win.owlproxy

Owlproxy


There is no description at this point.

References
2022-06-30 · Kaspersky · Pierre Delcher
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09 · ESET Research · Matthieu Faou, Thomas Dupuy
Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29 · Lab52 · Lab52
Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14 · Medium CyCraft · CyCraft Technology Corp
Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20260504 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    /* Auto-generated code-sequence signature for the win.owlproxy family.
     * It matches when at least 7 of the 10 opcode sequences below are
     * present in a file smaller than 464 KiB (see `condition`).
     * The sequences appear to be x64 code: many of them start with 0x48,
     * 0x4c, 0x41, 0x4d or 0x45 bytes, which are REX prefixes in 64-bit mode
     * (e.g. `4883ec70` is `sub rsp, 0x70`). */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the hex bytes are authoritative; the mnemonic column in the
     * per-line comments below does NOT decode the bytes on the same line
     * (for example `7426` is a short `je`, `85c0` is `test eax, eax`, and
     * `ffc0` is `inc eax`, none of which match the annotated text). Do not use
     * the annotations to reason about what the matched code does.
     * The `??` wildcards mask operand bytes; given the `callsandjumps;datarefs`
     * configuration these are presumably call/jump targets and RIP-relative
     * displacements that vary between builds — confirm against the generator. */

    strings:
        $sequence_0 = { 4883ec70 488b05???????? 4833c4 4889442468 4c8d4c2450 baffff0000 41b808000000 }
            // n = 7, score = 200
            //   4883ec70             | dec                 esp
            //   488b05????????       |                     
            //   4833c4               | mov                 ebp, edx
            //   4889442468           | dec                 esp
            //   4c8d4c2450           | mov                 esi, ecx
            //   baffff0000           | dec                 ebp
            //   41b808000000         | cmp                 eax, ecx

        $sequence_1 = { ffc0 420fb61419 41ffc2 4232540eff 418851ff 48ffcf 7586 }
            // n = 7, score = 200
            //   ffc0                 | dec                 eax
            //   420fb61419           | mov                 dword ptr [ebp - 0x80], edi
            //   41ffc2               | mov                 byte ptr [esp + 0x70], al
            //   4232540eff           | dec                 eax
            //   418851ff             | mov                 dword ptr [esp + 0x40], edi
            //   48ffcf               | dec                 eax
            //   7586                 | mov                 edi, eax

        $sequence_2 = { 488b8d88000000 4885c9 7426 e8???????? 48c7858800000000000000 }
            // n = 5, score = 200
            //   488b8d88000000       | dec                 eax
            //   4885c9               | lea                 ecx, [ebp - 0x30]
            //   7426                 | dec                 eax
            //   e8????????           |                     
            //   48c7858800000000000000     | xor    eax, esp

        $sequence_3 = { ffc0 4d8d5201 413bc3 7cf2 458bc1 4c8d542420 66660f1f840000000000 }
            // n = 7, score = 200
            //   ffc0                 | mov                 eax, edi
            //   4d8d5201             | dec                 eax
            //   413bc3               | mov                 dword ptr [esp + 0x40], edi
            //   7cf2                 | test                esi, esi
            //   458bc1               | jle                 0x140c
            //   4c8d542420           | nop                 word ptr [eax + eax]
            //   66660f1f840000000000     | dec    eax

        $sequence_4 = { 6641898448b82c0300 ffc2 ebe2 8bd7 89542420 81fa01010000 }
            // n = 6, score = 200
            //   6641898448b82c0300     | dec    eax
            //   ffc2                 | mov                 ecx, dword ptr [edi]
            //   ebe2                 | dec                 eax
            //   8bd7                 | mov                 dword ptr [edi + 0x18], 0xf
            //   89542420             | dec                 eax
            //   81fa01010000         | mov                 ecx, dword ptr [ecx]

        $sequence_5 = { 483bf0 0f878c000000 4c8d7c2450 4c2bfe 483bdf 756d }
            // n = 6, score = 200
            //   483bf0               | mov                 dword ptr [eax + ecx*2 + 0x32cb8], eax
            //   0f878c000000         | inc                 edx
            //   4c8d7c2450           | jge                 0x6eb
            //   4c2bfe               | dec                 eax
            //   483bdf               | arpl                di, cx
            //   756d                 | mov                 al, byte ptr [ecx + ebx + 0x119]

        $sequence_6 = { e9???????? 488d8a20000000 e9???????? 488d8ae8000000 e9???????? 488d8a70000000 e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488d8a20000000       | xor                 eax, esp
            //   e9????????           |                     
            //   488d8ae8000000       | dec                 eax
            //   e9????????           |                     
            //   488d8a70000000       | mov                 dword ptr [ebp + 0xae0], eax
            //   e9????????           |                     

        $sequence_7 = { 66443920 7417 8b15???????? 488d0d28d90000 4c8bc3 ffca e8???????? }
            // n = 7, score = 200
            //   66443920             | inc                 ebx
            //   7417                 | dec                 ecx
            //   8b15????????         |                     
            //   488d0d28d90000       | cmp                 edi, ecx
            //   4c8bc3               | jne                 0xb51
            //   ffca                 | dec                 ecx
            //   e8????????           |                     

        $sequence_8 = { e8???????? eb75 4584c0 745b 4883fa08 7355 4c89742440 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb75                 | dec                 ebp
            //   4584c0               | mov                 edx, dword ptr [eax + 0x18]
            //   745b                 | dec                 ecx
            //   4883fa08             | cmp                 edx, 0x10
            //   7355                 | jb                  0x1f27
            //   4c89742440           | dec                 ecx

        $sequence_9 = { 488d15752e0100 488bcf ff14c2 85c0 7438 488b442448 }
            // n = 6, score = 200
            //   488d15752e0100       | mov                 ecx, esi
            //   488bcf               | dec                 ebp
            //   ff14c2               | mov                 ecx, dword ptr [edi]
            //   85c0                 | inc                 ecx
            //   7438                 | movzx               eax, byte ptr [edx + edx]
            //   488b442448           | dec                 ecx

    /* `7 of them`: at least 7 of the 10 $sequence_* strings must be found;
     * the rule tolerates a few sequences being absent or recompiled away.
     * `filesize < 475136` (464 KiB) is a scope bound inherited from the
     * documented sample; it limits false positives on large binaries but also
     * means a larger file (e.g. a padded or repacked build, or a full memory
     * dump) will not match even if all sequences are present. `filesize` is
     * only defined when YARA scans a file, not process memory — confirm this
     * rule is applied to on-disk files/dumps in your pipeline. */
    condition:
        7 of them and filesize < 475136
}