SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy


There is no description at this point.

References
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20211008 | Detects win.owlproxy.)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.owlproxy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b4dd7 e8???????? 90 488b5c2428 4885db 7442 }
            // n = 6, score = 200
            //   488b4dd7             | mov                 ecx, ebx
            //   e8????????           |                     
            //   90                   | nop                 
            //   488b5c2428           | dec                 eax
            //   4885db               | mov                 eax, dword ptr [esp + 0xf8]
            //   7442                 | dec                 eax

        $sequence_1 = { 4c8d0de1560100 33d2 4d8bc1 413b08 7412 ffc2 4983c010 }
            // n = 7, score = 200
            //   4c8d0de1560100       | dec                 eax
            //   33d2                 | mov                 ecx, dword ptr [ebp + 0x17]
            //   4d8bc1               | dec                 eax
            //   413b08               | test                ecx, ecx
            //   7412                 | je                  0x14b6
            //   ffc2                 | nop                 
            //   4983c010             | dec                 eax

        $sequence_2 = { 488bcf e9???????? 83f804 0f8584000000 498b5638 48c74424780f000000 }
            // n = 6, score = 200
            //   488bcf               | mov                 dword ptr [esp + 0x30], 1
            //   e9????????           |                     
            //   83f804               | mov                 dword ptr [esp + 0x28], eax
            //   0f8584000000         | dec                 eax
            //   498b5638             | lea                 eax, dword ptr [ebp + 0x70]
            //   48c74424780f000000     | dec    esp

        $sequence_3 = { 7539 488d053d880200 4889442448 488d542448 488d4c2430 e8???????? }
            // n = 6, score = 200
            //   7539                 | dec                 eax
            //   488d053d880200       | cmp                 dword ptr [ecx + 0x150], 0
            //   4889442448           | dec                 eax
            //   488d542448           | mov                 edi, ecx
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { e8???????? 440fb785c0060000 4c8d8dc0050000 488d15703c0200 488d8dd0060000 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   440fb785c0060000     | mov                 dword ptr [ebx + 0x20], edx
            //   4c8d8dc0050000       | dec                 eax
            //   488d15703c0200       | lea                 ecx, dword ptr [ebx + 0x28]
            //   488d8dd0060000       | inc                 eax
            //   e8????????           |                     

        $sequence_5 = { 4c89742438 4885db 7417 488bcb e8???????? 4c89742440 4c89742448 }
            // n = 7, score = 200
            //   4c89742438           | jne                 0x6e
            //   4885db               | inc                 esp
            //   7417                 | mov                 eax, dword ptr [edi]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   4c89742440           | mov                 ecx, dword ptr [ebx + 8]
            //   4c89742448           | inc                 ebp

        $sequence_6 = { 488bcb 488905???????? ff15???????? 488d15cb570100 483305???????? 488bcb }
            // n = 6, score = 200
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d15cb570100       | lea                 ecx, dword ptr [esp + 0x70]
            //   483305????????       |                     
            //   488bcb               | mov                 byte ptr [esp + 0x70], 0

        $sequence_7 = { 493bc1 7565 498bc9 482bc8 4883f901 7359 498bca }
            // n = 7, score = 200
            //   493bc1               | dec                 eax
            //   7565                 | lea                 edx, dword ptr [0x24f99]
            //   498bc9               | dec                 eax
            //   482bc8               | cwde                
            //   4883f901             | jne                 0x7e3
            //   7359                 | xor                 ebx, ebx
            //   498bca               | jmp                 0x7ec

        $sequence_8 = { 4885c9 7414 e8???????? 48895c2420 48895c2428 48895c2430 4883bc24e000000010 }
            // n = 7, score = 200
            //   4885c9               | inc                 esp
            //   7414                 | mov                 eax, edi
            //   e8????????           |                     
            //   48895c2420           | inc                 esp
            //   48895c2428           | sub                 eax, ebx
            //   48895c2430           | dec                 esp
            //   4883bc24e000000010     | mov    ecx, ebx

        $sequence_9 = { 7515 b001 488b4c2468 4833cc e8???????? 4883c470 }
            // n = 6, score = 200
            //   7515                 | cmp                 dword ptr [ebp + 0x1f], 0x10
            //   b001                 | jb                  0x691
            //   488b4c2468           | dec                 eax
            //   4833cc               | mov                 ecx, dword ptr [ebp + 7]
            //   e8????????           |                     
            //   4883c470             | dec                 eax

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules