SYMBOLCOMMON_NAMEaka. SYNONYMS
win.owlproxy (Back to overview)

Owlproxy

There is no description at this point.

References
2021-06-09ESET ResearchThomas Dupuy, Matthieu Faou
@techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } Gelsemium: When threat actors go gardening
Owlproxy
2021-04-29Lab52Lab52
@online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } Chimera APT updates on its OwlProxy malware
Owlproxy
2020-10-14Medium CyCraftCyCraft Technology Corp
@online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware
Owlproxy
Yara Rules
[TLP:WHITE] win_owlproxy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_owlproxy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7414 e8???????? 4c89642428 4c89642430 4c89642438 4883bc242801000010 720d }
            // n = 7, score = 200
            //   7414                 | mov                 dword ptr [ebx], eax
            //   e8????????           |                     
            //   4c89642428           | dec                 eax
            //   4c89642430           | lea                 eax, [0x1fea5]
            //   4c89642438           | dec                 eax
            //   4883bc242801000010     | mov    dword ptr [ebx + 0x18], eax
            //   720d                 | dec                 eax

        $sequence_1 = { 44897c2438 89442460 488b03 4c897c2430 4889442458 488d85b0010000 }
            // n = 6, score = 200
            //   44897c2438           | inc                 ecx
            //   89442460             | mov                 esi, 1
            //   488b03               | mov                 edx, edi
            //   4c897c2430           | dec                 eax
            //   4889442458           | lea                 esi, [0x243b8]
            //   488d85b0010000       | dec                 eax

        $sequence_2 = { 4c8d7108 4d8b3e eb20 4c8d35e7c70100 488b0d???????? bf01000000 }
            // n = 6, score = 200
            //   4c8d7108             | dec                 ecx
            //   4d8b3e               | mov                 ecx, dword ptr [esi + 0x150]
            //   eb20                 | jne                 0x1eb
            //   4c8d35e7c70100       | dec                 eax
            //   488b0d????????       |                     
            //   bf01000000           | mov                 ecx, edx

        $sequence_3 = { e8???????? 90 48837da810 7209 488b4d90 e8???????? 488d4d70 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   90                   | lea                 esp, [esi + 0x10]
            //   48837da810           | dec                 ecx
            //   7209                 | mov                 ebp, dword ptr [esp]
            //   488b4d90             | dec                 ecx
            //   e8????????           |                     
            //   488d4d70             | cmp                 dword ptr [esi + 0x18], 0x10

        $sequence_4 = { 488bf1 48894c2458 4533f6 4489b42480000000 49c783c8feffff07000000 }
            // n = 5, score = 200
            //   488bf1               | mov                 esi, dword ptr [ebx + 0x38]
            //   48894c2458           | dec                 esp
            //   4533f6               | lea                 ebx, [esp + 0x2f0]
            //   4489b42480000000     | dec                 ecx
            //   49c783c8feffff07000000     | mov    ebx, dword ptr [ebx + 0x38]

        $sequence_5 = { 4533c9 4c8d8590000000 488d55e0 488d4de8 ff15???????? 85c0 0f8497050000 }
            // n = 7, score = 200
            //   4533c9               | mov                 esi, dword ptr [ebp - 0x80]
            //   4c8d8590000000       | dec                 ecx
            //   488d55e0             | mov                 dword ptr [esi], esi
            //   488d4de8             | dec                 ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esi + 8], ebx
            //   0f8497050000         | dec                 ecx

        $sequence_6 = { 48898c2490000000 33db 899c2498000000 48895c2440 48895c2448 48895c2450 48c78424c000000007000000 }
            // n = 7, score = 200
            //   48898c2490000000     | dec                 eax
            //   33db                 | lea                 edx, [esp + 0x20]
            //   899c2498000000       | test                eax, eax
            //   48895c2440           | jne                 0x1bcd
            //   48895c2448           | dec                 eax
            //   48895c2450           | lea                 ecx, [0xe434]
            //   48c78424c000000007000000     | cmp    si, word ptr [ecx]

        $sequence_7 = { 4883ff05 0f95c0 85c0 0f8587000000 4c8d4d00 48837d1808 }
            // n = 6, score = 200
            //   4883ff05             | dec                 esp
            //   0f95c0               | sub                 edi, esi
            //   85c0                 | dec                 eax
            //   0f8587000000         | cmp                 ebx, edi
            //   4c8d4d00             | jne                 0xb02
            //   48837d1808           | dec                 eax

        $sequence_8 = { 56 57 4154 4156 4157 4881ec80020000 49c78318fefffffeffffff }
            // n = 7, score = 200
            //   56                   | cmp                 cl, 0x3d
            //   57                   | je                  0x1d5d
            //   4154                 | dec                 eax
            //   4156                 | movsx               ecx, cl
            //   4157                 | movzx               esi, byte ptr [esp + ecx + 0x50]
            //   4881ec80020000       | jmp                 0x1d63
            //   49c78318fefffffeffffff     | inc    ecx

        $sequence_9 = { 0f294140 0f284a50 0f294950 0f284260 0f294160 488d8980000000 }
            // n = 6, score = 200
            //   0f294140             | lea                 ecx, [esp + 0x40]
            //   0f284a50             | nop                 
            //   0f294950             | dec                 eax
            //   0f284260             | mov                 eax, dword ptr [esp + 0xb8]
            //   0f294160             | dec                 ebp
            //   488d8980000000       | lea                 eax, [eax + eax*2]

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules