SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy

There is no description at this point.

References
2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20230125 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d9520060000 4c8d4c244c 4803d1 488d0d72ab0100 442bc6 }
            // n = 5, score = 200
            //   488d9520060000       | mov                 dword ptr [ebp + 0x90], 0x18
            //   4c8d4c244c           | dec                 eax
            //   4803d1               | lea                 ecx, [ebp]
            //   488d0d72ab0100       | inc                 esp
            //   442bc6               | mov                 dword ptr [esp + 0x80], esi

        $sequence_1 = { 4c896c2450 4c896c2458 8bd6 488d4c2448 }
            // n = 4, score = 200
            //   4c896c2450           | dec                 ecx
            //   4c896c2458           | add                 edi, 0x18
            //   8bd6                 | inc                 ecx
            //   488d4c2448           | inc                 esp

        $sequence_2 = { 488d0583160200 488903 488d4c2428 e8???????? 488b08 48894b10 488b4808 }
            // n = 7, score = 200
            //   488d0583160200       | inc                 ebp
            //   488903               | xor                 esp, esp
            //   488d4c2428           | dec                 eax
            //   e8????????           |                     
            //   488b08               | cwde                
            //   48894b10             | dec                 eax
            //   488b4808             | test                eax, eax

        $sequence_3 = { 4883ec20 488bd9 488d3d3c77feff 488bcf e8???????? 85c0 7422 }
            // n = 7, score = 200
            //   4883ec20             | mov                 eax, 0xff
            //   488bd9               | dec                 eax
            //   488d3d3c77feff       | mov                 ebx, ecx
            //   488bcf               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | cmp                 edx, eax
            //   7422                 | ja                  0x1fd3

        $sequence_4 = { 488b5c2428 4885db 7442 488b7d87 483bdf 7431 0f1f440000 }
            // n = 7, score = 200
            //   488b5c2428           | mov                 dword ptr [ecx + 0x10], edi
            //   4885db               | dec                 ecx
            //   7442                 | cmp                 dword ptr [eax + 0x18], 0x10
            //   488b7d87             | jb                  0x189d
            //   483bdf               | dec                 ecx
            //   7431                 | mov                 ecx, dword ptr [eax]
            //   0f1f440000           | dec                 esp

        $sequence_5 = { 488d15e7d60200 66443935???????? 7505 458bc6 eb0f 4983c8ff 49ffc0 }
            // n = 7, score = 200
            //   488d15e7d60200       | mov                 dword ptr [esp + 8], ebx
            //   66443935????????     |                     
            //   7505                 | push                edi
            //   458bc6               | dec                 eax
            //   eb0f                 | sub                 esp, 0x20
            //   4983c8ff             | dec                 eax
            //   49ffc0               | lea                 ebx, [0x18e23]

        $sequence_6 = { 4889742420 57 4883ec30 33c0 488bf2 488bd9 488901 }
            // n = 7, score = 200
            //   4889742420           | inc                 esp
            //   57                   | mov                 eax, dword ptr [esp + 0x28]
            //   4883ec30             | dec                 eax
            //   33c0                 | mov                 edx, dword ptr [esp + 0x20]
            //   488bf2               | inc                 esp
            //   488bd9               | sub                 eax, edx
            //   488901               | dec                 esp

        $sequence_7 = { 4c8d05bbb30000 418d5216 e8???????? 85c0 0f8544090000 b805000000 884303 }
            // n = 7, score = 200
            //   4c8d05bbb30000       | nop                 
            //   418d5216             | dec                 esp
            //   e8????????           |                     
            //   85c0                 | mov                 esi, dword ptr [ebp - 0x60]
            //   0f8544090000         | dec                 ebp
            //   b805000000           | mov                 dword ptr [esi + 0x10], ebp
            //   884303               | dec                 eax

        $sequence_8 = { e8???????? 488b542438 488b4c2430 4c8b4c2428 4885c9 7412 c60100 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488b542438           | dec                 edx
            //   488b4c2430           | inc                 ecx
            //   4c8b4c2428           | or                  edx, 0xffffff00
            //   4885c9               | inc                 ecx
            //   7412                 | inc                 edx
            //   c60100               | inc                 ebx

        $sequence_9 = { 4c2bc1 8bd3 4c2bc5 eb44 0fbe38 498bd6 498bde }
            // n = 7, score = 200
            //   4c2bc1               | inc                 ecx
            //   8bd3                 | cmp                 dword ptr [esi + 0x24], 4
            //   4c2bc5               | jne                 0x411
            //   eb44                 | dec                 ecx
            //   0fbe38               | mov                 edx, dword ptr [esi + 0x38]
            //   498bd6               | dec                 eax
            //   498bde               | mov                 dword ptr [esp + 0x60], 0xf

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules