win.stowaway (Back to overview)

STOWAWAY


According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several communication types, such as SSH and SOCKS5. The backdoor component supports file upload and download, a remote shell, and basic information gathering.

References
2023-03-28 ExaTrack ExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2022-12-15 Mandiant Mandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2021-03-18 Github (ph4ntonn) ph4ntonn
Github repository for STOWAWAY
STOWAWAY
Yara Rules
[TLP:WHITE] win_stowaway_auto (20230808 | Detects win.stowaway.)
// Auto-generated code-level signature for win.stowaway. Every string below is
// a short x86 opcode sequence chosen by YARA-Signator, so the rule matches on
// instruction bytes of unpacked/in-memory code, not on configuration,
// strings, or network indicators.
rule win_stowaway_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a raw x86 byte pattern. The "n" annotation is the
    // instruction count of the sequence and "score" is the signator's
    // selection score: $sequence_0..5 scored 300, $sequence_6..8 scored 200.
    // The per-byte comments are the disassembly of the pattern as selected.
    strings:
        $sequence_0 = { 8b07 09c0 743c 8b5f04 }
            // n = 4, score = 300
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   09c0                 | or                  eax, eax
            //   743c                 | je                  0x3e
            //   8b5f04               | mov                 ebx, dword ptr [edi + 4]

        $sequence_1 = { 09c0 7407 8903 83c304 ebe1 }
            // n = 5, score = 300
            //   09c0                 | or                  eax, eax
            //   7407                 | je                  9
            //   8903                 | mov                 dword ptr [ebx], eax
            //   83c304               | add                 ebx, 4
            //   ebe1                 | jmp                 0xffffffe3

        $sequence_2 = { 50 54 6a04 53 57 ffd5 8d879f010000 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   54                   | push                esp
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ffd5                 | call                ebp
            //   8d879f010000         | lea                 eax, [edi + 0x19f]

        $sequence_3 = { 89f9 57 48 f2ae 55 }
            // n = 5, score = 300
            //   89f9                 | mov                 ecx, edi
            //   57                   | push                edi
            //   48                   | dec                 eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   55                   | push                ebp

        $sequence_4 = { 8d879f010000 80207f 8060287f 58 50 }
            // n = 5, score = 300
            //   8d879f010000         | lea                 eax, [edi + 0x19f]
            //   80207f               | and                 byte ptr [eax], 0x7f
            //   8060287f             | and                 byte ptr [eax + 0x28], 0x7f
            //   58                   | pop                 eax
            //   50                   | push                eax

        $sequence_5 = { 95 8a07 47 08c0 74dc 89f9 57 }
            // n = 7, score = 300
            //   95                   | xchg                eax, ebp
            //   8a07                 | mov                 al, byte ptr [edi]
            //   47                   | inc                 edi
            //   08c0                 | or                  al, al
            //   74dc                 | je                  0xffffffde
            //   89f9                 | mov                 ecx, edi
            //   57                   | push                edi

        // NOTE(review): $sequence_6 and $sequence_8 are runs of consecutive
        // conditional-jump opcodes (0x76..0x7d) that all share the same 0xe8
        // displacement. That looks more like a byte table than executed code,
        // which may be why the signator scored them lower (200) - confirm
        // against the sample before weighting these two highly.
        $sequence_6 = { 76e8 77e8 78e8 79e8 }
            // n = 4, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea

        // The a3 opcode is "mov [imm32], eax"; its 4-byte absolute address
        // operand is wildcarded (????????), presumably because that address
        // differs between samples/builds - verify if tightening the pattern.
        $sequence_7 = { 8a7cbe46 a3???????? 4e fb b501 }
            // n = 5, score = 200
            //   8a7cbe46             | mov                 bh, byte ptr [esi + edi*4 + 0x46]
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1

        $sequence_8 = { 78e8 79e8 7ae8 ce f67be8 7ce8 7de8 }
            // n = 7, score = 200
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea
            //   7de8                 | jge                 0xffffffea

    // Any 7 of the 9 sequences must be present, so two sequences may be
    // missing (e.g. the two lower-scored ones) and the rule still fires.
    // The filesize bound (8003584 bytes, just under 8 MB) caps the files the
    // rule is applied to; it is presumably derived from the reference sample
    // size rather than a property of the family - confirm before relying on it
    // for larger or memory-dumped artifacts.
    condition:
        7 of them and filesize < 8003584
}