rule win_stowaway_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* HOW TO READ THE STRINGS
     * Each $sequence_N is a contiguous run of 32-bit x86 opcode bytes taken
     * from the sample's disassembly. In the per-string comments, "n" is the
     * number of instructions the sequence covers and "score" is the
     * generator's weight for it (the scale itself is not documented here).
     * "??" bytes wildcard a 4-byte absolute operand (the moffs32 of the
     * a3 / a2 `mov` forms) so the pattern still matches after relocation.
     * Segment/rep prefix bytes (3e, 26, 64, f2) are part of the matched
     * bytes even where the listing prints only the plain mnemonic.
     *
     * NOTE(review): $sequence_1 .. $sequence_4 are overlapping windows over
     * one contiguous byte run (76 e8 77 e8 78 e8 79 e8 7a e8 ce f6 7b e8
     * 7c e8 7d e8 7e e8). One occurrence of that run satisfies four of the
     * seven matches the condition requires, so they are not independent
     * evidence. The ascending byte values also read more like a table than
     * code - confirm against the sample before weighting them highly.
     */


    strings:
        // a3 ???????? is `mov [imm32], eax` with the address wildcarded.
        $sequence_0 = { 8a7cbe46 a3???????? 4e fb b501 }
            // n = 5, score = 200
            //   8a7cbe46             | mov                 bh, byte ptr [esi + edi*4 + 0x46]
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1

        // Tail of the overlapping run described in the review note above.
        $sequence_1 = { f67be8 7ce8 7de8 7ee8 }
            // n = 4, score = 200
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea
            //   7de8                 | jge                 0xffffffea
            //   7ee8                 | jle                 0xffffffea

        // Middle window of the same overlapping run.
        $sequence_2 = { 78e8 79e8 7ae8 ce }
            // n = 4, score = 200
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                

        // Head of the same overlapping run.
        $sequence_3 = { 76e8 77e8 78e8 79e8 }
            // n = 4, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea

        // Another window of the same overlapping run.
        $sequence_4 = { 7ae8 ce f67be8 7ce8 }
            // n = 4, score = 200
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea

        // NOTE(review): esi-relative lea/mov with fixed image offsets, in
        // $sequence_5 and $sequence_6, resembles a packer's decompression /
        // fix-up stub rather than family-specific logic - check that these
        // two do not fire on unrelated packed binaries.
        $sequence_5 = { e2d9 8dbe00903a00 8b07 09c0 743c 8b5f04 8d843000a03b00 }
            // n = 7, score = 100
            //   e2d9                 | loop                0xffffffdb
            //   8dbe00903a00         | lea                 edi, [esi + 0x3a9000]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   09c0                 | or                  eax, eax
            //   743c                 | je                  0x3e
            //   8b5f04               | mov                 ebx, dword ptr [edi + 4]
            //   8d843000a03b00       | lea                 eax, [eax + esi + 0x3ba000]

        $sequence_6 = { 8bae34a03b00 8dbe00f0ffff bb00100000 50 }
            // n = 4, score = 100
            //   8bae34a03b00         | mov                 ebp, dword ptr [esi + 0x3ba034]
            //   8dbe00f0ffff         | lea                 edi, [esi - 0x1000]
            //   bb00100000           | mov                 ebx, 0x1000
            //   50                   | push                eax

        // NOTE(review): `out dx, eax` would fault in user mode; these bytes
        // are probably data that happened to disassemble, not executed code.
        $sequence_7 = { 0e d8f4 ef 28f8 386849 }
            // n = 5, score = 100
            //   0e                   | push                cs
            //   d8f4                 | fdiv                st(4)
            //   ef                   | out                 dx, eax
            //   28f8                 | sub                 al, bh
            //   386849               | cmp                 byte ptr [eax + 0x49], ch

        // NOTE(review): `insb` / `in al, imm8` would fault in user mode;
        // likely data rather than code (see $sequence_7).
        $sequence_8 = { 5c 72e4 633e 6c e4e4 }
            // n = 5, score = 100
            //   5c                   | pop                 esp
            //   72e4                 | jb                  0xffffffe6
            //   633e                 | arpl                word ptr [esi], di
            //   6c                   | insb                byte ptr es:[edi], dx
            //   e4e4                 | in                  al, 0xe4

        // NOTE(review): 80 interleaved with ascending bytes (59 5b 5c 5d 5e
        // 5f 60 61 .. 63 64) reads like a table; the disassembly is incidental.
        $sequence_9 = { 3e8059805b 805c805d80 5e 8083c65df85f80 60 8061fc63 8064ffdff1 }
            // n = 7, score = 100
            //   3e8059805b           | sbb                 byte ptr ds:[ecx - 0x80], 0x5b
            //   805c805d80           | sbb                 byte ptr [eax + eax*4 + 0x5d], 0x80
            //   5e                   | pop                 esi
            //   8083c65df85f80       | add                 byte ptr [ebx + 0x5ff85dc6], 0x80
            //   60                   | pushal              
            //   8061fc63             | and                 byte ptr [ecx - 4], 0x63
            //   8064ffdff1           | and                 byte ptr [edi + edi*8 - 0x21], 0xf1

        // 64 5b carries an fs: prefix and f2 57 a repne prefix; both prefix
        // bytes are matched even though the listing shows the bare mnemonic.
        $sequence_10 = { b567 8110932238ba 81f82f2437b0 645b f257 326640 b117 }
            // n = 7, score = 100
            //   b567                 | mov                 ch, 0x67
            //   8110932238ba         | adc                 dword ptr [eax], 0xba382293
            //   81f82f2437b0         | cmp                 eax, 0xb037242f
            //   645b                 | pop                 ebx
            //   f257                 | push                edi
            //   326640               | xor                 ah, byte ptr [esi + 0x40]
            //   b117                 | mov                 cl, 0x17

        $sequence_11 = { 68b890e66c 195039 d0f1 1e }
            // n = 4, score = 100
            //   68b890e66c           | push                0x6ce690b8
            //   195039               | sbb                 dword ptr [eax + 0x39], edx
            //   d0f1                 | sal                 cl, 1
            //   1e                   | push                ds

        $sequence_12 = { 9c 5c 4d 79c7 4d e081 025c51c9 }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   5c                   | pop                 esp
            //   4d                   | dec                 ebp
            //   79c7                 | jns                 0xffffffc9
            //   4d                   | dec                 ebp
            //   e081                 | loopne              0xffffff83
            //   025c51c9             | add                 bl, byte ptr [ecx + edx*2 - 0x37]

        $sequence_13 = { 01a334a1f20b 19e4 1108 4e 10827e53f706 f9 850c2c }
            // n = 7, score = 100
            //   01a334a1f20b         | add                 dword ptr [ebx + 0xbf2a134], esp
            //   19e4                 | sbb                 esp, esp
            //   1108                 | adc                 dword ptr [eax], ecx
            //   4e                   | dec                 esi
            //   10827e53f706         | adc                 byte ptr [edx + 0x6f7537e], al
            //   f9                   | stc                 
            //   850c2c               | test                dword ptr [esp + ebp], ecx

        // 26 b6 96 carries an es: prefix that the listing does not print.
        $sequence_14 = { f60904 9c 26b696 7a19 }
            // n = 4, score = 100
            //   f60904               | test                byte ptr [ecx], 4
            //   9c                   | pushfd              
            //   26b696               | mov                 dh, 0x96
            //   7a19                 | jp                  0x1b

        // a2 ???????? is `mov [imm32], al` with the address wildcarded.
        $sequence_15 = { 0f11c1 7875 52 43 6b8ad456ed7902 a2???????? 6b89130a83d644 }
            // n = 7, score = 100
            //   0f11c1               | movups              xmm1, xmm0
            //   7875                 | js                  0x77
            //   52                   | push                edx
            //   43                   | inc                 ebx
            //   6b8ad456ed7902       | imul                ecx, dword ptr [edx + 0x79ed56d4], 2
            //   a2????????           |                     
            //   6b89130a83d644       | imul                ecx, dword ptr [ecx - 0x297cf5ed], 0x44

        $sequence_16 = { 30c2 01420f 9f d8682a 1f d204c6 06 }
            // n = 7, score = 100
            //   30c2                 | xor                 dl, al
            //   01420f               | add                 dword ptr [edx + 0xf], eax
            //   9f                   | lahf                
            //   d8682a               | fsubr               dword ptr [eax + 0x2a]
            //   1f                   | pop                 ds
            //   d204c6               | rol                 byte ptr [esi + eax*8], cl
            //   06                   | push                es

        // NOTE(review): `mov cs, ...` is not a valid instruction (it raises
        // #UD), so these bytes are almost certainly data, not code.
        $sequence_17 = { 8e4ec2 0c79 72c9 85cd 4f }
            // n = 5, score = 100
            //   8e4ec2               | mov                 cs, word ptr [esi - 0x3e]
            //   0c79                 | or                  al, 0x79
            //   72c9                 | jb                  0xffffffcb
            //   85cd                 | test                ebp, ecx
            //   4f                   | dec                 edi

        // NOTE(review): strictly increasing byte values (08 0a 0c 11 12 14
        // 15 16 17 18 1a 1b 1c 1f 21 26) read like a lookup table, not
        // instructions; treat the disassembly as incidental.
        $sequence_18 = { 080a 0c11 1214151617181a 1b1c1f 2126 }
            // n = 5, score = 100
            //   080a                 | or                  byte ptr [edx], cl
            //   0c11                 | or                  al, 0x11
            //   1214151617181a       | adc                 dl, byte ptr [edx + 0x1a181716]
            //   1b1c1f               | sbb                 ebx, dword ptr [edi + ebx]
            //   2126                 | and                 dword ptr [esi], esp

    condition:
        // At least 7 of the 19 sequences must be present, and the file must
        // be smaller than 8003584 bytes (~7.6 MiB). Because $sequence_1..4
        // overlap, a single hit on that byte run already supplies four of
        // the seven required matches.
        7 of them and filesize < 8003584
}