win.microcin (Back to overview)

Microcin


There is no description at this point.

References
2021-03-10 | ESET Research | Thomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-20 | Dr.Web | Dr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19 | Kaspersky Labs | Denis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18 | Github (dlegezo) | Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14 | ESET Research | Peter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14 | Avast Decoded | Luigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25 | Kaspersky Labs | Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25 | Kaspersky Labs | Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated code-sequence rule for win.microcin (yara-signator).
// Only the hex byte patterns inside each $sequence_N take part in matching;
// the "opcode | mnemonic" lines beneath them are generator comments and are
// never evaluated by YARA.
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read the sequences below
     * - "n" in each sequence comment equals the number of opcode lines listed
     *   for it. "score" (400/200/100 here) presumably reflects how many of the
     *   reference samples contained the sequence — inferred from the generator,
     *   not verified here.
     * - In several sequences the mnemonic column does not correspond to the hex
     *   bytes on the same line (e.g. $sequence_1, $sequence_24, $sequence_45);
     *   this looks like a generator artifact. Treat the hex as authoritative.
     * - $sequence_28, $sequence_30, $sequence_32 and $sequence_35 are printable
     *   ASCII rather than code, so they behave like plain string matches.
     * - $sequence_24 is four identical bytes (fa = cli), a low-information
     *   pattern that nevertheless counts toward the "7 of them" threshold.
     */


    strings:
        $sequence_0 = { 7e18 80bc35a8feffff3a 741f 8d85a8feffff 46 50 ffd3 }
            // n = 7, score = 400
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   741f                 | je                  0x21
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   46                   | inc                 esi
            //   50                   | push                eax
            //   ffd3                 | call                ebx

        // 64-bit code (48 is a REX prefix); the mnemonic column below does not
        // match these bytes — generator artifact, hex is what matches.
        $sequence_1 = { 488bc6 488b8df0040000 4833cc e8???????? 4881c400060000 }
            // n = 5, score = 400
            //   488bc6               | mov                 dword ptr [esi + 0x14], 1
            //   488b8df0040000       | dec                 ebp
            //   4833cc               | lea                 eax, [esi + 0x80]
            //   e8????????           |                     
            //   4881c400060000       | inc                 ecx

        $sequence_2 = { 56 ff15???????? 85c0 0f45f7 }
            // n = 4, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f45f7               | cmovne              esi, edi

        $sequence_3 = { 50 ffd3 85c0 7e18 80bc35a8feffff3a }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a

        $sequence_4 = { 4863c8 c6840d8002000045 488d8d80020000 ff15???????? 4863c8 c6840d8002000034 }
            // n = 6, score = 400
            //   4863c8               | mov                 dword ptr [eax], eax
            //   c6840d8002000045     | dec                 ecx
            //   488d8d80020000       | mov                 dword ptr [esi + 0x88], esi
            //   ff15????????         |                     
            //   4863c8               | dec                 eax
            //   c6840d8002000034     | mov                 eax, esi

        $sequence_5 = { 6805100000 68ffff0000 56 8b35???????? ffd6 }
            // n = 5, score = 400
            //   6805100000           | push                0x1005
            //   68ffff0000           | push                0xffff
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        $sequence_6 = { ff15???????? 8b1d???????? 8d85a8feffff 50 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b1d????????         |                     
            //   8d85a8feffff         | lea                 eax, [ebp - 0x158]
            //   50                   | push                eax

        $sequence_7 = { 895e10 c7461401000000 4d8d8680000000 418900 4989b688000000 }
            // n = 5, score = 400
            //   895e10               | xor                 edx, edx
            //   c7461401000000       | dec                 ecx
            //   4d8d8680000000       | lea                 ecx, [esi + 0x70]
            //   418900               | test                eax, eax
            //   4989b688000000       | mov                 dword ptr [esi + 0x10], ebx

        $sequence_8 = { 897e04 5b 5f 5e 5d c20400 55 }
            // n = 7, score = 400
            //   897e04               | mov                 dword ptr [esi + 4], edi
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp

        $sequence_9 = { 83c40c 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_10 = { b8f5ffffff eb13 b8fcffffff eb0c b8fdffffff eb05 }
            // n = 6, score = 400
            //   b8f5ffffff           | dec                 eax
            //   eb13                 | lea                 ecx, [esp + 0x60]
            //   b8fcffffff           | dec                 eax
            //   eb0c                 | arpl                ax, cx
            //   b8fdffffff           | dec                 eax
            //   eb05                 | lea                 ecx, [esp + 0x60]

        $sequence_11 = { 488bcb 664489642438 488bf0 ff15???????? 0fb7cf 8944243c ff15???????? }
            // n = 7, score = 400
            //   488bcb               | dec                 eax
            //   664489642438         | mov                 ecx, ebx
            //   488bf0               | inc                 sp
            //   ff15????????         |                     
            //   0fb7cf               | mov                 dword ptr [esp + 0x38], esp
            //   8944243c             | dec                 eax
            //   ff15????????         |                     

        $sequence_12 = { 4863c8 807c0c5f5c 7413 488d4c2460 }
            // n = 4, score = 400
            //   4863c8               | arpl                ax, cx
            //   807c0c5f5c           | mov                 byte ptr [ebp + ecx + 0x280], 0x45
            //   7413                 | dec                 eax
            //   488d4c2460           | lea                 ecx, [ebp + 0x280]

        $sequence_13 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_14 = { 33d2 498d4e70 ff15???????? 85c0 }
            // n = 4, score = 400
            //   33d2                 | mov                 esi, eax
            //   498d4e70             | movzx               ecx, di
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x3c], eax

        $sequence_15 = { 7413 488d4c2460 ff15???????? 4863c8 }
            // n = 4, score = 400
            //   7413                 | dec                 eax
            //   488d4c2460           | mov                 ecx, dword ptr [ebp + 0x4f0]
            //   ff15????????         |                     
            //   4863c8               | dec                 eax

        $sequence_16 = { 4c8d0535120100 33c0 498bd0 3b0a 740e }
            // n = 5, score = 200
            //   4c8d0535120100       | inc                 ecx
            //   33c0                 | mov                 dword ptr [esi + 0x84], 4
            //   498bd0               | inc                 ebp
            //   3b0a                 | xor                 ecx, ecx
            //   740e                 | xor                 edx, edx

        $sequence_17 = { 8b55ec 52 ff15???????? 8b4df0 }
            // n = 4, score = 200
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_18 = { 4883c428 c3 4883ec28 e8???????? 4885c0 740a }
            // n = 6, score = 200
            //   4883c428             | lea                 ecx, [esi + 0x70]
            //   c3                   | test                eax, eax
            //   4883ec28             | dec                 eax
            //   e8????????           |                     
            //   4885c0               | mov                 ecx, ebx
            //   740a                 | dec                 eax

        $sequence_19 = { 8a4c181c 888818384100 40 ebe9 }
            // n = 4, score = 200
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   888818384100         | mov                 byte ptr [eax + 0x413818], cl
            //   40                   | inc                 eax
            //   ebe9                 | jmp                 0xffffffeb

        $sequence_20 = { 51 8b4508 8945fc 8b4dfc 8b11 8b4dfc }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_21 = { 00644b40 008c4b40008a46 0323 d188470383ee }
            // n = 4, score = 200
            //   00644b40             | add                 byte ptr [ebx + ecx*2 + 0x40], ah
            //   008c4b40008a46       | add                 byte ptr [ebx + ecx*2 + 0x468a0040], cl
            //   0323                 | add                 esp, dword ptr [ebx]
            //   d188470383ee         | ror                 dword ptr [eax - 0x117cfcb9], 1

        $sequence_22 = { 85c0 752a 4c8d0502130100 8bd7 498bcd e8???????? 85c0 }
            // n = 7, score = 200
            //   85c0                 | inc                 ecx
            //   752a                 | mov                 dword ptr [esi + 0x84], 4
            //   4c8d0502130100       | inc                 ebp
            //   8bd7                 | xor                 ecx, ecx
            //   498bcd               | xor                 edx, edx
            //   e8????????           |                     
            //   85c0                 | dec                 ecx

        $sequence_23 = { 668935???????? 498bd5 ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 }
            // n = 7, score = 200
            //   668935????????       |                     
            //   498bd5               | dec                 ecx
            //   ff15????????         |                     
            //   418d7c24e7           | lea                 ecx, [esi + 0x70]
            //   85c0                 | test                eax, eax
            //   752a                 | dec                 eax
            //   4c8d0502130100       | mov                 ecx, ebx

        // Four repeated 0xfa bytes (cli); very low information content, and the
        // mnemonics below do not belong to these bytes.
        $sequence_24 = { fa fa fa fa }
            // n = 4, score = 200
            //   fa                   | js                  0x6c
            //   fa                   | jae                 0x72
            //   fa                   | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   fa                   | je                  0x30

        $sequence_25 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | mov                 edx, dword ptr [ecx]
            //   8d85ccfeffff         | mov                 ecx, dword ptr [ebp - 4]
            //   6a00                 | cmp                 dword ptr [ebp + edx*4 - 0x188], 0
            //   50                   | jge                 0x3e

        $sequence_26 = { 8bec 8b4508 56 8d34c5c0304100 833e00 }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   8d34c5c0304100       | lea                 esi, [eax*8 + 0x4130c0]
            //   833e00               | cmp                 dword ptr [esi], 0

        $sequence_27 = { 83bc9578feffff00 7d34 8b857cffffff 8b8c8578feffff 83c104 8b957cffffff }
            // n = 6, score = 200
            //   83bc9578feffff00     | cmp                 dword ptr [ebp + edx*4 - 0x188], 0
            //   7d34                 | jge                 0x36
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   8b8c8578feffff       | mov                 ecx, dword ptr [ebp + eax*4 - 0x188]
            //   83c104               | add                 ecx, 4
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]

        // Bytes decode to the ASCII text "spideragent.exe"; effectively a
        // string match, not a code sequence.
        $sequence_28 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | mov                 ecx, dword ptr [ebp - 4]
            //   696465726167656e     | mov                 dword ptr [eax + 0x20], ecx
            //   742e                 | mov                 edx, dword ptr [ebp - 8]
            //   657865               | add                 edx, 8

        $sequence_29 = { cc 4c8d056c120100 498bd4 488bcd e8???????? 85c0 }
            // n = 6, score = 200
            //   cc                   | dec                 eax
            //   4c8d056c120100       | mov                 ecx, dword ptr [ebx + 0xc0]
            //   498bd4               | nop                 
            //   488bcd               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, dword ptr [ebx + 0xa8]

        // Bytes decode to the ASCII text "ccsvshst.exe"; effectively a
        // string match, not a code sequence.
        $sequence_30 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | mov                 byte ptr [eax + 0x413818], cl
            //   7673                 | inc                 eax
            //   6873742e65           | jmp                 0xfffffff2
            //   7865                 | mov                 eax, dword ptr [ebp - 8]

        $sequence_31 = { 498bcd e8???????? 4c8d05b7120100 41b903000000 }
            // n = 4, score = 200
            //   498bcd               | mov                 ecx, dword ptr [ebp + 0x1b0]
            //   e8????????           |                     
            //   4c8d05b7120100       | dec                 eax
            //   41b903000000         | xor                 ecx, esp

        // Bytes decode to the ASCII text "Environmen" (likely the start of a
        // longer word); effectively a string match.
        $sequence_32 = { 45 6e 7669 726f 6e 6d 656e }
            // n = 7, score = 200
            //   45                   | push                edx
            //   6e                   | jns                 7
            //   7669                 | dec                 ecx
            //   726f                 | or                  ecx, 0xfffffff8
            //   6e                   | inc                 ecx
            //   6d                   | mov                 byte ptr [ebp - 6], cl
            //   656e                 | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_33 = { 8b45f8 8b4dfc 894820 8b55f8 83c208 52 ff15???????? }
            // n = 7, score = 200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   894820               | mov                 dword ptr [eax + 0x20], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   83c208               | add                 edx, 8
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_34 = { 744c 8b55f8 6bd268 035510 8b45fc 6bc068 }
            // n = 6, score = 200
            //   744c                 | je                  0x4e
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   6bd268               | imul                edx, edx, 0x68
            //   035510               | add                 edx, dword ptr [ebp + 0x10]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   6bc068               | imul                eax, eax, 0x68

        // Bytes decode to the ASCII text "ISSVC"; a five-byte string match.
        $sequence_35 = { 49 53 53 56 43 }
            // n = 5, score = 200
            //   49                   | mov                 eax, dword ptr [ebp - 0x84]
            //   53                   | mov                 ecx, dword ptr [ebp + eax*4 - 0x188]
            //   53                   | add                 ecx, 4
            //   56                   | mov                 edx, dword ptr [ebp - 0x84]
            //   43                   | mov                 cl, byte ptr [eax + ebx + 0x1c]

        $sequence_36 = { 4533c0 418d5001 e9???????? 4053 4883ec20 8bd9 e8???????? }
            // n = 7, score = 200
            //   4533c0               | mov                 ecx, eax
            //   418d5001             | dec                 esp
            //   e9????????           |                     
            //   4053                 | lea                 eax, [0x11235]
            //   4883ec20             | xor                 eax, eax
            //   8bd9                 | dec                 ecx
            //   e8????????           |                     

        $sequence_37 = { 488d0d950c0100 ff15???????? 4885c0 7419 488d15730c0100 488bc8 }
            // n = 6, score = 200
            //   488d0d950c0100       | cmovne              esi, edi
            //   ff15????????         |                     
            //   4885c0               | lea                 eax, [ebp - 0x54]
            //   7419                 | push                eax
            //   488d15730c0100       | push                0x80000001
            //   488bc8               | test                eax, eax

        $sequence_38 = { 8d44243c 50 ffd3 8d44243c 50 }
            // n = 5, score = 100
            //   8d44243c             | push                ebp
            //   50                   | mov                 ebp, esp
            //   ffd3                 | xor                 ecx, ecx
            //   8d44243c             | cmp                 dword ptr [ebp + 0xc], ecx
            //   50                   | jbe                 0x2c

        $sequence_39 = { 4c 89ce eb02 33ff 48 89da }
            // n = 6, score = 100
            //   4c                   | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   89ce                 | je                  0x38
            //   eb02                 | js                  0x72
            //   33ff                 | jbe                 0x6b
            //   48                   | jb                  0x71
            //   89da                 | outsb               dx, byte ptr [esi]

        $sequence_40 = { 660f7f45d0 660fd645e0 c745e800000000 66c745ec0000 ff15???????? }
            // n = 5, score = 100
            //   660f7f45d0           | mov                 dl, byte ptr [ebp + 0x10]
            //   660fd645e0           | push                esi
            //   c745e800000000       | push                dword ptr [ebp + 0x10]
            //   66c745ec0000         | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     

        $sequence_41 = { 7424 8d85ccfeffff 50 56 }
            // n = 4, score = 100
            //   7424                 | je                  0x24
            //   8d85ccfeffff         | jne                 0xffffffcd
            //   50                   | push                edi
            //   56                   | push                esi

        $sequence_42 = { 7422 68???????? 68???????? ff15???????? e8???????? }
            // n = 5, score = 100
            //   7422                 | outsb               dx, byte ptr gs:[esi]
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_43 = { 5a 48 8b4500 48 }
            // n = 4, score = 100
            //   5a                   | insd                dword ptr es:[edi], dx
            //   48                   | outsb               dx, byte ptr gs:[esi]
            //   8b4500               | jbe                 0x6b
            //   48                   | jb                  0x71

        $sequence_44 = { 75cb 57 ff15???????? 56 8d44245c }
            // n = 5, score = 100
            //   75cb                 | outsb               dx, byte ptr [esi]
            //   57                   | insd                dword ptr es:[edi], dx
            //   ff15????????         |                     
            //   56                   | outsb               dx, byte ptr gs:[esi]
            //   8d44245c             | je                  5

        // The "cli" mnemonics below belong to $sequence_24's bytes, not to
        // these (ff75xx = push dword ptr [ebp+xx]); generator artifact.
        $sequence_45 = { ff7510 ff750c ffd7 ff7518 }
            // n = 4, score = 100
            //   ff7510               | cli                 
            //   ff750c               | cli                 
            //   ffd7                 | cli                 
            //   ff7518               | cli                 

        $sequence_46 = { 6a00 6800000080 6a00 6800000080 680000cf00 68???????? 8d842480000000 }
            // n = 7, score = 100
            //   6a00                 | call                edi
            //   6800000080           | push                dword ptr [ebp + 0x18]
            //   6a00                 | push                esi
            //   6800000080           | push                esi
            //   680000cf00           | push                dword ptr [ebp - 4]
            //   68????????           |                     
            //   8d842480000000       | call                dword ptr [ebp - 0x14]

        $sequence_47 = { 50 ff35???????? ff15???????? 50 ff15???????? 50 6a00 }
            // n = 7, score = 100
            //   50                   | push                0x128
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   50                   | lea                 eax, [ebp - 0x134]
            //   ff15????????         |                     
            //   50                   | push                0
            //   6a00                 | push                eax

        $sequence_48 = { 8b9f98000000 8d541f05 3bc2 7609 83c705 }
            // n = 5, score = 100
            //   8b9f98000000         | outsb               dx, byte ptr [esi]
            //   8d541f05             | insd                dword ptr es:[edi], dx
            //   3bc2                 | outsb               dx, byte ptr gs:[esi]
            //   7609                 | je                  8
            //   83c705               | jae                 0x72

        $sequence_49 = { 55 8bec 33c9 394d0c 7623 8a5510 56 }
            // n = 7, score = 100
            //   55                   | jb                  0x71
            //   8bec                 | outsb               dx, byte ptr [esi]
            //   33c9                 | insd                dword ptr es:[edi], dx
            //   394d0c               | outsb               dx, byte ptr gs:[esi]
            //   7623                 | je                  8
            //   8a5510               | cli                 
            //   56                   | cli                 

    condition:
        // Fires when any 7 of the 50 sequences ($sequence_0..$sequence_49) are
        // present in a file smaller than 417792 bytes (408 KiB). There is no
        // header or format check, so the size cap is the only pre-filter.
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

// Sample-based rule for win.microcin (Florian Roth), built from the samples in
// the Kaspersky technical report cited below. Relies on the "pe" module, which
// must be imported before this rule, for pe.imphash().
rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        // Reference sample hashes (64 hex digits each, i.e. SHA-256 length).
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // NOTE(review): $s1 resembles the tail of the MSVC RTTI text
        // "Base Class Descriptor at (", which many MSVC-built binaries contain.
        // Because of `fullword`, an 'e' directly preceded by 's' would not
        // match there, so the samples presumably carry this text in a different
        // form — confirm before relying on $s1 in isolation.
        $s1 = "e Class Descriptor at (" fullword ascii
        // $s2-$s5 are MSVC-decorated RTTI type descriptor names (.?AV<Class>@@)
        // of the sample's own C++ classes.
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // MZ header check and size cap, then either 4 of the 5 strings or an
        // import-hash match. The imphash branch alone satisfies the rule, so a
        // hit with zero string matches is possible and should be read as an
        // imphash-only hit.
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}