804010000           | push                eax
            //   50                   | je                  0x3f
            //   ff15????????         |                     
            //   8d85f8feffff         | push                0x10
            //   50                   | lea                 eax, dword ptr [esp + 0x10]

        $sequence_15 = { 7e18 80bc35a8feffff3a 741f 8d85a8feffff }
            // n = 4, score = 400
            //   7e18                 | mov                 edx, dword ptr [ebp - 0x2084]
            //   80bc35a8feffff3a     | imul                edx, edx, 0x68
            //   741f                 | lea                 ecx, dword ptr [ebp + edx - 0x15f0]
            //   8d85a8feffff         | mov                 edx, dword ptr [ebp - 0x2088]

        $sequence_16 = { fa fa fa fa fa fa fa }
            // n = 7, score = 200
            //   fa                   | lea                 ecx, dword ptr [ebp + eax*2 - 0x44]
            //   fa                   | dec                 eax
            //   fa                   | mov                 eax, ecx
            //   fa                   | dec                 ecx
            //   fa                   | sub                 eax, ebp
            //   fa                   | dec                 esp
            //   fa                   | lea                 eax, dword ptr [0x112b7]

        $sequence_17 = { e8???????? 4c8d05b7120100 41b903000000 488d4c45bc }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4c8d05b7120100       | dec                 ecx
            //   41b903000000         | mov                 edx, ebp
            //   488d4c45bc           | inc                 ecx

        $sequence_18 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | cli                 
            //   8d85ccfeffff         | cli                 
            //   6a00                 | cli                 
            //   50                   | cli                 

        $sequence_19 = { 8b5124 83c201 8b45f4 895024 8b4df4 83c108 51 }
            // n = 7, score = 200
            //   8b5124               | cli                 
            //   83c201               | cli                 
            //   8b45f4               | cli                 
            //   895024               | cli                 
            //   8b4df4               | cli                 
            //   83c108               | cli                 
            //   51                   | cli                 

        $sequence_20 = { 488d15f8110100 41b810200100 488bcd e8???????? e9???????? 4533c9 }
            // n = 6, score = 200
            //   488d15f8110100       | lea                 edi, dword ptr [esp - 0x19]
            //   41b810200100         | test                eax, eax
            //   488bcd               | jne                 0x2e
            //   e8????????           |                     
            //   e9????????           |                     
            //   4533c9               | dec                 esp

        $sequence_21 = { e8???????? 83c408 8b45f0 83e002 8945f0 7511 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c408               | outsb               dx, byte ptr [esi]
            //   8b45f0               | jbe                 0x6c
            //   83e002               | jb                  0x71
            //   8945f0               | outsb               dx, byte ptr [esi]
            //   7511                 | insd                dword ptr es:[edi], dx

        $sequence_22 = { 488d0d950c0100 ff15???????? 4885c0 7419 }
            // n = 4, score = 200
            //   488d0d950c0100       | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | lea                 ecx, dword ptr [0x10c95]
            //   7419                 | dec                 eax

        $sequence_23 = { 6a0d 58 5d c3 8b04cdf4314100 }
            // n = 5, score = 200
            //   6a0d                 | outsb               dx, byte ptr gs:[esi]
            //   58                   | je                  8
            //   5d                   | arpl                word ptr [ebx + 0x73], sp
            //   c3                   | jbe                 0x78
            //   8b04cdf4314100       | push                0x652e7473

        $sequence_24 = { ff15???????? 8945ec 8b4df0 e8???????? 68204e0000 8b55ec }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8945ec               | mov                 dword ptr [ebp], eax
            //   8b4df0               | dec                 ecx
            //   e8????????           |                     
            //   68204e0000           | mov                 edi, dword ptr [eax + 0xa8]
            //   8b55ec               | dec                 ebp

        $sequence_25 = { 752a 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 }
            // n = 7, score = 200
            //   752a                 | dec                 eax
            //   4c8d0502130100       | lea                 edx, dword ptr [0x111f8]
            //   8bd7                 | dec                 esp
            //   498bcd               | lea                 eax, dword ptr [0x11374]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7415                 | mov                 ecx, ebp

        $sequence_26 = { ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   418d7c24e7           | test                eax, eax
            //   85c0                 | je                  0x1b
            //   752a                 | inc                 ecx
            //   4c8d0502130100       | lea                 edi, dword ptr [esp - 0x19]
            //   8bd7                 | test                eax, eax

        $sequence_27 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | dec                 ecx
            //   696465726167656e     | push                ebx
            //   742e                 | push                ebx
            //   657865               | push                esi

        $sequence_28 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | lea                 eax, dword ptr [0x112b7]
            //   7673                 | inc                 ecx
            //   6873742e65           | mov                 ecx, 3
            //   7865                 | dec                 eax

        $sequence_29 = { cc 4c8d056c120100 498bd4 488bcd }
            // n = 4, score = 200
            //   cc                   | mov                 edx, esp
            //   4c8d056c120100       | xor                 ecx, ecx
            //   498bd4               | dec                 esp
            //   488bcd               | lea                 eax, dword ptr [0x112b7]

        $sequence_30 = { 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 }
            // n = 6, score = 200
            //   4c8d0574130100       | dec                 eax
            //   488bcd               | test                eax, eax
            //   418bd4               | dec                 esp
            //   e8????????           |                     
            //   33c9                 | mov                 eax, ebx
            //   85c0                 | dec                 ecx

        $sequence_31 = { 49 53 53 56 43 }
            // n = 5, score = 200
            //   49                   | inc                 ebp
            //   53                   | xor                 ecx, ecx
            //   53                   | dec                 ecx
            //   56                   | mov                 ecx, ebp
            //   43                   | dec                 esp

        $sequence_32 = { 4c8bc3 498bd4 488bcd e8???????? 85c0 751a 488d15f8110100 }
            // n = 7, score = 200
            //   4c8bc3               | push                ebx
            //   498bd4               | dec                 eax
            //   488bcd               | sub                 esp, 0x20
            //   e8????????           |                     
            //   85c0                 | mov                 ebx, ecx
            //   751a                 | dec                 eax
            //   488d15f8110100       | lea                 ecx, dword ptr [0x10c95]

        $sequence_33 = { 726f 6e 6d 656e 7400 }
            // n = 5, score = 200
            //   726f                 | lea                 edx, dword ptr [0x111f8]
            //   6e                   | inc                 ecx
            //   6d                   | mov                 eax, 0x12010
            //   656e                 | dec                 eax
            //   7400                 | mov                 ecx, ebp

        $sequence_34 = { 8b4d14 51 68???????? 6a00 6a00 ff15???????? }
            // n = 6, score = 200
            //   8b4d14               | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   51                   | je                  0x38
            //   68????????           |                     
            //   6a00                 | js                  0x72
            //   6a00                 | dec                 eax
            //   ff15????????         |                     

        $sequence_35 = { 8b5508 898a04010000 c7857cffffff00000000 eb0f 8b857cffffff }
            // n = 5, score = 200
            //   8b5508               | cli                 
            //   898a04010000         | cli                 
            //   c7857cffffff00000000     | cli    
            //   eb0f                 | cli                 
            //   8b857cffffff         | jae                 0x72

        $sequence_36 = { 03048a 8b957cdfffff 6bd268 8d8c1510eaffff 8b9578dfffff 890491 e9???????? }
            // n = 7, score = 200
            //   03048a               | inc                 ecx
            //   8b957cdfffff         | mov                 esp, eax
            //   6bd268               | inc                 ebp
            //   8d8c1510eaffff       | test                esp, esp
            //   8b9578dfffff         | jne                 0xd
            //   890491               | dec                 ecx
            //   e9????????           |                     

        $sequence_37 = { 40 00e0 49 40 00044a 40 }
            // n = 6, score = 200
            //   40                   | js                  0x6c
            //   00e0                 | dec                 ecx
            //   49                   | push                ebx
            //   40                   | push                ebx
            //   00044a               | push                esi
            //   40                   | inc                 ebx

        $sequence_38 = { 41 89c4 45 85e4 7508 }
            // n = 5, score = 100
            //   41                   | cli                 
            //   89c4                 | cli                 
            //   45                   | cli                 
            //   85e4                 | jb                  0x71
            //   7508                 | outsb               dx, byte ptr [esi]

        $sequence_39 = { 33c5 8945fc 6804010000 8d85c8feffff }
            // n = 4, score = 100
            //   33c5                 | int3                
            //   8945fc               | dec                 esp
            //   6804010000           | lea                 eax, dword ptr [0x1126c]
            //   8d85c8feffff         | dec                 ecx

        $sequence_40 = { 8bf0 85f6 0f8480000000 33c9 85f6 }
            // n = 5, score = 100
            //   8bf0                 | lea                 ecx, dword ptr [0x10c95]
            //   85f6                 | dec                 eax
            //   0f8480000000         | test                eax, eax
            //   33c9                 | je                  0x1e
            //   85f6                 | inc                 eax

        $sequence_41 = { 8d44243c 50 ffd3 8d44243c 50 ff15???????? }
            // n = 6, score = 100
            //   8d44243c             | lea                 eax, dword ptr [0x11374]
            //   50                   | dec                 eax
            //   ffd3                 | mov                 ecx, ebp
            //   8d44243c             | inc                 ecx
            //   50                   | mov                 edx, esp
            //   ff15????????         |                     

        $sequence_42 = { 743d 6a10 8d442410 50 56 6803000010 57 }
            // n = 7, score = 100
            //   743d                 | inc                 ecx
            //   6a10                 | mov                 eax, 0x12010
            //   8d442410             | dec                 eax
            //   50                   | mov                 ecx, ebp
            //   56                   | inc                 ecx
            //   6803000010           | mov                 esp, 0x314
            //   57                   | dec                 esp

        $sequence_43 = { 0fb785c2feffff 50 0fb785c0feffff 50 0fb785befeffff }
            // n = 5, score = 100
            //   0fb785c2feffff       | mov                 edx, esp
            //   50                   | dec                 eax
            //   0fb785c0feffff       | test                eax, eax
            //   50                   | je                  0x1e
            //   0fb785befeffff       | dec                 eax

        $sequence_44 = { 25ff0f0000 0306 50 ff7510 53 }
            // n = 5, score = 100
            //   25ff0f0000           | outsb               dx, byte ptr [esi]
            //   0306                 | jbe                 0x6b
            //   50                   | jb                  0x73
            //   ff7510               | outsb               dx, byte ptr [esi]
            //   53                   | insd                dword ptr es:[edi], dx

        $sequence_45 = { 6a00 56 ff15???????? 0fb7c0 c1e010 50 ff15???????? }
            // n = 7, score = 100
            //   6a00                 | mov                 edx, esp
            //   56                   | dec                 eax
            //   ff15????????         |                     
            //   0fb7c0               | mov                 ecx, ebp
            //   c1e010               | xor                 edx, edx
            //   50                   | xor                 ecx, ecx
            //   ff15????????         |                     

        $sequence_46 = { 48 894500 49 8bb8a8000000 4d }
            // n = 5, score = 100
            //   48                   | outsb               dx, byte ptr gs:[esi]
            //   894500               | je                  4
            //   49                   | cli                 
            //   8bb8a8000000         | cli                 
            //   4d                   | cli                 

        $sequence_47 = { 49 8b7520 4c 89e9 4c }
            // n = 5, score = 100
            //   49                   | insd                dword ptr es:[edi], dx
            //   8b7520               | outsb               dx, byte ptr gs:[esi]
            //   4c                   | je                  5
            //   89e9                 | jbe                 0x6b
            //   4c                   | jb                  0x73

        $sequence_48 = { 8d45f0 50 8d45fc 50 56 bf06000200 }
            // n = 6, score = 100
            //   8d45f0               | cli                 
            //   50                   | cli                 
            //   8d45fc               | outsb               dx, byte ptr [esi]
            //   50                   | insd                dword ptr es:[edi], dx
            //   56                   | outsb               dx, byte ptr gs:[esi]
            //   bf06000200           | je                  4

        $sequence_49 = { 6a01 8d442418 50 c744241c01000600 c744242000010000 89742424 ff15???????? }
            // n = 7, score = 100
            //   6a01                 | dec                 eax
            //   8d442418             | mov                 dword ptr [esp + 0x20], esi
            //   50                   | int3                
            //   c744241c01000600     | dec                 esp
            //   c744242000010000     | lea                 eax, dword ptr [0x1126c]
            //   89742424             | dec                 ecx
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "e Class Descriptor at (" fullword ascii
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}
Download all Yara Rules