win.octowave

Octowave Loader


Octowave Loader is a malware loader used to run other families of malware. It typically consists of an MSI or Inno Setup installer for a legitimate piece of software that has been trojanised to include a number of malicious DLLs, which ultimately load and run malicious code that is often stored within a WAV file delivered to the endpoint alongside the installer. In the wild it has been seen delivered through fake software installers and ClickFix / fake-captcha campaigns. The malware families deployed often include information stealers, NetSupport RAT, and potentially bots such as Danabot.

References
2024-08-08 | Huntress Labs | Jai Minton
X
Octowave Loader
Yara Rules
[TLP:WHITE] win_octowave_auto (20251219 | Detects win.octowave.)
rule win_octowave_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.octowave."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N below is a run of seven x86 (32-bit) instruction
     * encodings taken from the disassembly shown in the comments next to it.
     * Bytes written as ?? are wildcards: the e8 (call) opcodes have their
     * rel32 target wildcarded, and the f30f1015 (movss from a disp32 address)
     * has its displacement wildcarded, so the pattern is not tied to one
     * particular address layout. The "n = 7, score = 100" lines are generator
     * bookkeeping: instruction count and the generator's own ranking.
     */

    strings:
        $sequence_0 = { fecb 889c24c0000000 8b9c244c010000 85db 7529 8d9c242c010000 8d7b01 }
            // n = 7, score = 100
            //   fecb                 | dec                 bl
            //   889c24c0000000       | mov                 byte ptr [esp + 0xc0], bl
            //   8b9c244c010000       | mov                 ebx, dword ptr [esp + 0x14c]
            //   85db                 | test                ebx, ebx
            //   7529                 | jne                 0x2b
            //   8d9c242c010000       | lea                 ebx, [esp + 0x12c]
            //   8d7b01               | lea                 edi, [ebx + 1]

        $sequence_1 = { ff86201b0000 8b86201b0000 c684302013000000 83ef01 75d3 8b5c2414 85d2 }
            // n = 7, score = 100
            //   ff86201b0000         | inc                 dword ptr [esi + 0x1b20]
            //   8b86201b0000         | mov                 eax, dword ptr [esi + 0x1b20]
            //   c684302013000000     | mov                 byte ptr [eax + esi + 0x1320], 0
            //   83ef01               | sub                 edi, 1
            //   75d3                 | jne                 0xffffffd5
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   85d2                 | test                edx, edx

        $sequence_2 = { ff742450 56 e8???????? 83c408 85c0 0f850a040000 83cb10 }
            // n = 7, score = 100
            //   ff742450             | push                dword ptr [esp + 0x50]
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f850a040000         | jne                 0x410
            //   83cb10               | or                  ebx, 0x10

        $sequence_3 = { 8d4f02 51 56 e8???????? 83c408 5f 8bc6 }
            // n = 7, score = 100
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        $sequence_4 = { ff742418 2bf5 ff742424 8b04b568022110 ffd0 8b7c241c 83c40c }
            // n = 7, score = 100
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   2bf5                 | sub                 esi, ebp
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   8b04b568022110       | mov                 eax, dword ptr [esi*4 + 0x10210268]
            //   ffd0                 | call                eax
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { ff7500 50 e8???????? 83c408 837db800 750a f30f1015???????? }
            // n = 7, score = 100
            //   ff7500               | push                dword ptr [ebp]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837db800             | cmp                 dword ptr [ebp - 0x48], 0
            //   750a                 | jne                 0xc
            //   f30f1015????????     |                     

        $sequence_6 = { f30f5cc8 f30f1041e8 f30f594714 f30f5cc8 f30f1041e4 f30f594718 f30f5cc8 }
            // n = 7, score = 100
            //   f30f5cc8             | subss               xmm1, xmm0
            //   f30f1041e8           | movss               xmm0, dword ptr [ecx - 0x18]
            //   f30f594714           | mulss               xmm0, dword ptr [edi + 0x14]
            //   f30f5cc8             | subss               xmm1, xmm0
            //   f30f1041e4           | movss               xmm0, dword ptr [ecx - 0x1c]
            //   f30f594718           | mulss               xmm0, dword ptr [edi + 0x18]
            //   f30f5cc8             | subss               xmm1, xmm0

        $sequence_7 = { f76b14 03f8 8b4560 13ca f76b18 03f8 8b455c }
            // n = 7, score = 100
            //   f76b14               | imul                dword ptr [ebx + 0x14]
            //   03f8                 | add                 edi, eax
            //   8b4560               | mov                 eax, dword ptr [ebp + 0x60]
            //   13ca                 | adc                 ecx, edx
            //   f76b18               | imul                dword ptr [ebx + 0x18]
            //   03f8                 | add                 edi, eax
            //   8b455c               | mov                 eax, dword ptr [ebp + 0x5c]

        $sequence_8 = { ff5004 48 8bcf 50 ff560c 8b17 8bcf }
            // n = 7, score = 100
            //   ff5004               | call                dword ptr [eax + 4]
            //   48                   | dec                 eax
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   ff560c               | call                dword ptr [esi + 0xc]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8bcf                 | mov                 ecx, edi

        $sequence_9 = { ff74241c 8b4608 8b4e04 48 f20f1044242c 23c2 6a00 }
            // n = 7, score = 100
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   48                   | dec                 eax
            //   f20f1044242c         | movsd               xmm0, qword ptr [esp + 0x2c]
            //   23c2                 | and                 eax, edx
            //   6a00                 | push                0

    condition:
        // Any 7 of the 10 sequences must be present. The size cap is
        // 7258112 bytes (about 6.9 MiB); note the rule has no header or
        // file-type check, so it is intended for unpacked code / memory
        // dumps as the disclaimer above describes.
        7 of them and filesize < 7258112
}
[TLP:WHITE] win_octowave_w0   (20250411 | Detects resources embedded within Octowave Loader MSI installers)
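rule win_octowave_w0 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects resources embedded within Octowave Loader MSI installers"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "05b025b8475c0acbc9a5d2cd13c15088a2fb452aa514d0636f145e1c4c93e6ee"
        hash2 = "500462c4fb6e4d0545f04d63ef981d9611b578948e5cfd61d840ff8e2f206587"
        hash3 = "5ee9e74605b0c26b39b111a89139d95423e54f7a54decf60c7552f45b8b60407"
        hash4 = "76efc8c64654d8f2318cc513c0aaf0da612423b1715e867b4622712ba0b3926f"
        hash5 = "c3e2af892b813f3dcba4d0970489652d6f195b7985dc98f08eaddca7727786f0"
        hash6 = "d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6"
        hash7 = "e93969a57ef2a7aee13a159cbf2015e2c8219d9153078e257b743d5cd90f05cb"
        hash8 = "45984ae78d18332ecb33fe3371e5eb556c0db86f1d3ba8a835b72cd61a7eeecf"
        id = "56685a0a-523d-4060-a008-aa28542cb85c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Targets the trojanised MSI installer itself (not the unpacked payload):
     * a Compound File container that carries the installer table text below
     * together with the file extensions of the embedded resources.
     */

    strings:
        // Looks like a run of standard Windows Installer action names
        // (LaunchConditions ... RegisterProduct) followed by a launch-condition
        // expression, as it appears in the samples listed in hash1..hash8.
        $string1 = "LaunchConditionsValidateProductIDProcessComponentsUnpublishFeaturesRemoveFilesRegisterUserRegisterProductInstalled OR PhysicalMemory >= 2048" ascii
        // Extensions of the resources the loader ships inside the installer:
        // the cabinet, the WAV carrying the malicious code, and a DLL.
        // These are common on their own; all four are required together.
        $string2 = ".cab" ascii
        $string3 = ".wav" ascii
        $string4 = ".dll" ascii
        // Extensions of additional support files; any one of them suffices.
        $supporting1 = ".raw" ascii
        $supporting2 = ".db" ascii
        $supporting3 = ".pak" ascii
        $supporting4 = ".bin" ascii
        $supporting5 = ".bak" ascii
        $supporting6 = ".dat" ascii

    condition:
        // 0xe011cfd0 is the little-endian read of the Compound File Binary
        // (OLE2) signature bytes D0 CF 11 E0 -- the container format used by
        // MSI packages. This check, the size cap and the conjunction of all
        // $string* keep the very generic extension strings from matching alone.
        (uint32(0) == 0xe011cfd0) and filesize < 200000KB and all of ($string*) and 1 of ($supporting*)
}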
[TLP:WHITE] win_octowave_w1   (20250411 | Detects supporting file used by Octowave Loader containing hardcoded values)
rule win_octowave_w1 {

    meta:
        author = "Jai Minton (@CyberRaiju) - HuntressLabs"
        date = "2025-03-28"
        version = "1"
        description = "Detects supporting file used by Octowave Loader containing hardcoded values"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        yt_reference = "https://www.youtube.com/watch?v=NiNIbkiuExU"
        reference = "https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19"
        hash1 = "C4CBAA7E4521FA0ED9CC634C5E2BACBF41F46842CA4526B7904D98843A7E9DB9"
        hash2 = "F5CFB2E634539D5DC7FFE202FFDC422EF7457100401BA1FBC21DD05558719865"
        hash3 = "56F1967F7177C166386D864807CDF03D5BBD3F118A285CE67EA226D02E5CF58C"
        hash4 = "11EE5AD8A81AE85E5B7DDF93ADF6EDD20DE8460C755BF0426DFCBC7F658D7E85"
        hash5 = "D218B65493E4D9D85CBC2F7B608F4F7E501708014BC04AF27D33D995AA54A703"
        hash6 = "0C112F9DFE27211B357C74F358D9C144EA10CC0D92D6420B8742B72A65562C5A"
        id = "56685a0a-523d-4060-a008-aa28542cb85c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave"
        malpedia_rule_date = "20250411"
        malpedia_hash = ""
        malpedia_version = "20250411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Targets the non-PE support file dropped next to the loader, which
     * carries hard-coded values the loader reads. The samples behind these
     * values are listed in hash1..hash6.
     */

    strings:
        // 35-byte sequence holding the ASCII digits "1012546698"
        // (31 30 31 32 35 34 36 36 39 38) and the bytes around them; what
        // this identifier means is not known.
        $unique_key = {1D 1C 1F 1E 01 01 03 02 05 04 07 06 09 D4 0E 0A 0D 0C 0F 0E 31 30 31 32 35 34 36 36 39 38 DC 3F 3D 3C 3E}
        // Both strings look like runs of consecutive ASCII characters with
        // each byte pair exchanged ("pqrstuvwxy" -> "qpsrutwvyx"); the shorter
        // one is a suffix of the longer, so it matches whenever the longer does.
        $unique_string = "MLONqpsrutwvyx"
        $unique_string2 = "A@CBEDGFIHKJMLONqpsrutwvyx"

    condition:
        // Must not start with an MZ header (i.e. not a PE), stay under the
        // size cap, and contain every string declared above.
        uint16(0) != 0x5a4d
        and filesize < 10000KB
        and $unique_key
        and $unique_string
        and $unique_string2
}