Microcin
IoC for Microcin

Malware analysis and more technical information at https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/

Samples (SHA-256)

bbc5a9a49757abdbfcaca22f3b2a8b7e79f61c30d31812a0ccc316536eb58ca3 - sqllauncher.dll (VMProtected backdoor)
61e4c91803d0d495681400fb9053b434f4852fdad1a305bbcec45ee0b2926d6a - logon.dll (VMProtected backdoor)
d5c1e947d84791ac8e6218652372905ddb7d3bc84ff04e709d635f60e7224688 - logsupport.dll (VMProtected backdoor)
1395B863AE5697EA5096F4E2EBEF54FC20D5380B6921F8835D1F030F2BA16A40 - pcaudit.bat

Other samples (sqllauncher.dll, logon.dll, nwsapagent.dll)


Samples (logsupport.dll)

1546d181f9562c85f56a5db5e46a163d25d973fa348e214b5ff032deebb35c58
d5c1e947d84791ac8e6218652372905ddb7d3bc84ff04e709d635f60e7224688
C4f87948950a29c89fbf3826a2b51fd7e10626c00e15c05b0cce68456a44b5dc (dropper)

Batch file samples (pcaudit.bat, settings.bat)

1395b863ae5697ea5096f4e2ebef54fc20d5380b6921f8835d1f030f2ba16a40
52edbfcaf97608518407a59cda9b5dc3ae609d8c5425374aa1fcc8839b310c9d

Co-infection samples:

fc66353fb26fd82227700beb47c4fa90118cea151eb1689fd8bf48e93fda71d0 (Mimikatz)
2615e5585a5db77b973c74e0a87551978a9322c820362a148a995e571923b59c (WMI)
3a3b05a08180013a37fbdbe65e3fe017440c1cb34289647ef1f60316964ef6a9 (Gh0st RAT)

Network indicators

C&C servers
