SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy

There is no description at this point.

References
2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20230715 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488905???????? 4885c0 7420 488d1511fd0000 488bcb ff15???????? 488bc8 }
            // n = 7, score = 200
            //   488905????????       |                     
            //   4885c0               | mov                 esi, dword ptr [esp + 0x38]
            //   7420                 | dec                 eax
            //   488d1511fd0000       | mov                 dword ptr [edi + 8], eax
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   488bc8               | add                 esp, 0x48

        $sequence_1 = { ff15???????? 3de5030000 7407 3d47270000 7528 03df 3bde }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   3de5030000           | mov                 eax, esi
            //   7407                 | dec                 eax
            //   3d47270000           | add                 esp, 0x50
            //   7528                 | inc                 ecx
            //   03df                 | pop                 esi
            //   3bde                 | pop                 esi

        $sequence_2 = { 8bd3 498bce 4d8b0f 4889442420 e8???????? 488d0575340100 4c3bf8 }
            // n = 7, score = 200
            //   8bd3                 | mov                 ebx, eax
            //   498bce               | inc                 esp
            //   4d8b0f               | mov                 edi, eax
            //   4889442420           | test                eax, eax
            //   e8????????           |                     
            //   488d0575340100       | jne                 0x63b
            //   4c3bf8               | dec                 eax

        $sequence_3 = { 488bcb 488905???????? ff15???????? 488d1527580100 483305???????? 488bcb 488905???????? }
            // n = 7, score = 200
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1527580100       | mov                 dword ptr [esp + 0x28], eax
            //   483305????????       |                     
            //   488bcb               | dec                 eax
            //   488905????????       |                     

        $sequence_4 = { 443af8 750b 48ffc7 48ffc3 }
            // n = 4, score = 200
            //   443af8               | sub                 esp, 0xb0
            //   750b                 | dec                 eax
            //   48ffc7               | mov                 dword ptr [ebp - 0x21], 0xfffffffe
            //   48ffc3               | inc                 ecx

        $sequence_5 = { 4889442438 488bf9 488b4908 488bda 4c8d442420 488d542428 }
            // n = 6, score = 200
            //   4889442438           | dec                 eax
            //   488bf9               | lea                 ebp, [0x16c11]
            //   488b4908             | mov                 edx, 0x55
            //   488bda               | test                eax, eax
            //   4c8d442420           | jg                  0x7dd
            //   488d542428           | dec                 eax

        $sequence_6 = { 85c0 7521 448b07 488b4b08 }
            // n = 4, score = 200
            //   85c0                 | mov                 ecx, dword ptr [ebp + 0x70]
            //   7521                 | dec                 ecx
            //   448b07               | mov                 eax, dword ptr [ecx]
            //   488b4b08             | inc                 esp

        $sequence_7 = { 483305???????? 488bcb 488905???????? ff15???????? 488d15cd570100 483305???????? 488bcb }
            // n = 7, score = 200
            //   483305????????       |                     
            //   488bcb               | lea                 ecx, [ebp + 0xf]
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15cd570100       | dec                 eax
            //   483305????????       |                     
            //   488bcb               | lea                 ecx, [ebp - 0x20]

        $sequence_8 = { 442bc3 4c8bcb 488bd3 488d8c2470010000 e8???????? 49891e 49897e08 }
            // n = 7, score = 200
            //   442bc3               | nop                 
            //   4c8bcb               | inc                 ebp
            //   488bd3               | test                esi, esi
            //   488d8c2470010000     | je                  0x805
            //   e8????????           |                     
            //   49891e               | dec                 eax
            //   49897e08             | lea                 edx, [0x251ba]

        $sequence_9 = { 90 48837c247010 720a 488b4c2458 e8???????? 48c74424700f000000 4c897c2468 }
            // n = 7, score = 200
            //   90                   | mov                 ecx, dword ptr [ebp - 0x48]
            //   48837c247010         | test                eax, eax
            //   720a                 | jne                 0x698
            //   488b4c2458           | inc                 edi
            //   e8????????           |                     
            //   48c74424700f000000     | inc    ebp
            //   4c897c2468           | xor                 eax, eax

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules