win.stowaway

STOWAWAY


According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several communication types, such as SSH and SOCKS5. The backdoor component supports file upload and download, a remote shell, and basic information gathering.

References
2023-03-28 — ExaTrack
@online{exatrack:20230328:mlofe:6ca8f29, author = {ExaTrack}, title = {{Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts}}, date = {2023-03-28}, organization = {ExaTrack}, url = {https://blog.exatrack.com/melofee/}, language = {English}, urldate = {2023-03-29} } Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2022-12-15 — Mandiant
@online{mandiant:20221215:trojanized:07a1d55, author = {Mandiant}, title = {{Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government}}, date = {2022-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government}, language = {English}, urldate = {2022-12-20} } Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2021-03-18 — Github (ph4ntonn)
@online{ph4ntonn:20210318:github:37ed28b, author = {ph4ntonn}, title = {{Github repository for STOWAWAY}}, date = {2021-03-18}, organization = {Github (ph4ntonn)}, url = {https://github.com/ph4ntonn/Stowaway}, language = {English}, urldate = {2022-12-20} } Github repository for STOWAWAY
STOWAWAY
Yara Rules
[TLP:WHITE] win_stowaway_auto (20230715 | Detects win.stowaway.)
/*
 * Auto-generated YARA rule for win.stowaway (STOWAWAY, the publicly
 * available backdoor/proxy described above). Each $sequence_N below is a
 * short run of x86 opcode bytes lifted from the disassembly of documented
 * samples. The "n = .., score = .." comment on every string is emitted by
 * the generator: n is the number of instructions in the sequence and score
 * is the generator's own ranking of it.
 */
rule win_stowaway_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_5 carry score 300, $sequence_6 .. $sequence_8
        // score 200. The score is informational only: the condition below
        // counts every string equally, so a hit on a score-200 sequence
        // contributes exactly as much as a hit on a score-300 one.
        $sequence_0 = { 8d879f010000 80207f 8060287f 58 50 }
            // n = 5, score = 300
            //   8d879f010000         | lea                 eax, [edi + 0x19f]
            //   80207f               | and                 byte ptr [eax], 0x7f
            //   8060287f             | and                 byte ptr [eax + 0x28], 0x7f
            //   58                   | pop                 eax
            //   50                   | push                eax

        $sequence_1 = { 8b07 09c0 743c 8b5f04 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   09c0                 | or                  eax, eax
            //   743c                 | je                  0x3e
            //   8b5f04               | mov                 ebx, dword ptr [edi + 4]

        $sequence_2 = { 47 08c0 74dc 89f9 57 48 }
            // n = 6, score = 300
            //   47                   | inc                 edi
            //   08c0                 | or                  al, al
            //   74dc                 | je                  0xffffffde
            //   89f9                 | mov                 ecx, edi
            //   57                   | push                edi
            //   48                   | dec                 eax

        // Shares the lea eax, [edi + 0x19f] instruction with $sequence_0;
        // the two can therefore overlap on the same code region.
        $sequence_3 = { 53 57 ffd5 8d879f010000 }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ffd5                 | call                ebp
            //   8d879f010000         | lea                 eax, [edi + 0x19f]

        $sequence_4 = { 57 48 f2ae 55 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   48                   | dec                 eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   55                   | push                ebp

        $sequence_5 = { 09c0 7407 8903 83c304 }
            // n = 4, score = 300
            //   09c0                 | or                  eax, eax
            //   7407                 | je                  9
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83c304               | add                 ebx, 4

        $sequence_6 = { 7ae8 ce f67be8 7ce8 }
            // n = 4, score = 200
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea

        // The a3 opcode is followed by a 4-byte wildcard (????), so the
        // absolute operand of that instruction is not part of the match.
        $sequence_7 = { a3???????? 4e fb b501 2a37 }
            // n = 5, score = 200
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1
            //   2a37                 | sub                 dh, byte ptr [edi]

        // NOTE(review): five consecutive short conditional jumps that all use
        // the displacement byte 0xe8 — a highly regular byte run, which the
        // generator ranked at the lower score of 200.
        $sequence_8 = { 76e8 77e8 78e8 79e8 7ae8 }
            // n = 5, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea

    condition:
        // Both clauses must hold: at least 7 of the 9 $sequence_N strings
        // match AND the scanned file is smaller than 8003584 bytes. Because
        // the clauses are AND-ed, a sample larger than that bound is never
        // flagged even if every sequence is present (e.g. a padded or
        // bundled build), and the rule offers no signal for files of that
        // size. NOTE(review): filesize is a file-scan notion; confirm how the
        // YARA version in use treats it when scanning process memory.
        7 of them and filesize < 8003584
}