SYMBOLCOMMON_NAMEaka. SYNONYMS
win.microcin (Back to overview)

Microcin

There is no description at this point.

References
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18Github (dlegezo)Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2017-11-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Microcin
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20210616 | Detects win.microcin.)
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 4, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | lea                 eax, dword ptr [ebp - 0x158]
            //   50                   | push                eax
            //   ffd3                 | call                ebx

        $sequence_1 = { 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff }
            // n = 5, score = 400
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]

        $sequence_2 = { 4863c8 c6840d8002000068 488d8d80020000 ff15???????? 4863c8 c6840d8002000077 }
            // n = 6, score = 400
            //   4863c8               | xor                 ecx, esp
            //   c6840d8002000068     | dec                 eax
            //   488d8d80020000       | mov                 ebx, dword ptr [esp + 0x2d8]
            //   ff15????????         |                     
            //   4863c8               | dec                 eax
            //   c6840d8002000077     | add                 esp, 0x2c0

        $sequence_3 = { 8d45ac 50 6801000080 ff15???????? 85c0 }
            // n = 5, score = 400
            //   8d45ac               | lea                 eax, dword ptr [ebp - 0x54]
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { ffd3 85c0 7e18 80bc35a8feffff3a }
            // n = 4, score = 400
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a

        $sequence_5 = { 68ffff0000 56 8b35???????? ffd6 }
            // n = 4, score = 400
            //   68ffff0000           | push                0xffff
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        $sequence_6 = { 7422 03d8 3bdf 741c }
            // n = 4, score = 400
            //   7422                 | je                  0x24
            //   03d8                 | add                 ebx, eax
            //   3bdf                 | cmp                 ebx, edi
            //   741c                 | je                  0x1e

        $sequence_7 = { 7e18 80bc35a8feffff3a 741f 8d85a8feffff }
            // n = 4, score = 400
            //   7e18                 | jle                 0x1a
            //   80bc35a8feffff3a     | cmp                 byte ptr [ebp + esi - 0x158], 0x3a
            //   741f                 | je                  0x21
            //   8d85a8feffff         | lea                 eax, dword ptr [ebp - 0x158]

        $sequence_8 = { 488903 48894308 488b0d???????? ff15???????? 4885c0 742b 488b4018 }
            // n = 7, score = 400
            //   488903               | mov                 byte ptr [ebp + ecx + 0x280], 0x77
            //   48894308             | dec                 eax
            //   488b0d????????       |                     
            //   ff15????????         |                     
            //   4885c0               | add                 esp, 0x600
            //   742b                 | inc                 ecx
            //   488b4018             | pop                 edi

        $sequence_9 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_10 = { ff15???????? 8b3d???????? 8d85e0feffff 50 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   8d85e0feffff         | lea                 eax, dword ptr [ebp - 0x120]
            //   50                   | push                eax

        $sequence_11 = { ff15???????? 85c0 740c 488bd7 488bcb }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   740c                 | lea                 ecx, dword ptr [ebp + 0x280]
            //   488bd7               | dec                 eax
            //   488bcb               | arpl                ax, cx

        $sequence_12 = { 4833cc e8???????? 488b9c24d8020000 4881c4c0020000 }
            // n = 4, score = 400
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   488b9c24d8020000     | lea                 ecx, dword ptr [ebp + 0x280]
            //   4881c4c0020000       | dec                 eax

        $sequence_13 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000075 488d8d80020000 ff15???????? 4863c8 }
            // n = 7, score = 400
            //   488d8d80020000       | dec                 eax
            //   ff15????????         |                     
            //   4863c8               | lea                 ecx, dword ptr [ebp + 0x280]
            //   c6840d8002000075     | dec                 eax
            //   488d8d80020000       | arpl                ax, cx
            //   ff15????????         |                     
            //   4863c8               | mov                 byte ptr [ebp + ecx + 0x280], 0x75

        $sequence_14 = { e8???????? 488905???????? 33c9 488908 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   488905????????       |                     
            //   33c9                 | arpl                ax, cx
            //   488908               | dec                 eax

        $sequence_15 = { 4881c400060000 415f 415e 415c 5f 5e }
            // n = 6, score = 400
            //   4881c400060000       | xor                 ecx, ecx
            //   415f                 | dec                 eax
            //   415e                 | mov                 dword ptr [eax], ecx
            //   415c                 | dec                 eax
            //   5f                   | arpl                ax, cx
            //   5e                   | mov                 byte ptr [ebp + ecx + 0x280], 0x68

        $sequence_16 = { 0345f8 8b4df0 890c85003c4100 eb14 }
            // n = 4, score = 200
            //   0345f8               | push                esi
            //   8b4df0               | mov                 ecx, dword ptr [eax + 0xf0]
            //   890c85003c4100       | push                edi
            //   eb14                 | mov                 dword ptr [ebp - 4], ecx

        $sequence_17 = { 85c0 751a 488d15f8110100 41b810200100 488bcd e8???????? }
            // n = 6, score = 200
            //   85c0                 | mov                 ebx, ecx
            //   751a                 | dec                 eax
            //   488d15f8110100       | lea                 ecx, dword ptr [0x10c95]
            //   41b810200100         | dec                 eax
            //   488bcd               | test                eax, eax
            //   e8????????           |                     

        $sequence_18 = { 8b45e4 c700???????? c745fc6c6c0000 c745f46d737664 }
            // n = 4, score = 200
            //   8b45e4               | mov                 ecx, dword ptr [eax + 0xec]
            //   c700????????         |                     
            //   c745fc6c6c0000       | push                0x1c
            //   c745f46d737664       | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_19 = { 52 ff15???????? 6a06 ff15???????? }
            // n = 4, score = 200
            //   52                   | lea                 esi, dword ptr [edi + 0x3c]
            //   ff15????????         |                     
            //   6a06                 | push                edi
            //   ff15????????         |                     

        $sequence_20 = { 8b4508 8945fc 8b4dfc 030d???????? 894dfc }
            // n = 5, score = 200
            //   8b4508               | cli                 
            //   8945fc               | cli                 
            //   8b4dfc               | jae                 0x72
            //   030d????????         |                     
            //   894dfc               | imul                esp, dword ptr [ebp + 0x72], 0x6e656761

        $sequence_21 = { e8???????? 4c8d05b7120100 41b903000000 488d4c45bc }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4c8d05b7120100       | add                 eax, dword ptr [ebp - 0x2084]
            //   41b903000000         | mov                 ecx, dword ptr [ebp - 0x2088]
            //   488d4c45bc           | imul                ecx, ecx, 0x68

        $sequence_22 = { 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 }
            // n = 6, score = 200
            //   4c8d0502130100       | mov                 eax, dword ptr [ebp - 0x1c]
            //   8bd7                 | mov                 dword ptr [ebp - 4], 0x6c6c
            //   498bcd               | mov                 dword ptr [ebp - 0xc], 0x6476736d
            //   e8????????           |                     
            //   85c0                 | sar                 eax, cl
            //   7415                 | and                 edx, eax

        $sequence_23 = { 49 53 53 56 43 }
            // n = 5, score = 200
            //   49                   | dec                 ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   43                   | inc                 ebx

        $sequence_24 = { d3f8 23d0 0fb6450c 0fb675ff }
            // n = 4, score = 200
            //   d3f8                 | mov                 eax, dword ptr [ebp + 8]
            //   23d0                 | mov                 dword ptr [ebp - 4], eax
            //   0fb6450c             | mov                 ecx, dword ptr [ebp - 4]
            //   0fb675ff             | mov                 dword ptr [ebp - 4], ecx

        $sequence_25 = { 83c101 898d7cdfffff 8b95c4f4ffff 83ea01 39957cdfffff 0f8dbd000000 }
            // n = 6, score = 200
            //   83c101               | je                  0x38
            //   898d7cdfffff         | js                  0x72
            //   8b95c4f4ffff         | push                ebx
            //   83ea01               | push                ebx
            //   39957cdfffff         | push                esi
            //   0f8dbd000000         | inc                 ebx

        $sequence_26 = { 726f 6e 6d 656e }
            // n = 4, score = 200
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   656e                 | outsb               dx, byte ptr gs:[esi]

        $sequence_27 = { 89849578feffff ebc7 e9???????? 8b4d08 8b9104010000 52 ff15???????? }
            // n = 7, score = 200
            //   89849578feffff       | push                0x128
            //   ebc7                 | lea                 eax, dword ptr [ebp - 0x134]
            //   e9????????           |                     
            //   8b4d08               | push                0
            //   8b9104010000         | push                eax
            //   52                   | mov                 edi, dword ptr [ebp + 8]
            //   ff15????????         |                     

        $sequence_28 = { 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 }
            // n = 6, score = 200
            //   4c8d0574130100       | mov                 edx, edi
            //   488bcd               | dec                 ecx
            //   418bd4               | mov                 ecx, ebp
            //   e8????????           |                     
            //   33c9                 | dec                 eax
            //   85c0                 | sub                 esp, 0x20

        $sequence_29 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | arpl                word ptr [ebx + 0x73], sp
            //   7673                 | jbe                 0x75
            //   6873742e65           | push                0x652e7473
            //   7865                 | js                  0x67

        $sequence_30 = { e8???????? cc 4c8d056c120100 498bd4 488bcd }
            // n = 5, score = 200
            //   e8????????           |                     
            //   cc                   | test                eax, eax
            //   4c8d056c120100       | jne                 0x2e
            //   498bd4               | dec                 esp
            //   488bcd               | lea                 eax, dword ptr [0x11302]

        $sequence_31 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | pop                 edi
            //   8d85ccfeffff         | pop                 esi
            //   6a00                 | test                eax, eax
            //   50                   | je                  0xe

        $sequence_32 = { 6e 7669 726f 6e }
            // n = 4, score = 200
            //   6e                   | outsb               dx, byte ptr [esi]
            //   7669                 | jbe                 0x6b
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]

        $sequence_33 = { fa fa fa fa fa fa }
            // n = 6, score = 200
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 

        $sequence_34 = { 4c8bc3 498bd4 488bcd e8???????? 85c0 751a 488d15f8110100 }
            // n = 7, score = 200
            //   4c8bc3               | push                edx
            //   498bd4               | push                6
            //   488bcd               | add                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, dword ptr [ebp - 0x10]
            //   751a                 | mov                 dword ptr [eax*4 + 0x413c00], ecx
            //   488d15f8110100       | jmp                 0x1d

        $sequence_35 = { 0f8dbd000000 8b8578dfffff 03857cdfffff 8b8d78dfffff 6bc968 }
            // n = 5, score = 200
            //   0f8dbd000000         | add                 ecx, 1
            //   8b8578dfffff         | mov                 dword ptr [ebp - 0x2084], ecx
            //   03857cdfffff         | mov                 edx, dword ptr [ebp - 0xb3c]
            //   8b8d78dfffff         | sub                 edx, 1
            //   6bc968               | cmp                 dword ptr [ebp - 0x2084], edx

        $sequence_36 = { 85c0 752a 4c8d0502130100 8bd7 498bcd }
            // n = 5, score = 200
            //   85c0                 | mov                 ecx, ebp
            //   752a                 | test                eax, eax
            //   4c8d0502130100       | jne                 0x21
            //   8bd7                 | dec                 eax
            //   498bcd               | lea                 edx, dword ptr [0x111f8]

        $sequence_37 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | jae                 0x72
            //   696465726167656e     | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   742e                 | je                  0x30
            //   657865               | js                  0x68

        $sequence_38 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 7419 488d15730c0100 }
            // n = 7, score = 200
            //   4883ec20             | lea                 eax, dword ptr [eax*2 + 0x413e64]
            //   8bd9                 | dec                 esp
            //   488d0d950c0100       | mov                 eax, ebx
            //   ff15????????         |                     
            //   4885c0               | dec                 ecx
            //   7419                 | mov                 edx, esp
            //   488d15730c0100       | dec                 eax

        $sequence_39 = { 8d85f0feffff 50 ffb59cfcffff ff15???????? }
            // n = 4, score = 100
            //   8d85f0feffff         | test                eax, eax
            //   50                   | je                  0x34
            //   ffb59cfcffff         | dec                 eax
            //   ff15????????         |                     

        $sequence_40 = { 50 660f7f45d0 660fd645e0 c745e800000000 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   660f7f45d0           | push                eax
            //   660fd645e0           | add                 esp, 0xc
            //   c745e800000000       | lea                 eax, dword ptr [ebp - 0x134]

        $sequence_41 = { 50 e8???????? 83c40c 8d85ccfeffff 50 56 }
            // n = 6, score = 100
            //   50                   | dec                 eax
            //   e8????????           |                     
            //   83c40c               | mov                 edx, edi
            //   8d85ccfeffff         | dec                 eax
            //   50                   | mov                 ecx, ebx
            //   56                   | dec                 eax

        $sequence_42 = { 8b7d08 8d773c 57 56 }
            // n = 4, score = 100
            //   8b7d08               | outsb               dx, byte ptr [esi]
            //   8d773c               | insd                dword ptr es:[edi], dx
            //   57                   | jbe                 0x6b
            //   56                   | jb                  0x71

        $sequence_43 = { c3 6a08 68???????? e8???????? 8b7508 c7465cf8814000 }
            // n = 6, score = 100
            //   c3                   | mov                 dword ptr [ebx], eax
            //   6a08                 | dec                 eax
            //   68????????           |                     
            //   e8????????           |                     
            //   8b7508               | mov                 dword ptr [ebx + 8], eax
            //   c7465cf8814000       | dec                 eax

        $sequence_44 = { 0fb785bafeffff 50 0f57c0 8d45d0 68???????? 50 660f7f45d0 }
            // n = 7, score = 100
            //   0fb785bafeffff       | push                eax
            //   50                   | push                esi
            //   0f57c0               | ret                 
            //   8d45d0               | push                8
            //   68????????           |                     
            //   50                   | mov                 esi, dword ptr [ebp + 8]
            //   660f7f45d0           | mov                 dword ptr [esi + 0x5c], 0x4081f8

        $sequence_45 = { ebe8 8975e0 81fe00010000 7d10 8a841e19010000 8886a8d54000 46 }
            // n = 7, score = 100
            //   ebe8                 | mov                 eax, dword ptr [eax + 0x18]
            //   8975e0               | dec                 eax
            //   81fe00010000         | xor                 eax, esp
            //   7d10                 | dec                 eax
            //   8a841e19010000       | mov                 dword ptr [ebp + 0x4f0], eax
            //   8886a8d54000         | inc                 ebp
            //   46                   | xor                 eax, eax

        $sequence_46 = { 8d9548030000 41 ffd4 48 89f2 48 8d8d4c040000 }
            // n = 7, score = 100
            //   8d9548030000         | lea                 edx, dword ptr [ebp + 0x348]
            //   41                   | inc                 ecx
            //   ffd4                 | call                esp
            //   48                   | dec                 eax
            //   89f2                 | mov                 edx, esi
            //   48                   | dec                 eax
            //   8d8d4c040000         | lea                 ecx, dword ptr [ebp + 0x44c]

        $sequence_47 = { b888000000 48 034528 8b00 894504 b88c000000 48 }
            // n = 7, score = 100
            //   b888000000           | mov                 eax, 0x88
            //   48                   | dec                 eax
            //   034528               | add                 eax, dword ptr [ebp + 0x28]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894504               | mov                 dword ptr [ebp + 4], eax
            //   b88c000000           | mov                 eax, 0x8c
            //   48                   | dec                 eax

        $sequence_48 = { e8???????? 83c40c 8d85c8feffff 68???????? 50 ff15???????? 8d85c8feffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | mov                 edi, edx
            //   8d85c8feffff         | push                0x128
            //   68????????           |                     
            //   50                   | lea                 eax, dword ptr [ebp - 0x134]
            //   ff15????????         |                     
            //   8d85c8feffff         | push                0

    condition:
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "e Class Descriptor at (" fullword ascii
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}
Download all Yara Rules