Octowave Loader (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.octowave (Back to overview)

Octowave Loader

VTCollection

Octowave Loader is a malware loader used to run other families of malware. This is often made up of an MSI or Inno Setup installer for a legitimate piece of software that has been trojanised to include a number of malicious DLLs which inevitably load and run malicious code often stored within a WAV file that is also delivered to an endpoint. In the wild this has been seen delivered through fake software installers and ClickFix / Fake Captcha campaigns. Families of malware deployed often include information stealers, NetSupport RAT, and potentially bots like Danabot.

References

2024-08-08 ⋅ Huntress Labs ⋅ Jai Minton
X
Octowave Loader

Yara Rules

[TLP:WHITE] win_octowave_auto (20260504 | Detects win.octowave.)

rule win_octowave_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.octowave."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f786c46d000000020000 7426 8d4bff 8bc5 0faf8ed46c0000 2bc1 83f80a }
            // n = 7, score = 100
            //   f786c46d000000020000     | test    dword ptr [esi + 0x6dc4], 0x200
            //   7426                 | je                  0x28
            //   8d4bff               | lea                 ecx, [ebx - 1]
            //   8bc5                 | mov                 eax, ebp
            //   0faf8ed46c0000       | imul                ecx, dword ptr [esi + 0x6cd4]
            //   2bc1                 | sub                 eax, ecx
            //   83f80a               | cmp                 eax, 0xa

        $sequence_1 = { ff7704 68???????? 56 e8???????? ff7708 68???????? 56 }
            // n = 7, score = 100
            //   ff7704               | push                dword ptr [edi + 4]
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff7708               | push                dword ptr [edi + 8]
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_2 = { f30f70c0d8 660f70c0d8 0f5405???????? 660f67c0 660f7e0413 660f6ec0 8d4104 }
            // n = 7, score = 100
            //   f30f70c0d8           | pshufhw             xmm0, xmm0, 0xd8
            //   660f70c0d8           | pshufd              xmm0, xmm0, 0xd8
            //   0f5405????????       |                     
            //   660f67c0             | packuswb            xmm0, xmm0
            //   660f7e0413           | movd                dword ptr [ebx + edx], xmm0
            //   660f6ec0             | movd                xmm0, eax
            //   8d4104               | lea                 eax, [ecx + 4]

        $sequence_3 = { ffd0 8b4710 83c418 8b4c241c 0fafc3 894f1c 5d }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]
            //   83c418               | add                 esp, 0x18
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   0fafc3               | imul                eax, ebx
            //   894f1c               | mov                 dword ptr [edi + 0x1c], ecx
            //   5d                   | pop                 ebp

        $sequence_4 = { ff5038 8b4d14 8bf0 8b01 ff5038 8bc8 8b450c }
            // n = 7, score = 100
            //   ff5038               | call                dword ptr [eax + 0x38]
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8bf0                 | mov                 esi, eax
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5038               | call                dword ptr [eax + 0x38]
            //   8bc8                 | mov                 ecx, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_5 = { f30f5dd0 0f28c2 f30f5fc1 f30f110410 8b44242c f30f5c1410 0f2f15???????? }
            // n = 7, score = 100
            //   f30f5dd0             | minss               xmm2, xmm0
            //   0f28c2               | movaps              xmm0, xmm2
            //   f30f5fc1             | maxss               xmm0, xmm1
            //   f30f110410           | movss               dword ptr [eax + edx], xmm0
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   f30f5c1410           | subss               xmm2, dword ptr [eax + edx]
            //   0f2f15????????       |                     

        $sequence_6 = { ff742470 ff742440 6a02 ff74245c ff74246c e8???????? 8bce }
            // n = 7, score = 100
            //   ff742470             | push                dword ptr [esp + 0x70]
            //   ff742440             | push                dword ptr [esp + 0x40]
            //   6a02                 | push                2
            //   ff74245c             | push                dword ptr [esp + 0x5c]
            //   ff74246c             | push                dword ptr [esp + 0x6c]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { f30f59c3 f30f1100 03c1 836dec01 75a7 8b750c 8b5d10 }
            // n = 7, score = 100
            //   f30f59c3             | mulss               xmm0, xmm3
            //   f30f1100             | movss               dword ptr [eax], xmm0
            //   03c1                 | add                 eax, ecx
            //   836dec01             | sub                 dword ptr [ebp - 0x14], 1
            //   75a7                 | jne                 0xffffffa9
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]

        $sequence_8 = { f30f5cc8 f30f10423c f30f59463c 83c640 f30f58d1 f30f5cd0 0f5ac2 }
            // n = 7, score = 100
            //   f30f5cc8             | subss               xmm1, xmm0
            //   f30f10423c           | movss               xmm0, dword ptr [edx + 0x3c]
            //   f30f59463c           | mulss               xmm0, dword ptr [esi + 0x3c]
            //   83c640               | add                 esi, 0x40
            //   f30f58d1             | addss               xmm2, xmm1
            //   f30f5cd0             | subss               xmm2, xmm0
            //   0f5ac2               | cvtps2pd            xmm0, xmm2

        $sequence_9 = { ff10 8d4c2408 e8???????? 8b442408 80780d00 74e0 8d4e04 }
            // n = 7, score = 100
            //   ff10                 | call                dword ptr [eax]
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   e8????????           |                     
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   80780d00             | cmp                 byte ptr [eax + 0xd], 0
            //   74e0                 | je                  0xffffffe2
            //   8d4e04               | lea                 ecx, [esi + 4]

    condition:
        7 of them and filesize < 7258112
}

[TLP:WHITE] win_octowave_w0 (20250411 | Detects resources embedded within Octowave Loader MSI installers)

rule win_octowave_w0 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects resources embedded within Octowave Loader MSI installers"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "05b025b8475c0acbc9a5d2cd13c15088a2fb452aa514d0636f145e1c4c93e6ee" 
        hash2 = "500462c4fb6e4d0545f04d63ef981d9611b578948e5cfd61d840ff8e2f206587" 
        hash3 = "5ee9e74605b0c26b39b111a89139d95423e54f7a54decf60c7552f45b8b60407" 
        hash4 = "76efc8c64654d8f2318cc513c0aaf0da612423b1715e867b4622712ba0b3926f" 
        hash5 = "c3e2af892b813f3dcba4d0970489652d6f195b7985dc98f08eaddca7727786f0" 
        hash6 = "d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6" 
        hash7 = "e93969a57ef2a7aee13a159cbf2015e2c8219d9153078e257b743d5cd90f05cb" 
        hash8 = "45984ae78d18332ecb33fe3371e5eb556c0db86f1d3ba8a835b72cd61a7eeecf" 
        id = "56685a0a-523d-4060-a008-aa28542cb85c" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings: 

        $string1 = "LaunchConditionsValidateProductIDProcessComponentsUnpublishFeaturesRemoveFilesRegisterUserRegisterProductInstalled OR PhysicalMemory >= 2048" ascii 
        $string2 = ".cab" ascii $string3 = ".wav" ascii 
        $string4 = ".dll" ascii $supporting1 = ".raw" ascii 
        $supporting2 = ".db" ascii 
        $supporting3 = ".pak" ascii 
        $supporting4 = ".bin" ascii 
        $supporting5 = ".bak" ascii 
        $supporting6 = ".dat" ascii 

    condition:
        (uint32(0) == 0xe011cfd0) and filesize < 200000KB and all of ($string*) and 1 of ($supporting*)
}

[TLP:WHITE] win_octowave_w1 (20250411 | Detects supporting file used by Octowave Loader containing hardcoded values)

rule win_octowave_w1 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects supporting file used by Octowave Loader containing hardcoded values"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "C4CBAA7E4521FA0ED9CC634C5E2BACBF41F46842CA4526B7904D98843A7E9DB9" 
        hash2 = "F5CFB2E634539D5DC7FFE202FFDC422EF7457100401BA1FBC21DD05558719865" 
        hash3 = "56F1967F7177C166386D864807CDF03D5BBD3F118A285CE67EA226D02E5CF58C" 
        hash4 = "11EE5AD8A81AE85E5B7DDF93ADF6EDD20DE8460C755BF0426DFCBC7F658D7E85" 
        hash5 = "D218B65493E4D9D85CBC2F7B608F4F7E501708014BC04AF27D33D995AA54A703" 
        hash6 = "0C112F9DFE27211B357C74F358D9C144EA10CC0D92D6420B8742B72A65562C5A" 
        id = "56685a0a-523d-4060-a008-aa28542cb85c" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings: 

        $unique_key = {1D 1C 1F 1E 01 01 03 02 05 04 07 06 09 D4 0E 0A 0D 0C 0F 0E 31 30 31 32 35 34 36 36 39 38 DC 3F 3D 3C 3E} // 1012546698 unknown unique identifier and surrounding bytes 
        $unique_string = "MLONqpsrutwvyx" 
        $unique_string2 = "A@CBEDGFIHKJMLONqpsrutwvyx" 

    condition:
        (uint16(0) != 0x5a4d) and filesize < 10000KB and all of them
}

Download all Yara Rules

Octowave Loader Propose Change

References

Yara Rules

Octowave Loader