SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy

There is no description at this point.

References
2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20220808 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 48c785a800000007000000 4c89bda0000000 664489bd90000000 488d157fec0200 66833d????????00 750d }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48c785a800000007000000     | mov    dword ptr [ebx + eax], ecx
            //   4c89bda0000000       | dec                 eax
            //   664489bd90000000     | lea                 eax, [0x970b]
            //   488d157fec0200       | dec                 eax
            //   66833d????????00     |                     
            //   750d                 | lea                 eax, [0x977e]

        $sequence_1 = { 488b0d???????? 488d15326d0200 488904ca 4883c428 }
            // n = 4, score = 200
            //   488b0d????????       |                     
            //   488d15326d0200       | dec                 eax
            //   488904ca             | cmovae              edx, dword ptr [esp + 0xa8]
            //   4883c428             | dec                 eax

        $sequence_2 = { 740e 4c8b00 ba01000000 488bc8 41ff10 4084ff 0f84ba000000 }
            // n = 7, score = 200
            //   740e                 | dec                 eax
            //   4c8b00               | lea                 ecx, [esp + 0x130]
            //   ba01000000           | dec                 eax
            //   488bc8               | mov                 dword ptr [edi + 0x18], 0xf
            //   41ff10               | dec                 esp
            //   4084ff               | mov                 dword ptr [edi + 0x10], esi
            //   0f84ba000000         | inc                 esp

        $sequence_3 = { 4833c4 4889442458 488bfa 488bd9 33f6 488931 }
            // n = 6, score = 200
            //   4833c4               | mov                 eax, esi
            //   4889442458           | dec                 eax
            //   488bfa               | lea                 edx, [esp + 0x38]
            //   488bd9               | dec                 eax
            //   33f6                 | mov                 ecx, eax
            //   488931               | dec                 eax

        $sequence_4 = { 488b742438 488b7c2440 4883c420 415e c3 f0ff01 488b81d8000000 }
            // n = 7, score = 200
            //   488b742438           | dec                 eax
            //   488b7c2440           | mov                 dword ptr [ebp + 0x60], eax
            //   4883c420             | dec                 eax
            //   415e                 | lea                 ecx, [esp + 0x58]
            //   c3                   | inc                 sp
            //   f0ff01               | mov                 dword ptr [ebp + 0x70], edi
            //   488b81d8000000       | dec                 eax

        $sequence_5 = { 4c89742440 4533f6 48d1e9 4c03c6 482bc1 483bc3 }
            // n = 6, score = 200
            //   4c89742440           | inc                 esp
            //   4533f6               | mov                 dword ptr [ebp + 0x1b0], edi
            //   48d1e9               | inc                 ebp
            //   4c03c6               | mov                 eax, esi
            //   482bc1               | dec                 eax
            //   483bc3               | lea                 edx, [0xe16e]

        $sequence_6 = { 4889442420 ff15???????? 488bb42490000000 48c7431807000000 }
            // n = 4, score = 200
            //   4889442420           | mov                 ebx, ecx
            //   ff15????????         |                     
            //   488bb42490000000     | dec                 eax
            //   48c7431807000000     | mov                 ecx, dword ptr [ecx + 8]

        $sequence_7 = { 4889442448 488d542448 488d4c2430 e8???????? 488d0592180200 4889442430 488d15eed00200 }
            // n = 7, score = 200
            //   4889442448           | dec                 eax
            //   488d542448           | mov                 dword ptr [esi], ebp
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     
            //   488d0592180200       | mov                 dword ptr [esi + 8], edi
            //   4889442430           | dec                 esp
            //   488d15eed00200       | mov                 eax, dword ptr [eax]

        $sequence_8 = { 488d0df56c0200 e8???????? 492bc9 48ffc1 492bd1 4c8bc2 49d1e8 }
            // n = 7, score = 200
            //   488d0df56c0200       | dec                 eax
            //   e8????????           |                     
            //   492bc9               | mov                 dword ptr [ebx + 0x30], eax
            //   48ffc1               | mov                 dword ptr [ebx], edi
            //   492bd1               | dec                 eax
            //   4c8bc2               | test                eax, eax
            //   49d1e8               | dec                 eax

        $sequence_9 = { 488bd7 488d8c2410010000 e8???????? 448b442448 452bc6 }
            // n = 5, score = 200
            //   488bd7               | mov                 dword ptr [esp + 0x20], edi
            //   488d8c2410010000     | dec                 eax
            //   e8????????           |                     
            //   448b442448           | mov                 dword ptr [ebx + 8], eax
            //   452bc6               | xor                 edx, edx

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules