win.microcin

Microcin


There is no description at this point.

References
2021-03-10 — ESET Research — Mathieu Tartare, Matthieu Faou, Thomas Dupuy
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2020-07-29 — ESET Research — welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20 — Dr.Web — Dr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19 — Kaspersky Labs — Denis Legezo
Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-06-19 — Kaspersky Labs — Denis Legezo
Microcin is here
Microcin Vicious Panda
2020-05-18 — Github (dlegezo) — Denis Legezo
Microcin Decryptor
Microcin
2020-05-14 — Avast Decoded — Luigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin
2020-05-14 — ESET Research — Peter Kálnai
Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin
2020-05-14 — ESET Research — Peter Kálnai
Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
Microcin Vicious Panda
2020-05-14 — Avast Decoded — Luigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2019-08-01 — Kaspersky Labs — GReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2017-11-25 — Kaspersky Labs — Alexey Shulmin, Dmitry Karasovsky, Vasily Berdnikov
MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Vicious Panda
2017-09-25 — Kaspersky Labs — Alexey Shulmin, Dmitry Karasovsky, Vasily Berdnikov
A simple example of a complex cyberattack
Microcin
2017-09-25 — Kaspersky Labs — Alexey Shulmin, Dmitry Karasovsky, Vasily Berdnikov
A simple example of a complex cyberattack
Microcin Vicious Panda
Yara Rules
[TLP:WHITE] win_microcin_auto (20260504 | Detects win.microcin.)
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Only the hex byte patterns match; the "| mnemonic" column in the
     *   per-sequence comments is informational and is not reliable here. It
     *   appears shifted against the byte column in many sequences (e.g. in
     *   $sequence_0 the bytes 8d85e0feffff are annotated "test eax, eax", and
     *   in $sequence_4 the bytes 85c0 are annotated "lea eax, [ebp - 0x158]"),
     *   and 64-bit sequences are annotated as if decoded in 32-bit mode (in
     *   $sequence_46 the REX prefix 48 is annotated "dec eax"). Do not tune
     *   the rule from the mnemonics; re-disassemble the bytes if needed.
     * - The rule mixes 32-bit sequences (push/call ebp-relative code) with
     *   64-bit sequences (those starting with a REX prefix 41/48/4c), so a
     *   single sample will typically match only one subset; the "7 of them"
     *   threshold accounts for that and should not be lowered.
     * - $sequence_18 (six 0xfa bytes) and the ASCII-only sequences
     *   $sequence_25, $sequence_28 and $sequence_33 are low-information on
     *   their own and should not be relied on as standalone indicators.
     * - The ???????? wildcards mask operands of calls/jumps and data
     *   references (see signator_config), which is what lets the sequences
     *   survive differing link addresses and import layouts.
     */

    strings:
        $sequence_0 = { ff15???????? 8b3d???????? 8d85e0feffff 50 ffd7 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | test                eax, eax
            //   50                   | jle                 0x1c
            //   ffd7                 | cmp                 byte ptr [ebp + esi - 0x158], 0x3a

        $sequence_1 = { 488bcb 664489642438 488bf0 ff15???????? }
            // n = 4, score = 400
            //   488bcb               | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   664489642438         | je                  0x30
            //   488bf0               | push                eax
            //   ff15????????         |                     

        $sequence_2 = { ff75d4 e8???????? 83c40c 8bc7 }
            // n = 4, score = 400
            //   ff75d4               | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   e8????????           |                     
            //   83c40c               | test                eax, eax
            //   8bc7                 | je                  0x2a

        $sequence_3 = { 488bc6 488b8df0040000 4833cc e8???????? 4881c400060000 415f 415e }
            // n = 7, score = 400
            //   488bc6               | push                eax
            //   488b8df0040000       | call                ebx
            //   4833cc               | test                eax, eax
            //   e8????????           |                     
            //   4881c400060000       | jle                 0x1e
            //   415f                 | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   415e                 | je                  0x2f

        $sequence_4 = { 6a10 50 56 ff15???????? 85c0 0f45f7 }
            // n = 6, score = 400
            //   6a10                 | jle                 0x1c
            //   50                   | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   56                   | je                  0x2d
            //   ff15????????         |                     
            //   85c0                 | lea                 eax, [ebp - 0x158]
            //   0f45f7               | lea                 eax, [ebp - 0x158]

        $sequence_5 = { 488d4d90 ff15???????? 4863c8 807c0d8f5c 7412 488d4d90 ff15???????? }
            // n = 7, score = 400
            //   488d4d90             | push                0x1005
            //   ff15????????         |                     
            //   4863c8               | push                0xffff
            //   807c0d8f5c           | push                esi
            //   7412                 | call                esi
            //   488d4d90             | lea                 eax, [ebp - 0x54]
            //   ff15????????         |                     

        $sequence_6 = { 4863c8 c6840d8002000077 488d8d80020000 ff15???????? 4863c8 c6840d8002000075 }
            // n = 6, score = 400
            //   4863c8               | lea                 eax, [ebp - 0x108]
            //   c6840d8002000077     | push                0x104
            //   488d8d80020000       | push                eax
            //   ff15????????         |                     
            //   4863c8               | lea                 eax, [ebp - 0x108]
            //   c6840d8002000075     | push                eax

        $sequence_7 = { ffd3 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff }
            // n = 6, score = 400
            //   ffd3                 | add                 eax, 0xffffff44
            //   85c0                 | push                0xe
            //   7e18                 | sar                 edx, cl
            //   80bc35a8feffff3a     | movzx               eax, byte ptr [ebp - 2]
            //   741f                 | add                 eax, edx
            //   8d85a8feffff         | mov                 byte ptr [ebp - 2], al

        $sequence_8 = { 6804010000 50 ff15???????? 8d85f8feffff }
            // n = 4, score = 400
            //   6804010000           | push                eax
            //   50                   | push                0x104
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x110]

        $sequence_9 = { ffc3 48ffc7 ff15???????? 3bd8 7ce8 }
            // n = 5, score = 400
            //   ffc3                 | push                eax
            //   48ffc7               | push                0x80000001
            //   ff15????????         |                     
            //   3bd8                 | test                eax, eax
            //   7ce8                 | push                0x1005

        $sequence_10 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000076 488d8d80020000 ff15???????? 4863c8 }
            // n = 7, score = 400
            //   488d8d80020000       | xor                 esi, esi
            //   ff15????????         |                     
            //   4863c8               | push                eax
            //   c6840d8002000076     | call                ebx
            //   488d8d80020000       | test                eax, eax
            //   ff15????????         |                     
            //   4863c8               | jle                 0x1f

        $sequence_11 = { 4833c4 488985f0040000 4c8b3d???????? 4533c0 8bfa }
            // n = 5, score = 400
            //   4833c4               | push                0xffff
            //   488985f0040000       | push                esi
            //   4c8b3d????????       |                     
            //   4533c0               | push                esi
            //   8bfa                 | test                eax, eax

        $sequence_12 = { 488d4c2460 ff15???????? 4863c8 807c0c5f5c }
            // n = 4, score = 400
            //   488d4c2460           | push                0x1005
            //   ff15????????         |                     
            //   4863c8               | push                0xffff
            //   807c0c5f5c           | push                esi

        $sequence_13 = { 68ffff0000 56 8b35???????? ffd6 }
            // n = 4, score = 400
            //   68ffff0000           | lea                 eax, [0x112b7]
            //   56                   | inc                 ecx
            //   8b35????????         |                     
            //   ffd6                 | mov                 ecx, 3

        $sequence_14 = { 8b1d???????? 8d85a8feffff 50 ffd3 85c0 }
            // n = 5, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | add                 esp, 0xc
            //   50                   | lea                 eax, [ebp - 0x24]
            //   ffd3                 | push                eax
            //   85c0                 | mov                 esi, eax

        $sequence_15 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | jne                 0xffffffeb
            //   7426                 | push                esi
            //   8b400c               | dec                 esp

        $sequence_16 = { 8b45f8 8b4dfc 894820 8b55f8 83c208 }
            // n = 5, score = 200
            //   8b45f8               | dec                 ecx
            //   8b4dfc               | push                ebx
            //   894820               | push                ebx
            //   8b55f8               | push                esi
            //   83c208               | cli                 

        $sequence_17 = { 488d15f8110100 41b810200100 488bcd e8???????? e9???????? 4533c9 4533c0 }
            // n = 7, score = 200
            //   488d15f8110100       | dec                 eax
            //   41b810200100         | lea                 edx, [0x111f8]
            //   488bcd               | inc                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   4533c9               | mov                 eax, 0x12010
            //   4533c0               | dec                 eax

        $sequence_18 = { fa fa fa fa fa fa }
            // NOTE(review): a run of six identical 0xfa bytes is padding/filler-like
            // and carries little family-specific information; it only contributes
            // towards the "7 of them" count.
            // n = 6, score = 200
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 

        $sequence_19 = { 53 53 56 43 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   43                   | inc                 ebx

        $sequence_20 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 7419 }
            // n = 6, score = 200
            //   4883ec20             | mov                 ecx, ebp
            //   8bd9                 | inc                 ebp
            //   488d0d950c0100       | xor                 ecx, ecx
            //   ff15????????         |                     
            //   4885c0               | inc                 ebp
            //   7419                 | xor                 eax, eax

        $sequence_21 = { 8b55fc c7422400000000 8b45fc 83c008 50 }
            // n = 5, score = 200
            //   8b55fc               | push                0
            //   c7422400000000       | push                eax
            //   8b45fc               | add                 esp, 0x38
            //   83c008               | inc                 eax
            //   50                   | pop                 edi

        $sequence_22 = { 4c8d056c120100 498bd4 488bcd e8???????? 85c0 }
            // n = 5, score = 200
            //   4c8d056c120100       | dec                 eax
            //   498bd4               | sub                 esp, 0x20
            //   488bcd               | mov                 ebx, ecx
            //   e8????????           |                     
            //   85c0                 | dec                 eax

        $sequence_23 = { ff15???????? 8b4df4 8b5124 83c201 8b45f4 895024 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8b4df4               | cli                 
            //   8b5124               | cli                 
            //   83c201               | cli                 
            //   8b45f4               | cli                 
            //   895024               | cli                 

        $sequence_24 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | cli                 
            //   8d85ccfeffff         | cli                 
            //   6a00                 | cli                 
            //   50                   | cli                 

        $sequence_25 = { 7370 696465726167656e 742e 657865 }
            // NOTE(review): these bytes are the ASCII text "spideragent.exe", not
            // code; the mnemonics below are a disassembly of string data.
            // n = 4, score = 200
            //   7370                 | jae                 0x72
            //   696465726167656e     | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   742e                 | je                  0x30
            //   657865               | js                  0x68

        $sequence_26 = { 8b85c4f4ffff 83e802 898558ffffff 8b8dc4f4ffff 6bc903 894d9c }
            // n = 6, score = 200
            //   8b85c4f4ffff         | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   83e802               | je                  0x30
            //   898558ffffff         | js                  0x6a
            //   8b8dc4f4ffff         | outsb               dx, byte ptr [esi]
            //   6bc903               | insd                dword ptr es:[edi], dx
            //   894d9c               | outsb               dx, byte ptr gs:[esi]

        $sequence_27 = { 4c8d0502130100 8bd7 498bcd e8???????? }
            // n = 4, score = 200
            //   4c8d0502130100       | inc                 ecx
            //   8bd7                 | mov                 edx, esp
            //   498bcd               | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_28 = { 636373 7673 6873742e65 7865 }
            // NOTE(review): these bytes are the ASCII text "ccsvshst.exe", not
            // code; the mnemonics below are a disassembly of string data.
            // n = 4, score = 200
            //   636373               | arpl                word ptr [ebx + 0x73], sp
            //   7673                 | jbe                 0x75
            //   6873742e65           | push                0x652e7473
            //   7865                 | js                  0x67

        $sequence_29 = { 4885c0 7419 488d15730c0100 488bc8 ff15???????? }
            // n = 5, score = 200
            //   4885c0               | inc                 ecx
            //   7419                 | mov                 eax, 0x12010
            //   488d15730c0100       | dec                 eax
            //   488bc8               | mov                 ecx, ebp
            //   ff15????????         |                     

        $sequence_30 = { e8???????? 85c0 751a 488d15f8110100 41b810200100 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   751a                 | je                  0x25
            //   488d15f8110100       | inc                 ecx
            //   41b810200100         | mov                 esp, 0x314

        $sequence_31 = { 0f8404010000 8b4508 8b8804010000 83c103 8b5508 }
            // n = 5, score = 200
            //   0f8404010000         | je                  4
            //   8b4508               | push                ebx
            //   8b8804010000         | push                ebx
            //   83c103               | push                esi
            //   8b5508               | inc                 ebx

        $sequence_32 = { 5d c3 8b04cdf4314100 5d c3 0544ffffff 6a0e }
            // n = 7, score = 200
            //   5d                   | pop                 esi
            //   c3                   | pop                 ebp
            //   8b04cdf4314100       | push                0
            //   5d                   | call                dword ptr [ebp - 0x24]
            //   c3                   | test                eax, eax
            //   0544ffffff           | je                  0x1a1
            //   6a0e                 | mov                 eax, dword ptr [esi + 0x10]

        $sequence_33 = { 726f 6e 6d 656e 7400 }
            // NOTE(review): these bytes are the NUL-terminated ASCII tail "ronment"
            // (as in "...environment"), not code; the mnemonics below are a
            // disassembly of string data.
            // n = 5, score = 200
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   656e                 | outsb               dx, byte ptr gs:[esi]
            //   7400                 | je                  2

        $sequence_34 = { ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   418d7c24e7           | dec                 esp
            //   85c0                 | lea                 eax, [0x11302]
            //   752a                 | mov                 edx, edi
            //   4c8d0502130100       | dec                 ecx
            //   8bd7                 | mov                 ecx, ebp

        $sequence_35 = { 898a04010000 c7857cffffff00000000 eb0f 8b857cffffff }
            // n = 4, score = 200
            //   898a04010000         | outsb               dx, byte ptr gs:[esi]
            //   c7857cffffff00000000     | je    0xa
            //   eb0f                 | push                0x128
            //   8b857cffffff         | lea                 eax, [ebp - 0x134]

        $sequence_36 = { 8b4df8 83c101 894df8 837df81a 0f8d67010000 }
            // n = 5, score = 200
            //   8b4df8               | outsb               dx, byte ptr [esi]
            //   83c101               | jbe                 0x6b
            //   894df8               | jb                  0x73
            //   837df81a             | outsb               dx, byte ptr [esi]
            //   0f8d67010000         | insd                dword ptr es:[edi], dx

        $sequence_37 = { 41bc14030000 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 }
            // n = 7, score = 200
            //   41bc14030000         | dec                 eax
            //   4c8d0574130100       | sub                 esp, 0x20
            //   488bcd               | mov                 ebx, ecx
            //   418bd4               | dec                 eax
            //   e8????????           |                     
            //   33c9                 | lea                 ecx, [0x10c95]
            //   85c0                 | dec                 eax

        $sequence_38 = { 50 68???????? 8935???????? ff15???????? 8d85d4f4ffff 50 }
            // n = 6, score = 100
            //   50                   | mov                 ecx, dword ptr [ebp - 8]
            //   68????????           |                     
            //   8935????????         |                     
            //   ff15????????         |                     
            //   8d85d4f4ffff         | add                 ecx, 1
            //   50                   | mov                 dword ptr [ebp - 8], ecx

        $sequence_39 = { 8d85d4f4ffff 50 ff15???????? 6804010000 8d85f0feffff }
            // n = 5, score = 100
            //   8d85d4f4ffff         | mov                 ecx, dword ptr [eax + 0x104]
            //   50                   | add                 ecx, 3
            //   ff15????????         |                     
            //   6804010000           | mov                 edx, dword ptr [ebp + 8]
            //   8d85f0feffff         | mov                 eax, dword ptr [ebp - 8]

        $sequence_40 = { 83c438 40 5f 5e 5d }
            // n = 5, score = 100
            //   83c438               | arpl                word ptr [ebx + 0x73], sp
            //   40                   | jbe                 0x78
            //   5f                   | push                0x652e7473
            //   5e                   | js                  0x6c
            //   5d                   | jb                  0x71

        $sequence_41 = { 83c408 8d95f0feffff 8bce e8???????? 83c404 }
            // n = 5, score = 100
            //   83c408               | mov                 ecx, dword ptr [ebp - 4]
            //   8d95f0feffff         | mov                 dword ptr [eax + 0x20], ecx
            //   8bce                 | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   83c404               | add                 edx, 8

        $sequence_42 = { 7411 50 ff15???????? c705????????00000000 e8???????? 85c0 }
            // n = 6, score = 100
            //   7411                 | cmp                 dword ptr [ebp - 8], 0x1a
            //   50                   | jge                 0x174
            //   ff15????????         |                     
            //   c705????????00000000     |     
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [edx + 0x104], ecx

        $sequence_43 = { 0f85a5000000 8d85b8feffff 50 ff15???????? 0fb785c4feffff 50 }
            // n = 6, score = 100
            //   0f85a5000000         | mov                 ecx, dword ptr [ebp - 0xb3c]
            //   8d85b8feffff         | imul                ecx, ecx, 3
            //   50                   | mov                 dword ptr [ebp - 0x64], ecx
            //   ff15????????         |                     
            //   0fb785c4feffff       | je                  0x10a
            //   50                   | mov                 eax, dword ptr [ebp + 8]

        $sequence_44 = { 8b4f08 49 8b5710 e8???????? 41 }
            // n = 5, score = 100
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   49                   | dec                 ecx
            //   8b5710               | mov                 edx, dword ptr [edi + 0x10]
            //   e8????????           |                     
            //   41                   | inc                 ecx

        $sequence_45 = { ff15???????? 83c40c 8d45dc 50 ff15???????? 8bf0 85f6 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83c40c               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8d45dc               | mov                 edx, dword ptr [ecx + 0x24]
            //   50                   | add                 edx, 1
            //   ff15????????         |                     
            //   8bf0                 | mov                 eax, dword ptr [ebp - 0xc]
            //   85f6                 | mov                 dword ptr [eax + 0x24], edx

        $sequence_46 = { 48 8d542450 c70238020000 ffd3 }
            // NOTE(review): 48 is a REX.W prefix in 64-bit code; the "dec eax"
            // annotation below results from decoding the bytes in 32-bit mode.
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   8d542450             | lea                 edx, [esp + 0x50]
            //   c70238020000         | mov                 dword ptr [edx], 0x238
            //   ffd3                 | call                ebx

        $sequence_47 = { a3???????? 33c0 5e 8b4dfc }
            // n = 4, score = 100
            //   a3????????           |                     
            //   33c0                 | mov                 dword ptr [ebp - 0x84], 0
            //   5e                   | jmp                 0x1b
            //   8b4dfc               | mov                 eax, dword ptr [ebp - 0x84]

        $sequence_48 = { 4c 89e1 03d0 e8???????? eb0b 4c }
            // n = 6, score = 100
            //   4c                   | dec                 esp
            //   89e1                 | mov                 ecx, esp
            //   03d0                 | add                 edx, eax
            //   e8????????           |                     
            //   eb0b                 | jmp                 0xd
            //   4c                   | dec                 esp

        $sequence_49 = { 6a00 ff55dc 85c0 0f8496010000 }
            // n = 4, score = 100
            //   6a00                 | outsb               dx, byte ptr [esi]
            //   ff55dc               | insd                dword ptr es:[edi], dx
            //   85c0                 | outsb               dx, byte ptr gs:[esi]
            //   0f8496010000         | je                  5

    condition:
        // Require several independent sequences and bound the file size so that
        // the low-information sequences (padding, ASCII fragments) cannot
        // trigger the rule on their own and large unrelated files are skipped.
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    // Hand-written rule keyed on MSVC RTTI type-descriptor names (".?AV...@@")
    // of the sample's C++ classes, with the import hash as an alternative path.
    // Requires the "pe" module (imported at file level) for pe.imphash().
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Fragment of generic MSVC RTTI text ("... Class Descriptor at (");
        // likely present in many RTTI-enabled C++ binaries, so it adds little
        // on its own -- the class-name strings below carry the discrimination.
        $rtti_descr    = "e Class Descriptor at (" fullword ascii
        // RTTI type descriptors of the sample's own classes.
        $cls_aaf_real  = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $cls_aaf_base  = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $cls_abin_real = ".?AVCAppleBinRealClass@@" fullword ascii
        $cls_abin_base = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // MZ header and size bound first, then either the known import hash
        // or four of the five strings (i.e. at least three class names).
        uint16(0) == 0x5a4d
        and filesize < 300KB
        and (
            pe.imphash() == "897077ca318eaf629cfe74569f10e023"
            or 4 of ($rtti*, $cls*)
        )
}