SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy


There is no description at this point.

References
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20220411 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8b00 ba01000000 488bc8 41ff10 90 488b0f }
            // n = 6, score = 200
            //   4c8b00               | cmp                 edi, 1
            //   ba01000000           | setne               al
            //   488bc8               | test                eax, eax
            //   41ff10               | inc                 ecx
            //   90                   | mov                 eax, esi
            //   488b0f               | jmp                 0x468

        $sequence_1 = { e8???????? 488d041f 488b7c2440 48894608 488b5c2448 4883c420 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   488d041f             | push                ebp
            //   488b7c2440           | push                esi
            //   48894608             | push                edi
            //   488b5c2448           | dec                 eax
            //   4883c420             | sub                 esp, 0x50

        $sequence_2 = { 488945cf 488b00 488bcb ff5008 4c8d45cf }
            // n = 5, score = 200
            //   488945cf             | jne                 0x1a8
            //   488b00               | mov                 eax, dword ptr [edx]
            //   488bcb               | movaps              xmmword ptr [ebp + 0x60], xmm1
            //   ff5008               | movaps              xmmword ptr [ebp + 0x70], xmm0
            //   4c8d45cf             | movaps              xmmword ptr [ebp + 0x80], xmm1

        $sequence_3 = { 740e 4c8b00 ba01000000 488bc8 41ff10 488b5c2430 488b6c2438 }
            // n = 7, score = 200
            //   740e                 | mov                 eax, dword ptr [ebp + 0x34]
            //   4c8b00               | and                 eax, 2
            //   ba01000000           | dec                 eax
            //   488bc8               | cmp                 dword ptr [edx + 0x18], 8
            //   41ff10               | dec                 eax
            //   488b5c2430           | mov                 dword ptr [esp + 0xa0], esi
            //   488b6c2438           | jb                  0x3f4

        $sequence_4 = { 498bc6 eb49 ff15???????? 90 4883bd8800000010 7209 }
            // n = 6, score = 200
            //   498bc6               | mov                 dword ptr [ecx + 8], eax
            //   eb49                 | dec                 eax
            //   ff15????????         |                     
            //   90                   | mov                 dword ptr [ecx + 0x10], eax
            //   4883bd8800000010     | xor                 eax, eax
            //   7209                 | cmp                 cl, 0xa

        $sequence_5 = { 48c745ef0f000000 4c897de7 c645d700 41b804000000 488d154d570200 488d4dd7 e8???????? }
            // n = 7, score = 200
            //   48c745ef0f000000     | lea                 ecx, dword ptr [esp + 0x150]
            //   4c897de7             | nop                 
            //   c645d700             | dec                 eax
            //   41b804000000         | lea                 edx, dword ptr [esp + 0x150]
            //   488d154d570200       | jbe                 0x8c1
            //   488d4dd7             | inc                 eax
            //   e8????????           |                     

        $sequence_6 = { 480f4355a8 4533c0 488b4d98 ff15???????? 897da0 0f1f4000 }
            // n = 6, score = 200
            //   480f4355a8           | dec                 esp
            //   4533c0               | mov                 ecx, eax
            //   488b4d98             | dec                 eax
            //   ff15????????         |                     
            //   897da0               | mov                 esi, ecx
            //   0f1f4000             | dec                 ebp

        $sequence_7 = { 488bfa 488bd9 896c2430 4885c0 7523 48c7411807000000 48896910 }
            // n = 7, score = 200
            //   488bfa               | test                eax, eax
            //   488bd9               | je                  0xf46
            //   896c2430             | dec                 esp
            //   4885c0               | lea                 eax, dword ptr [ebp + 0x90]
            //   7523                 | dec                 eax
            //   48c7411807000000     | lea                 edx, dword ptr [ebp - 0x20]
            //   48896910             | dec                 eax

        $sequence_8 = { 84c0 7410 498b4610 4839442450 7605 40b701 eb03 }
            // n = 7, score = 200
            //   84c0                 | cmp                 eax, 0x3e5
            //   7410                 | jne                 0x370
            //   498b4610             | add                 ebx, dword ptr [ebp + 0x10]
            //   4839442450           | cmp                 ebx, esi
            //   7605                 | jb                  0x331
            //   40b701               | mov                 byte ptr [esp + 0x40], 0
            //   eb03                 | dec                 eax

        $sequence_9 = { 488bf1 48894d80 4c8945f0 4533ff }
            // n = 4, score = 200
            //   488bf1               | lea                 ecx, dword ptr [ebp + 0x40]
            //   48894d80             | dec                 eax
            //   4c8945f0             | mov                 dword ptr [esp + 0x90], ecx
            //   4533ff               | xor                 ebx, ebx

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules