win.microcin

Microcin


There is no description at this point.

References
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18Github (dlegezo)Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20211008 | Detects win.microcin.)
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) - how to read the string section below
     * - Each $sequence_N is a run of n consecutive instructions taken from the
     *   sample; "????????" wildcards the relocated part of call/jmp/data
     *   references so the pattern survives rebasing. YARA matches the hex
     *   bytes only - the "| mnemonic" column is a generated annotation and is
     *   NOT used for matching.
     * - The annotation column is misaligned with the bytes for many sequences
     *   and must not be used to reason about what the matched code does:
     *   e.g. $sequence_0 starts with 48 8b ... (a REX.W mov in x64 code) but
     *   is labelled "movdqa"; 75 15 in $sequence_5 is a short jne, not a mov.
     *   Sequences beginning with REX prefixes (41/44/45/48/49/4c) appear to
     *   have been decoded as 32-bit code, which is why "dec eax" / "arpl"
     *   show up where a 64-bit mov/lea would be expected.
     * - Several sequences are not code at all: the bytes of $sequence_23,
     *   $sequence_28, $sequence_29 and $sequence_33 decode as ASCII text,
     *   $sequence_26 is five 0xFA bytes and $sequence_17 four one-byte
     *   opcodes. Such short/low-entropy patterns are weak on their own and
     *   only contribute because the condition requires 7 independent hits.
     * - "score" is a yara-signator per-sequence statistic (presumably
     *   coverage across the family's samples) and is not a confidence level
     *   for the rule; "n" is the instruction count of the sequence.
     */


    strings:
        $sequence_0 = { 488b8db0010000 4833cc e8???????? 488b9c24d8020000 }
            // n = 4, score = 400
            //   488b8db0010000       | movdqa              xmmword ptr [ebp - 0x50], xmm1
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   488b9c24d8020000     | arpl                ax, cx

        $sequence_1 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000068 488d8d80020000 ff15???????? 4863c8 }
            // n = 7, score = 400
            //   488d8d80020000       | dec                 eax
            //   ff15????????         |                     
            //   4863c8               | lea                 ecx, dword ptr [ebp + 0x280]
            //   c6840d8002000068     | dec                 eax
            //   488d8d80020000       | arpl                ax, cx
            //   ff15????????         |                     
            //   4863c8               | mov                 byte ptr [ebp + ecx + 0x280], 0x68

        $sequence_2 = { ffd3 85c0 7e18 80bc35a8feffff3a 741f }
            // n = 5, score = 400
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   741f                 | je                  0x21

        $sequence_3 = { e8???????? ff75d4 e8???????? 83c40c 8bc7 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bc7                 | mov                 eax, edi

        $sequence_4 = { 488bf8 488bc8 ff15???????? 85c0 740c 488bd7 }
            // n = 6, score = 400
            //   488bf8               | dec                 eax
            //   488bc8               | lea                 ecx, dword ptr [ebp + 0x280]
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   740c                 | arpl                ax, cx
            //   488bd7               | dec                 eax

        $sequence_5 = { 7515 c74424484c773373 c744244c31674d5a e9???????? c744244849734541 }
            // n = 5, score = 400
            //   7515                 | mov                 byte ptr [ebp + ecx + 0x280], 0x33
            //   c74424484c773373     | dec                 eax
            //   c744244c31674d5a     | lea                 ecx, dword ptr [ebp + 0x280]
            //   e9????????           |                     
            //   c744244849734541     | inc                 esp

        $sequence_6 = { ff15???????? 4863c8 c6840d8002000033 488d8d80020000 ff15???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4863c8               | lea                 ecx, dword ptr [ebp + 0x280]
            //   c6840d8002000033     | dec                 eax
            //   488d8d80020000       | arpl                ax, cx
            //   ff15????????         |                     

        $sequence_7 = { 8d45ac 50 6801000080 ff15???????? }
            // n = 4, score = 400
            //   8d45ac               | lea                 eax, dword ptr [ebp - 0x54]
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     

        $sequence_8 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f45f7               | cmovne              esi, edi

        $sequence_9 = { ff15???????? 8b3d???????? 8d85e0feffff 50 ffd7 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | lea                 eax, dword ptr [ebp - 0x120]
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_10 = { 50 6805100000 68ffff0000 56 8b35???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   6805100000           | push                0x1005
            //   68ffff0000           | push                0xffff
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_11 = { 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 4, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | lea                 eax, dword ptr [ebp - 0x158]
            //   50                   | push                eax
            //   ffd3                 | call                ebx

        $sequence_12 = { ff15???????? 4863c8 c6840d8002000075 488d8d80020000 ff15???????? 4863c8 c6840d8002000076 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   4863c8               | sub                 eax, ebx
            //   c6840d8002000075     | dec                 eax
            //   488d8d80020000       | add                 edx, esi
            //   ff15????????         |                     
            //   4863c8               | inc                 ebp
            //   c6840d8002000076     | xor                 ecx, ecx

        $sequence_13 = { 83c40c 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]

        $sequence_14 = { 442bc3 4803d6 4533c9 ff15???????? 85c0 75d9 488b742438 }
            // n = 7, score = 400
            //   442bc3               | mov                 byte ptr [ebp + ecx + 0x280], 0x75
            //   4803d6               | dec                 eax
            //   4533c9               | lea                 ecx, dword ptr [ebp + 0x280]
            //   ff15????????         |                     
            //   85c0                 | movdqa              xmmword ptr [ebp - 0x60], xmm0
            //   75d9                 | movdqa              xmmword ptr [ebp - 0x70], xmm1
            //   488b742438           | movdqa              xmmword ptr [ebp - 0x40], xmm0

        $sequence_15 = { 660f7f45a0 660f6f05???????? 660f7f4d90 660f6f0d???????? 660f7f45c0 660f7f4db0 }
            // n = 6, score = 400
            //   660f7f45a0           | je                  0x10
            //   660f6f05????????     |                     
            //   660f7f4d90           | dec                 eax
            //   660f6f0d????????     |                     
            //   660f7f45c0           | mov                 edx, edi
            //   660f7f4db0           | dec                 eax

        $sequence_16 = { 41bc14030000 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 }
            // n = 6, score = 200
            //   41bc14030000         | dec                 eax
            //   4c8d0574130100       | sub                 esp, 0x20
            //   488bcd               | mov                 ebx, ecx
            //   418bd4               | je                  0x1b
            //   e8????????           |                     
            //   33c9                 | dec                 eax

        // NOTE(review): four single-byte opcodes that occur in countless
        // binaries; this sequence is weak on its own.
        $sequence_17 = { 53 53 56 43 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   43                   | inc                 ebx

        $sequence_18 = { 4c8d05b7120100 41b903000000 488d4c45bc 488bc1 492bc5 }
            // n = 5, score = 200
            //   4c8d05b7120100       | jmp                 0x13
            //   41b903000000         | mov                 eax, dword ptr [ebp - 0xc]
            //   488d4c45bc           | add                 eax, 1
            //   488bc1               | mov                 dword ptr [ebp - 0xc], eax
            //   492bc5               | test                eax, eax

        $sequence_19 = { 4c8d056c120100 498bd4 488bcd e8???????? 85c0 7541 4c8bc3 }
            // n = 7, score = 200
            //   4c8d056c120100       | inc                 ebp
            //   498bd4               | xor                 eax, eax
            //   488bcd               | inc                 ecx
            //   e8????????           |                     
            //   85c0                 | lea                 edx, dword ptr [eax + 1]
            //   7541                 | inc                 eax
            //   4c8bc3               | push                ebx

        $sequence_20 = { 4c8d0535120100 33c0 498bd0 3b0a 740e ffc0 }
            // n = 6, score = 200
            //   4c8d0535120100       | dec                 eax
            //   33c0                 | mov                 ecx, ebp
            //   498bd0               | test                eax, eax
            //   3b0a                 | jne                 0x1c
            //   740e                 | dec                 eax
            //   ffc0                 | lea                 edx, dword ptr [0x111f8]

        $sequence_21 = { 8b4df0 890c85003c4100 eb14 8b5514 52 }
            // n = 5, score = 200
            //   8b4df0               | add                 edx, 0x4b000
            //   890c85003c4100       | cmp                 ecx, edx
            //   eb14                 | jl                  0xfffffff6
            //   8b5514               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | mov                 eax, dword ptr [edx + 0x20]

        $sequence_22 = { ffd2 83c414 8945f0 8b45f4 83c008 50 }
            // n = 6, score = 200
            //   ffd2                 | pop                 ecx
            //   83c414               | and                 dword ptr [ebp - 4], 0
            //   8945f0               | push                dword ptr [esi + 0x68]
            //   8b45f4               | add                 edx, 8
            //   83c008               | push                edx
            //   50                   | push                6

        // NOTE(review): these bytes are the ASCII text "spideragent.exe", not
        // code; the mnemonics below are an artefact of disassembling a string.
        $sequence_23 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | jae                 0x72
            //   696465726167656e     | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   742e                 | je                  0x30
            //   657865               | js                  0x68

        $sequence_24 = { 7419 488d15730c0100 488bc8 ff15???????? 4885c0 7404 8bcb }
            // n = 7, score = 200
            //   7419                 | jmp                 0x1f
            //   488d15730c0100       | mov                 eax, dword ptr [ebp - 0x84]
            //   488bc8               | add                 eax, 1
            //   ff15????????         |                     
            //   4885c0               | push                esi
            //   7404                 | push                edi
            //   8bcb                 | mov                 dword ptr [ebp - 0xc], 0

        $sequence_25 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | mov                 esi, dword ptr [esp + 0x38]
            //   8d85ccfeffff         | dec                 eax
            //   6a00                 | mov                 ecx, dword ptr [ebp + 0x1b0]
            //   50                   | dec                 eax

        // NOTE(review): five identical 0xFA bytes - a padding-like, low-entropy
        // pattern that can occur in unrelated files; weak on its own.
        $sequence_26 = { fa fa fa fa fa }
            // n = 5, score = 200
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 

        $sequence_27 = { 83ec08 8b4508 0fb608 81e107000080 7905 49 83c9f8 }
            // n = 7, score = 200
            //   83ec08               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4508               | test                eax, eax
            //   0fb608               | jne                 0xd
            //   81e107000080         | mov                 eax, dword ptr [esi + 0xc]
            //   7905                 | mov                 dword ptr [esi + 0x10], eax
            //   49                   | mov                 edx, dword ptr [esi + 0x34]
            //   83c9f8               | inc                 ecx

        // NOTE(review): ASCII text "ccsvshst.exe", not code (see $sequence_23).
        $sequence_28 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | arpl                word ptr [ebx + 0x73], sp
            //   7673                 | jbe                 0x75
            //   6873742e65           | push                0x652e7473
            //   7865                 | js                  0x67

        // NOTE(review): ASCII text "ronmen" (a fragment of a longer word), not
        // code; six bytes of plain text is a very weak indicator.
        $sequence_29 = { 726f 6e 6d 656e }
            // n = 4, score = 200
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   656e                 | outsb               dx, byte ptr gs:[esi]

        $sequence_30 = { 83e902 8b957cffffff 894c9584 c7857cffffff00000000 eb0f 8b857cffffff 83c001 }
            // n = 7, score = 200
            //   83e902               | sub                 esp, 8
            //   8b957cffffff         | mov                 eax, dword ptr [ebp + 8]
            //   894c9584             | movzx               ecx, byte ptr [eax]
            //   c7857cffffff00000000     | and    ecx, 0x80000007
            //   eb0f                 | jns                 0x10
            //   8b857cffffff         | dec                 ecx
            //   83c001               | or                  ecx, 0xfffffff8

        $sequence_31 = { 4889742420 e8???????? cc 4c8d056c120100 498bd4 488bcd }
            // n = 6, score = 200
            //   4889742420           | jne                 0x1e
            //   e8????????           |                     
            //   cc                   | dec                 eax
            //   4c8d056c120100       | lea                 edx, dword ptr [0x111f8]
            //   498bd4               | inc                 ecx
            //   488bcd               | mov                 eax, 0x12010

        $sequence_32 = { e8???????? 85c0 751a 488d15f8110100 41b810200100 488bcd e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   85c0                 | lea                 ecx, dword ptr [ebp - 0xb60]
            //   751a                 | mov                 eax, dword ptr [ebp - 0x208c]
            //   488d15f8110100       | pop                 esi
            //   41b810200100         | call                edx
            //   488bcd               | add                 esp, 0x14
            //   e8????????           |                     

        // NOTE(review): ASCII text "nviron" (a fragment of a longer word), not
        // code; as weak as $sequence_29.
        $sequence_33 = { 6e 7669 726f 6e }
            // n = 4, score = 200
            //   6e                   | outsb               dx, byte ptr [esi]
            //   7669                 | jbe                 0x6b
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]

        $sequence_34 = { 83c208 52 ff15???????? 6a06 ff15???????? }
            // n = 5, score = 200
            //   83c208               | push                0
            //   52                   | push                eax
            //   ff15????????         |                     
            //   6a06                 | pop                 ecx
            //   ff15????????         |                     

        $sequence_35 = { 83c410 c78574dfffff00000000 8d8da0f4ffff e8???????? 8b8574dfffff 5e }
            // n = 6, score = 200
            //   83c410               | mov                 dword ptr [ebp - 0xc], eax
            //   c78574dfffff00000000     | mov    ecx, dword ptr [ebp - 0x10]
            //   8d8da0f4ffff         | mov                 byte ptr [esi + 0x14b], 0x43
            //   e8????????           |                     
            //   8b8574dfffff         | mov                 dword ptr [esi + 0x68], 0x4135f8
            //   5e                   | push                0xd

        $sequence_36 = { ff15???????? 8b55f0 8b4220 8945f4 8b4df0 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8b55f0               | cli                 
            //   8b4220               | cli                 
            //   8945f4               | jbe                 0x6b
            //   8b4df0               | jb                  0x71

        $sequence_37 = { 4533c0 418d5001 e9???????? 4053 4883ec20 8bd9 }
            // n = 6, score = 200
            //   4533c0               | push                eax
            //   418d5001             | sub                 ecx, 2
            //   e9????????           |                     
            //   4053                 | mov                 edx, dword ptr [ebp - 0x84]
            //   4883ec20             | mov                 dword ptr [ebp + edx*4 - 0x7c], ecx
            //   8bd9                 | mov                 dword ptr [ebp - 0x84], 0

        $sequence_38 = { c6864b01000043 c74668f8354100 6a0d e8???????? 59 8365fc00 ff7668 }
            // n = 7, score = 200
            //   c6864b01000043       | outsb               dx, byte ptr [esi]
            //   c74668f8354100       | insd                dword ptr es:[edi], dx
            //   6a0d                 | outsb               dx, byte ptr gs:[esi]
            //   e8????????           |                     
            //   59                   | je                  8
            //   8365fc00             | push                0x128
            //   ff7668               | lea                 eax, dword ptr [ebp - 0x134]

        $sequence_39 = { c3 8b04c54c8b4000 5d c3 55 8bec }
            // n = 6, score = 100
            //   c3                   | push                esi
            //   8b04c54c8b4000       | cmp                 eax, 0x89
            //   5d                   | ja                  0x1bd
            //   c3                   | movzx               eax, byte ptr [eax + 0x401830]
            //   55                   | jmp                 dword ptr [eax*4 + 0x4017d8]
            //   8bec                 | lea                 eax, dword ptr [ebp - 0x24]

        $sequence_40 = { 50 ff15???????? 8d85c8feffff 50 ff15???????? 85c0 7518 }
            // n = 7, score = 100
            //   50                   | push                0x128
            //   ff15????????         |                     
            //   8d85c8feffff         | lea                 eax, dword ptr [ebp - 0x134]
            //   50                   | push                0
            //   ff15????????         |                     
            //   85c0                 | push                eax
            //   7518                 | push                eax

        $sequence_41 = { c7442418d0114000 c744241c00000000 c744242000000000 89742424 }
            // n = 4, score = 100
            //   c7442418d0114000     | mov                 dword ptr [esp + 0x4c], 0x5a4d6731
            //   c744241c00000000     | mov                 dword ptr [esp + 0x48], 0x41457349
            //   c744242000000000     | dec                 eax
            //   89742424             | arpl                ax, cx

        $sequence_42 = { 50 6a08 ffd7 8b1d???????? 8bf0 83feff }
            // n = 6, score = 100
            //   50                   | xor                 ecx, esp
            //   6a08                 | dec                 eax
            //   ffd7                 | mov                 ebx, dword ptr [esp + 0x2d8]
            //   8b1d????????         |                     
            //   8bf0                 | jne                 0x17
            //   83feff               | mov                 dword ptr [esp + 0x48], 0x7333774c

        $sequence_43 = { 8d85b8feffff 50 ff15???????? 0fb785c4feffff 50 0fb785c2feffff 50 }
            // n = 7, score = 100
            //   8d85b8feffff         | push                8
            //   50                   | call                edi
            //   ff15????????         |                     
            //   0fb785c4feffff       | mov                 esi, eax
            //   50                   | cmp                 esi, -1
            //   0fb785c2feffff       | mov                 dword ptr [esp + 0x18], 0x4011d0
            //   50                   | mov                 dword ptr [esp + 0x1c], 0

        $sequence_44 = { e8???????? 59 8945f4 85c0 7506 8b460c 894610 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | insd                dword ptr es:[edi], dx
            //   8945f4               | jbe                 0x6b
            //   85c0                 | jb                  0x71
            //   7506                 | outsb               dx, byte ptr [esi]
            //   8b460c               | insd                dword ptr es:[edi], dx
            //   894610               | outsb               dx, byte ptr gs:[esi]

        $sequence_45 = { e8???????? 49 8b4e08 44 2bf8 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   44                   | inc                 esp
            //   2bf8                 | sub                 edi, eax

        $sequence_46 = { 895c2500 47 89542504 ebb6 }
            // n = 4, score = 100
            //   895c2500             | mov                 dword ptr [ebp], ebx
            //   47                   | inc                 edi
            //   89542504             | mov                 dword ptr [ebp + 4], edx
            //   ebb6                 | jmp                 0xffffffb8

        $sequence_47 = { 83c428 8d85e8f4ffff 50 ff15???????? 8bf0 33c9 85f6 }
            // n = 7, score = 100
            //   83c428               | mov                 dword ptr [esp + 0x20], 0
            //   8d85e8f4ffff         | mov                 dword ptr [esp + 0x24], esi
            //   50                   | add                 esp, 0xc
            //   ff15????????         |                     
            //   8bf0                 | lea                 eax, dword ptr [ebp - 0x318]
            //   33c9                 | push                0x104
            //   85f6                 | push                eax

        $sequence_48 = { 3d89000000 0f87b2010000 0fb68030184000 ff2485d8174000 68???????? 8d45dc }
            // n = 6, score = 100
            //   3d89000000           | mov                 byte ptr [ebp + ecx + 0x280], 0x76
            //   0f87b2010000         | cmp                 byte ptr [esp + ecx + 0x5f], 0x5c
            //   0fb68030184000       | je                  0x1a
            //   ff2485d8174000       | dec                 eax
            //   68????????           |                     
            //   8d45dc               | lea                 ecx, dword ptr [esp + 0x60]

    condition:
        // 7 of the 49 sequences must hit; the size cap (417792 bytes) keeps the
        // rule from being evaluated against large files and drops samples that
        // are padded or bundled beyond the sizes seen during generation. Note
        // that the rule has no PE-header check, so it also runs on memory
        // dumps and non-PE carriers - intended for the unpacked-file use case.
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

// Hand-written rule: MSVC RTTI class-name fragments from the samples plus an
// import-hash fallback. Requires the "pe" module (import "pe" above) for
// pe.imphash().
rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        // SHA-256 of the three reference samples the strings were taken from.
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // NOTE(review): $s1 looks like a fragment of the generic MSVC RTTI
        // string "Base Class Descriptor at (" found in most C++ binaries built
        // with RTTI. Because it is marked fullword, it only matches when the
        // byte before "e" is non-alphanumeric, so it will NOT hit the standard
        // string (preceded by "s"); presumably it matched a truncated copy in
        // the analysed samples - verify against them before relying on it.
        $s1 = "e Class Descriptor at (" fullword ascii
        // $s2-$s5: MSVC-decorated RTTI type names (.?AV<Class>@@) of classes
        // specific to the sample; these carry the actual detection weight.
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // "MZ" magic and a 300KB size cap gate the expensive checks. Then either
        // 4 of the 5 strings (effectively $s2-$s5 if $s1 is dead, see above) or
        // an import-hash match on the reference samples. If the file has no
        // usable import table, pe.imphash() should evaluate as undefined and
        // the rule falls back to the string branch. Import hashes can collide
        // across unrelated binaries built with the same import set, so treat
        // an imphash-only hit as lower confidence than a string hit.
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}