
Microcin


There is no description at this point.

References
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:c832dc1, author = {Denis Legezo}, title = {{Microcin is here}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353}, language = {English}, urldate = {2022-07-25} } Microcin is here
Microcin Vicious Panda
2020-06-19Kaspersky LabsDenis Legezo
@online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock
Microcin
2020-05-18Github (dlegezo)Denis Legezo
@online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } Microcin Decryptor
Microcin
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:7b94cc6, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia}, language = {English}, urldate = {2022-07-25} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:3e541ad, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia}, language = {English}, urldate = {2022-07-25} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
Microcin Vicious Panda
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin
2020-05-14ESET ResearchPeter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2017-11-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE
Microcin Vicious Panda
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:fced582, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636}, language = {English}, urldate = {2022-08-26} } A simple example of a complex cyberattack
Microcin Vicious Panda
2017-09-25Kaspersky LabsVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin
@online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } A simple example of a complex cyberattack
Microcin
Yara Rules
[TLP:WHITE] win_microcin_auto (20220808 | Detects win.microcin.)
/*
 * win_microcin_auto — autogenerated code-sequence rule for the Microcin
 * family (meta block and generator DISCLAIMER below).
 *
 * Each $sequence_N is a run of raw opcode bytes lifted from disassembled
 * samples. "??" is a YARA hex-string wildcard matching any single byte; the
 * generator uses it for relocated call/jump targets and absolute data
 * addresses (e8????????, ff15????????, 8b05????????), so the sequence still
 * matches after the binary is rebased. The "n = …, score = …" lines are
 * comments only: n is the number of opcodes in the sequence, score is
 * presumably the generator's ranking weight; YARA ignores both.
 *
 * NOTE(review): the per-opcode disassembly column is a generator artefact
 * and in many sequences does not correspond to the hex on the same line
 * (e.g. $sequence_0 annotates 4833c4 as "mov esi, eax", which is 8bf0).
 * Sequences starting with 48/4c/41/49 are REX-prefixed x64 code; the
 * annotation appears to decode them in 32-bit mode, which is where the
 * stray "dec eax" / "inc ecx" lines come from. A few sequences are data
 * bytes rather than code (see $sequence_23, _26, _34). When reviewing what
 * this rule matches, read the hex, not the mnemonics.
 */
rule win_microcin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.microcin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_15 carry score 400, _16 .. _37 score 200,
        // _38 .. _49 score 100 (informational only; the condition weights
        // every sequence equally).
        $sequence_0 = { 488b05???????? 4833c4 488985b0010000 488bd9 488d4c2458 }
            // n = 5, score = 400
            //   488b05????????       |                     
            //   4833c4               | mov                 esi, eax
            //   488985b0010000       | lea                 eax, [ebp - 0x318]
            //   488bd9               | push                0
            //   488d4c2458           | push                eax

        $sequence_1 = { ff15???????? 4863c8 807c0c5f5c 7413 488d4c2460 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4863c8               | add                 esp, 0xc
            //   807c0c5f5c           | lea                 eax, [esp + 0x58]
            //   7413                 | push                eax
            //   488d4c2460           | push                0x30

        $sequence_2 = { 50 6805100000 68ffff0000 56 8b35???????? ffd6 }
            // n = 6, score = 400
            //   50                   | mov                 byte ptr [ebp + ecx + 0x280], 0x33
            //   6805100000           | dec                 eax
            //   68ffff0000           | lea                 ecx, [ebp + 0x280]
            //   56                   | dec                 eax
            //   8b35????????         |                     
            //   ffd6                 | lea                 ecx, [ebp - 0x70]

        $sequence_3 = { 83c40c 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff }
            // n = 6, score = 400
            //   83c40c               | dec                 ecx
            //   8d85f8feffff         | mov                 ecx, dword ptr [esi]
            //   6804010000           | inc                 esp
            //   50                   | mov                 eax, edi
            //   ff15????????         |                     
            //   8d85f8feffff         | dec                 eax

        $sequence_4 = { e8???????? 488d4de0 e9???????? 488d542430 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   488d4de0             | lea                 eax, [esp + 0x10]
            //   e9????????           |                     
            //   488d542430           | sar                 esi, 1

        $sequence_5 = { 7422 03d8 3bdf 741c 498b0e 448bc7 4863d3 }
            // n = 7, score = 400
            //   7422                 | push                0
            //   03d8                 | push                eax
            //   3bdf                 | lea                 eax, [esp + 0x10]
            //   741c                 | push                eax
            //   498b0e               | push                esi
            //   448bc7               | push                0x10000003
            //   4863d3               | push                edi

        $sequence_6 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff 46 50 }
            // n = 7, score = 400
            //   85c0                 | arpl                bx, dx
            //   7e18                 | dec                 eax
            //   80bc35a8feffff3a     | mov                 ecx, ebx
            //   741f                 | dec                 eax
            //   8d85a8feffff         | mov                 ecx, dword ptr [ebp + 0x1b0]
            //   46                   | dec                 eax
            //   50                   | xor                 ecx, esp

        $sequence_7 = { 897e04 5b 5f 5e 5d c20400 55 }
            // n = 7, score = 400
            //   897e04               | dec                 eax
            //   5b                   | lea                 ecx, [ebp + 0xa0]
            //   5f                   | mov                 byte ptr [ebp + ecx + 0x280], 0x34
            //   5e                   | dec                 eax
            //   5d                   | lea                 ecx, [ebp + 0x280]
            //   c20400               | dec                 eax
            //   55                   | arpl                ax, cx

        $sequence_8 = { 8b1d???????? 8d85a8feffff 50 ffd3 }
            // n = 4, score = 400
            //   8b1d????????         |                     
            //   8d85a8feffff         | test                eax, eax
            //   50                   | jle                 0x1e
            //   ffd3                 | cmp                 byte ptr [ebp + esi - 0x158], 0x3a

        $sequence_9 = { 8d45ac 50 6801000080 ff15???????? 85c0 }
            // n = 5, score = 400
            //   8d45ac               | mov                 dword ptr [esp + 0x48], 0x41457349
            //   50                   | xor                 edx, edx
            //   6801000080           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 ebx, eax

        $sequence_10 = { 33d2 488bd8 ff15???????? 488d8da0000000 }
            // n = 4, score = 400
            //   33d2                 | xor                 eax, esp
            //   488bd8               | mov                 dword ptr [esp + 0x14], eax
            //   ff15????????         |                     
            //   488d8da0000000       | mov                 ecx, dword ptr [ebp + 0xc]

        // Three "mov dword ptr [rsp+disp8], imm32" stores (c7 44 24 xx imm32).
        // The immediates are printable ASCII when read as little-endian bytes
        // ("Lw3s", "1gMZ", "IsEA"), which looks like a stack-built string —
        // TODO confirm against a sample before relying on that reading.
        $sequence_11 = { 7515 c74424484c773373 c744244c31674d5a e9???????? c744244849734541 }
            // n = 5, score = 400
            //   7515                 | push                eax
            //   c74424484c773373     | call                ebx
            //   c744244c31674d5a     | and                 esp, 0xfffffff8
            //   e9????????           |                     
            //   c744244849734541     | sub                 esp, 0x18

        // c6840d8002000077 is "mov byte ptr [rbp+rcx+0x280], 0x77" ('w'): a
        // one-character-at-a-time buffer fill; the annotations of _2, _7 and
        // _14 show the same store with other characters.
        $sequence_12 = { 4863c8 c6840d8002000077 488d8d80020000 ff15???????? }
            // n = 4, score = 400
            //   4863c8               | push                ecx
            //   c6840d8002000077     | push                esi
            //   488d8d80020000       | push                0x208
            //   ff15????????         |                     

        $sequence_13 = { 488bcb ff15???????? 488b8db0010000 4833cc }
            // n = 4, score = 400
            //   488bcb               | ret                 0x10
            //   ff15????????         |                     
            //   488b8db0010000       | push                edi
            //   4833cc               | push                dword ptr [ebp + 0x10]

        $sequence_14 = { 50 ffd3 85c0 7e18 80bc35a8feffff3a }
            // n = 5, score = 400
            //   50                   | dec                 eax
            //   ffd3                 | arpl                ax, cx
            //   85c0                 | mov                 byte ptr [ebp + ecx + 0x280], 0x77
            //   7e18                 | dec                 eax
            //   80bc35a8feffff3a     | lea                 ecx, [ebp + 0x280]

        $sequence_15 = { ff15???????? 85c0 7426 8b400c }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | je                  0x2b
            //   7426                 | push                eax
            //   8b400c               | push                esi

        $sequence_16 = { 4889742420 e8???????? cc 4c8d056c120100 }
            // n = 4, score = 200
            //   4889742420           | dec                 eax
            //   e8????????           |                     
            //   cc                   | sub                 esp, 0x20
            //   4c8d056c120100       | mov                 ebx, ecx

        $sequence_17 = { 6a00 8b4d14 51 68???????? }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   51                   | push                ecx
            //   68????????           |                     

        $sequence_18 = { 8bec 83ec10 56 57 c745f400000000 eb09 }
            // n = 6, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   56                   | push                esi
            //   57                   | push                edi
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb09                 | jmp                 0xb

        $sequence_19 = { 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 4533c9 }
            // n = 7, score = 200
            //   4c8d0502130100       | lea                 edx, [0x111f8]
            //   8bd7                 | inc                 ecx
            //   498bcd               | mov                 eax, 0x12010
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7415                 | mov                 ecx, ebp
            //   4533c9               | dec                 esp

        $sequence_20 = { 4883f83c 7647 498bcd e8???????? 4c8d05b7120100 }
            // n = 5, score = 200
            //   4883f83c             | jne                 0x1c
            //   7647                 | dec                 eax
            //   498bcd               | lea                 edx, [0x111f8]
            //   e8????????           |                     
            //   4c8d05b7120100       | inc                 ecx

        $sequence_21 = { 6828010000 8d85ccfeffff 6a00 50 }
            // n = 4, score = 200
            //   6828010000           | push                0x128
            //   8d85ccfeffff         | lea                 eax, [ebp - 0x134]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_22 = { 8b45f4 0345f8 83f831 0f858e000000 }
            // n = 4, score = 200
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0345f8               | add                 eax, dword ptr [ebp - 8]
            //   83f831               | cmp                 eax, 0x31
            //   0f858e000000         | jne                 0x94

        // Data, not code: these 12 bytes are the ASCII text "ccsvshst.exe"
        // (presumably a fragment of a longer filename string). The mnemonics
        // below are meaningless for such bytes.
        $sequence_23 = { 636373 7673 6873742e65 7865 }
            // n = 4, score = 200
            //   636373               | arpl                word ptr [ebx + 0x73], sp
            //   7673                 | jbe                 0x75
            //   6873742e65           | push                0x652e7473
            //   7865                 | js                  0x67

        $sequence_24 = { 418d5001 e9???????? 4053 4883ec20 8bd9 }
            // n = 5, score = 200
            //   418d5001             | inc                 ecx
            //   e9????????           |                     
            //   4053                 | lea                 edx, [eax + 1]
            //   4883ec20             | inc                 eax
            //   8bd9                 | push                ebx

        $sequence_25 = { eb0e 8b550c 0fb602 83c001 8b4d0c }
            // n = 5, score = 200
            //   eb0e                 | jmp                 0x10
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   83c001               | add                 eax, 1
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        // Data, not code: these 15 bytes are the ASCII text "spideragent.exe".
        // A plain process/file-name string embedded in the sample; treat it as
        // a string match, not a code-pattern match.
        $sequence_26 = { 7370 696465726167656e 742e 657865 }
            // n = 4, score = 200
            //   7370                 | jae                 0x72
            //   696465726167656e     | imul                esp, dword ptr [ebp + 0x72], 0x6e656761
            //   742e                 | je                  0x30
            //   657865               | js                  0x68

        $sequence_27 = { 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 498bcd }
            // n = 6, score = 200
            //   418d7c24e7           | inc                 eax
            //   85c0                 | push                ebx
            //   752a                 | dec                 eax
            //   4c8d0502130100       | sub                 esp, 0x20
            //   8bd7                 | mov                 ebx, ecx
            //   498bcd               | test                eax, eax

        // Contains an absolute 32-bit address (0x413c00) that is NOT
        // wildcarded, so this sequence only matches a build with that exact
        // image base / layout.
        $sequence_28 = { 8b4df0 890c85003c4100 eb14 8b5514 }
            // n = 4, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   890c85003c4100       | mov                 dword ptr [eax*4 + 0x413c00], ecx
            //   eb14                 | jmp                 0x16
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_29 = { 8945f8 817df8c8000000 7d44 c745f400000000 }
            // n = 4, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   817df8c8000000       | cmp                 dword ptr [ebp - 8], 0xc8
            //   7d44                 | jge                 0x46
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0

        $sequence_30 = { 6a00 8b550c 52 68???????? 6a00 6a00 ff15???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   52                   | push                edx
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_31 = { 85c0 751a 488d15f8110100 41b810200100 }
            // n = 4, score = 200
            //   85c0                 | inc                 ebp
            //   751a                 | xor                 eax, eax
            //   488d15f8110100       | inc                 ecx
            //   41b810200100         | lea                 edx, [eax + 1]

        // Five single-byte opcodes (49 53 53 56 43). Very short and generic;
        // on its own it adds little selectivity.
        $sequence_32 = { 49 53 53 56 43 }
            // n = 5, score = 200
            //   49                   | dec                 ecx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   43                   | inc                 ebx

        $sequence_33 = { 488d15f8110100 41b810200100 488bcd e8???????? }
            // n = 4, score = 200
            //   488d15f8110100       | test                eax, eax
            //   41b810200100         | jne                 0x1e
            //   488bcd               | dec                 eax
            //   e8????????           |                     

        // Data, not code: the bytes are the ASCII text "nvironment" followed by
        // a NUL terminator — the tail of a longer string (presumably
        // "Environment"; confirm against a sample).
        $sequence_34 = { 6e 7669 726f 6e 6d 656e 7400 }
            // n = 7, score = 200
            //   6e                   | outsb               dx, byte ptr [esi]
            //   7669                 | jbe                 0x6b
            //   726f                 | jb                  0x71
            //   6e                   | outsb               dx, byte ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   656e                 | outsb               dx, byte ptr gs:[esi]
            //   7400                 | je                  2

        // Six identical 0xfa bytes (cli). A low-information padding-like
        // pattern; expect it to match unrelated files too. It still counts as
        // only one of the "7 of them" required below.
        $sequence_35 = { fa fa fa fa fa fa }
            // n = 6, score = 200
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 
            //   fa                   | cli                 

        $sequence_36 = { 898c9578feffff 8b857cffffff 8b4c8584 83e901 8b957cffffff 894c9584 }
            // n = 6, score = 200
            //   898c9578feffff       | mov                 dword ptr [ebp + edx*4 - 0x188], ecx
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   8b4c8584             | mov                 ecx, dword ptr [ebp + eax*4 - 0x7c]
            //   83e901               | sub                 ecx, 1
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]
            //   894c9584             | mov                 dword ptr [ebp + edx*4 - 0x7c], ecx

        $sequence_37 = { e8???????? 4c8d05b7120100 41b903000000 488d4c45bc }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4c8d05b7120100       | dec                 esp
            //   41b903000000         | lea                 eax, [0x11302]
            //   488d4c45bc           | mov                 edx, edi

        $sequence_38 = { 83e4f8 83ec18 a1???????? 33c4 89442414 8b4d0c 56 }
            // n = 7, score = 100
            //   83e4f8               | jge                 0x4d
            //   83ec18               | mov                 dword ptr [ebp - 0xc], 0
            //   a1????????           |                     
            //   33c4                 | mov                 byte ptr [ebp - 9], dl
            //   89442414             | lea                 eax, [ebp - 0xc]
            //   8b4d0c               | push                eax
            //   56                   | mov                 dword ptr [ebp - 0x18], eax

        $sequence_39 = { ff743810 ff45dc 8d85c0fdffff 50 }
            // n = 4, score = 100
            //   ff743810             | push                dword ptr [eax + edi + 0x10]
            //   ff45dc               | inc                 dword ptr [ebp - 0x24]
            //   8d85c0fdffff         | lea                 eax, [ebp - 0x240]
            //   50                   | push                eax

        // Like $sequence_28, this embeds a non-wildcarded absolute address
        // (0x40a2e0) and is therefore tied to one specific build.
        $sequence_40 = { d1fe 6a55 ff34f5e0a24000 ff7508 }
            // n = 4, score = 100
            //   d1fe                 | push                0
            //   6a55                 | mov                 edx, dword ptr [ebp + 0xc]
            //   ff34f5e0a24000       | push                edx
            //   ff7508               | push                0

        $sequence_41 = { c7470405000000 ff7614 e8???????? 83c414 5b 85c0 }
            // n = 6, score = 100
            //   c7470405000000       | mov                 dword ptr [edi + 4], 5
            //   ff7614               | push                dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   5b                   | pop                 ebx
            //   85c0                 | test                eax, eax

        $sequence_42 = { 56 ff15???????? 6808020000 8bf0 8d85e8fcffff 6a00 50 }
            // n = 7, score = 100
            //   56                   | jne                 0x9a
            //   ff15????????         |                     
            //   6808020000           | push                0
            //   8bf0                 | mov                 ecx, dword ptr [ebp + 0x14]
            //   8d85e8fcffff         | push                ecx
            //   6a00                 | push                0
            //   50                   | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_43 = { 8d442410 50 56 6803000010 57 }
            // n = 5, score = 100
            //   8d442410             | mov                 dword ptr [ebp - 0xc], 0
            //   50                   | jmp                 0x14
            //   56                   | mov                 ecx, dword ptr [ebp - 0x10]
            //   6803000010           | mov                 dword ptr [eax*4 + 0x413c00], ecx
            //   57                   | jmp                 0x16

        $sequence_44 = { 85c0 7420 83f8ff 7412 8d44243c 50 ffd3 }
            // n = 7, score = 100
            //   85c0                 | jmp                 0x10
            //   7420                 | mov                 edx, dword ptr [ebp + 0xc]
            //   83f8ff               | movzx               eax, byte ptr [edx]
            //   7412                 | add                 eax, 1
            //   8d44243c             | mov                 ecx, dword ptr [ebp + 0xc]
            //   50                   | mov                 dword ptr [ebp - 8], eax
            //   ffd3                 | cmp                 dword ptr [ebp - 8], 0xc8

        $sequence_45 = { 83c40c 8d442458 68???????? 50 ff15???????? 6a30 8d442410 }
            // n = 7, score = 100
            //   83c40c               | push                edx
            //   8d442458             | push                0
            //   68????????           |                     
            //   50                   | push                0
            //   ff15????????         |                     
            //   6a30                 | mov                 ecx, dword ptr [ebp + 8]
            //   8d442410             | push                ecx

        $sequence_46 = { 45 33db 89c7 49 }
            // n = 4, score = 100
            //   45                   | inc                 ebp
            //   33db                 | xor                 ebx, ebx
            //   89c7                 | mov                 edi, eax
            //   49                   | dec                 ecx

        $sequence_47 = { 49 8b4d28 e8???????? 85c0 741b }
            // n = 5, score = 100
            //   49                   | dec                 ecx
            //   8b4d28               | mov                 ecx, dword ptr [ebp + 0x28]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   741b                 | je                  0x1d

        $sequence_48 = { c21000 57 ff7510 51 }
            // n = 4, score = 100
            //   c21000               | mov                 edx, dword ptr [ebp + 0x14]
            //   57                   | mov                 eax, dword ptr [ebp - 0xc]
            //   ff7510               | add                 eax, dword ptr [ebp - 8]
            //   51                   | cmp                 eax, 0x31

        $sequence_49 = { 44 2bc5 44 017950 4d 8b4e18 45 }
            // n = 7, score = 100
            //   44                   | inc                 esp
            //   2bc5                 | sub                 eax, ebp
            //   44                   | inc                 esp
            //   017950               | add                 dword ptr [ecx + 0x50], edi
            //   4d                   | dec                 ebp
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   45                   | inc                 ebp

    condition:
        // Any 7 of the 50 sequences above, in a file below 417792 bytes
        // (exactly 408 KiB). Every sequence counts the same regardless of
        // its "score"; the short/data-only ones (_23, _26, _32, _34, _35)
        // can therefore supply several of the 7 hits on their own — keep that
        // in mind when assigning confidence to a match.
        7 of them and filesize < 417792
}
[TLP:WHITE] win_microcin_w0   (20170413 | Malware sample mentioned in Microcin technical report by Kaspersky)
import "pe"

/*
 * win_microcin_w0 — hand-written string rule for the samples referenced in
 * the Kaspersky Microcin technical report (see `reference` in meta).
 * Depends on the `import "pe"` statement that precedes this rule: the
 * condition calls pe.imphash().
 */
rule win_microcin_w0 {
    meta:
        description = "Malware sample mentioned in Microcin technical report by Kaspersky"
        author = "Florian Roth"
        reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf"
        date = "2017-09-26"
        // Three 64-hex-digit sample hashes (SHA-256) the rule was written against.
        hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200"
        hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46"
        hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin"
        malpedia_version = "20170413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $s1 looks like a fragment of the MSVC C++ runtime's RTTI
        // "... Class Descriptor at (" text, which appears in many ordinary
        // C++ binaries — low specificity on its own, hence "4 of them".
        $s1 = "e Class Descriptor at (" fullword ascii
        // $s2..$s5 are MSVC-decorated RTTI type-descriptor names (".?AV<class>@@")
        // of classes found in the samples; the class names themselves are the
        // family-specific part of this rule.
        $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii
        $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii
        $s4 = ".?AVCAppleBinRealClass@@" fullword ascii
        $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii
    condition:
        // uint16(0) == 0x5a4d: first two bytes are "MZ" (DOS/PE header).
        // Then either 4 of the 5 RTTI strings, OR an import-hash match.
        // NOTE(review): the imphash branch fires with zero string hits, so a
        // match on this rule may rest on the import table alone; imphash is a
        // build-level fingerprint that is easy to change between samples and
        // can collide with unrelated binaries built from the same import set.
        uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023")
}