SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy

There is no description at this point.

References
2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20230407 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4833c4 4889842470020000 488bfa 4c8bf1 48894c2478 4533e4 4489a42498000000 }
            // n = 7, score = 200
            //   4833c4               | dec                 esp
            //   4889842470020000     | mov                 eax, edi
            //   488bfa               | dec                 eax
            //   4c8bf1               | lea                 eax, [edi + ebx]
            //   48894c2478           | dec                 eax
            //   4533e4               | mov                 edi, dword ptr [esp + 0x40]
            //   4489a42498000000     | dec                 eax

        $sequence_1 = { e8???????? 4881c420020000 415f 415e 5f }
            // n = 5, score = 200
            //   e8????????           |                     
            //   4881c420020000       | nop                 
            //   415f                 | mov                 dword ptr [esp + 0x20], 3
            //   415e                 | dec                 eax
            //   5f                   | lea                 edx, [0x1584d]

        $sequence_2 = { 4885c0 7403 f0ff00 488d4128 41b806000000 488d15c8a50100 483950f0 }
            // n = 7, score = 200
            //   4885c0               | dec                 eax
            //   7403                 | lea                 eax, [0x20777]
            //   f0ff00               | dec                 eax
            //   488d4128             | mov                 dword ptr [esp + 0x20], eax
            //   41b806000000         | dec                 eax
            //   488d15c8a50100       | lea                 edx, [esp + 0x20]
            //   483950f0             | dec                 eax

        $sequence_3 = { e8???????? 488b4527 48897d9f 48897da7 48837de700 742c 4c8bc8 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488b4527             | mov                 dword ptr [esp + 0x28], ebp
            //   48897d9f             | dec                 eax
            //   48897da7             | mov                 dword ptr [esp + 0x20], ebp
            //   48837de700           | dec                 eax
            //   742c                 | lea                 ecx, [esp + 0x48]
            //   4c8bc8               | dec                 eax

        $sequence_4 = { 483bdf 756d 488bc7 482bc3 4883f801 7361 488bc6 }
            // n = 7, score = 200
            //   483bdf               | cmp                 ecx, eax
            //   756d                 | jne                 0x2bd
            //   488bc7               | dec                 eax
            //   482bc3               | mov                 edx, ecx
            //   4883f801             | jne                 0x2c1
            //   7361                 | dec                 eax
            //   488bc6               | lea                 ecx, [0x1ff02]

        $sequence_5 = { 482bc1 48ffc8 4883f801 730c 488d0d7c6d0200 e8???????? 492bc9 }
            // n = 7, score = 200
            //   482bc1               | dec                 eax
            //   48ffc8               | mov                 ecx, eax
            //   4883f801             | inc                 ecx
            //   730c                 | call                dword ptr [eax]
            //   488d0d7c6d0200       | inc                 eax
            //   e8????????           |                     
            //   492bc9               | test                bh, bh

        $sequence_6 = { 488d8a40000000 e9???????? 488d8a10010000 e9???????? 488d8a28000000 e9???????? }
            // n = 6, score = 200
            //   488d8a40000000       | dec                 eax
            //   e9????????           |                     
            //   488d8a10010000       | lea                 ecx, [0x10efb]
            //   e9????????           |                     
            //   488d8a28000000       | dec                 eax
            //   e9????????           |                     

        $sequence_7 = { 488d0d7ee30000 4c8bc7 e8???????? 488b03 66443920 0f8472010000 488b07 }
            // n = 7, score = 200
            //   488d0d7ee30000       | inc                 ebp
            //   4c8bc7               | xor                 edi, edi
            //   e8????????           |                     
            //   488b03               | inc                 esp
            //   66443920             | mov                 dword ptr [ebp - 0x59], edi
            //   0f8472010000         | dec                 eax
            //   488b07               | lea                 edi, [ecx + 8]

        $sequence_8 = { 488bfa 488bd9 896c2440 4885c0 7523 48c741180f000000 48896910 }
            // n = 7, score = 200
            //   488bfa               | mov                 edx, dword ptr [esp + 0x78]
            //   488bd9               | dec                 eax
            //   896c2440             | lea                 ecx, [esi + eax]
            //   4885c0               | dec                 esp
            //   7523                 | sub                 eax, edx
            //   48c741180f000000     | dec                 eax
            //   48896910             | mov                 ecx, dword ptr [edi]

        $sequence_9 = { 480f42d1 488d4c2428 e8???????? 488b4c2430 4c8b4c2428 4a8d040f 4885c9 }
            // n = 7, score = 200
            //   480f42d1             | sar                 eax, 5
            //   488d4c2428           | and                 ecx, 0x1f
            //   e8????????           |                     
            //   488b4c2430           | dec                 eax
            //   4c8b4c2428           | mov                 eax, dword ptr [edx + eax*8]
            //   4a8d040f             | dec                 eax
            //   4885c9               | imul                ecx, ecx, 0x58

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules