win.stowaway

STOWAWAY


According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication, such as SSH and SOCKS5. The backdoor component supports file upload and download, a remote shell, and basic information gathering.

References
2023-03-28ExaTrackExaTrack
@online{exatrack:20230328:mlofe:6ca8f29, author = {ExaTrack}, title = {{Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts}}, date = {2023-03-28}, organization = {ExaTrack}, url = {https://blog.exatrack.com/melofee/}, language = {English}, urldate = {2023-03-29} } Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2022-12-15MandiantMandiant
@online{mandiant:20221215:trojanized:07a1d55, author = {Mandiant}, title = {{Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government}}, date = {2022-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government}, language = {English}, urldate = {2022-12-20} } Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2021-03-18Github (ph4ntonn)ph4ntonn
@online{ph4ntonn:20210318:github:37ed28b, author = {ph4ntonn}, title = {{Github repository for STOWAWAY}}, date = {2021-03-18}, organization = {Github (ph4ntonn)}, url = {https://github.com/ph4ntonn/Stowaway}, language = {English}, urldate = {2022-12-20} } Github repository for STOWAWAY
STOWAWAY
Yara Rules
[TLP:WHITE] win_stowaway_auto (20230125 | Detects win.stowaway.)
rule win_stowaway_auto {
    // Auto-generated detection rule for win.stowaway (see meta below). The
    // strings are short raw byte sequences lifted from disassembly of a
    // reference sample; the paired comments show how each byte run decodes.
    // The rule fires on 7 of the 15 sequences plus a file-size bound, so it
    // is a code/data-pattern match rather than a behavioural indicator.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "// n = N, score = S" line is emitted by yara-signator: n is the
        // number of instructions in the sequence; score is the generator's own
        // ranking (sequences 0-9 carry 200, 10-14 carry 100) — presumably a
        // selectivity measure, confirm against the yara-signator docs.
        //
        // NOTE(review): sequences 0, 1 and 9 are runs of ascending bytes
        // (76 77 78 79 7a ...) each followed by e8, which the disassembler
        // renders as consecutive conditional jumps to the same target. That
        // shape looks like a constant table rather than executable code, so
        // these matches should be treated as data-pattern hits whose
        // stability across other builds is unverified.
        $sequence_0 = { 7ae8 ce f67be8 7ce8 7de8 7ee8 }
            // n = 6, score = 200
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea
            //   7de8                 | jge                 0xffffffea
            //   7ee8                 | jle                 0xffffffea

        $sequence_1 = { 78e8 79e8 7ae8 ce }
            // n = 4, score = 200
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                

        $sequence_2 = { 4e fb b501 2a37 }
            // n = 4, score = 200
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1
            //   2a37                 | sub                 dh, byte ptr [edi]

        $sequence_3 = { 6c 37 91 8aa732280c0a d4ab 2dfbff8f44 }
            // n = 6, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   37                   | aaa                 
            //   91                   | xchg                eax, ecx
            //   8aa732280c0a         | mov                 ah, byte ptr [edi + 0xa0c2832]
            //   d4ab                 | aam                 0xab
            //   2dfbff8f44           | sub                 eax, 0x448ffffb

        $sequence_4 = { f9 ffb31599e660 92 677fd9 }
            // n = 4, score = 200
            //   f9                   | stc                 
            //   ffb31599e660         | push                dword ptr [ebx + 0x60e69915]
            //   92                   | xchg                eax, edx
            //   677fd9               | jg                  0xffffffdc

        $sequence_5 = { 6c 51 3f 328f0cc916f9 }
            // n = 4, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   51                   | push                ecx
            //   3f                   | aas                 
            //   328f0cc916f9         | xor                 cl, byte ptr [edi - 0x6e936f4]

        // The "????" bytes below are YARA wildcards: the generator masked an
        // operand (presumably an absolute address that differs per build),
        // which is why the disassembly column for that instruction is blank.
        $sequence_6 = { 8a7cbe46 a3???????? 4e fb }
            // n = 4, score = 200
            //   8a7cbe46             | mov                 bh, byte ptr [esi + edi*4 + 0x46]
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 

        $sequence_7 = { 11cd 99 4a fb }
            // n = 4, score = 200
            //   11cd                 | adc                 ebp, ecx
            //   99                   | cdq                 
            //   4a                   | dec                 edx
            //   fb                   | sti                 

        // Overlaps $sequence_5 ("3f 328f0cc916f9") and $sequence_4
        // ("f9 ffb31599e660"): these three strings cover one contiguous byte
        // run and will tend to match or miss together.
        $sequence_8 = { 3f 328f0cc916f9 f9 ffb31599e660 }
            // n = 4, score = 200
            //   3f                   | aas                 
            //   328f0cc916f9         | xor                 cl, byte ptr [edi - 0x6e936f4]
            //   f9                   | stc                 
            //   ffb31599e660         | push                dword ptr [ebx + 0x60e69915]

        $sequence_9 = { 76e8 77e8 78e8 79e8 }
            // n = 4, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea

        $sequence_10 = { c9 6239 bc3a929349 9e }
            // n = 4, score = 100
            //   c9                   | leave               
            //   6239                 | bound               edi, qword ptr [ecx]
            //   bc3a929349           | mov                 esp, 0x4993923a
            //   9e                   | sahf                

        // Second wildcarded operand; see the note on $sequence_6.
        $sequence_11 = { 855c5007 2e20ed 108201178104 6748 010d???????? 0185f9852a18 b082 }
            // n = 7, score = 100
            //   855c5007             | test                dword ptr [eax + edx*2 + 7], ebx
            //   2e20ed               | and                 ch, ch
            //   108201178104         | adc                 byte ptr [edx + 0x4811701], al
            //   6748                 | dec                 eax
            //   010d????????         |                     
            //   0185f9852a18         | add                 dword ptr [ebp + 0x182a85f9], eax
            //   b082                 | mov                 al, 0x82

        $sequence_12 = { e0ff 2e1c43 1c56 186111 040f 1f e452 }
            // n = 7, score = 100
            //   e0ff                 | loopne              1
            //   2e1c43               | sbb                 al, 0x43
            //   1c56                 | sbb                 al, 0x56
            //   186111               | sbb                 byte ptr [ecx + 0x11], ah
            //   040f                 | add                 al, 0xf
            //   1f                   | pop                 ds
            //   e452                 | in                  al, 0x52

        $sequence_13 = { a8e0 ad aa bb0139e080 3a06 08e7 02144c }
            // n = 7, score = 100
            //   a8e0                 | test                al, 0xe0
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   aa                   | stosb               byte ptr es:[edi], al
            //   bb0139e080           | mov                 ebx, 0x80e03901
            //   3a06                 | cmp                 al, byte ptr [esi]
            //   08e7                 | or                  bh, ah
            //   02144c               | add                 dl, byte ptr [esp + ecx*2]

        $sequence_14 = { 06 182424 0e 0a4314 }
            // n = 4, score = 100
            //   06                   | push                es
            //   182424               | sbb                 byte ptr [esp], ah
            //   0e                   | push                cs
            //   0a4314               | or                  al, byte ptr [ebx + 0x14]

    condition:
        // Any 7 of the 15 $sequence_* strings, and the scanned object must be
        // smaller than 8003584 bytes (~7.6 MiB). The size bound is derived
        // from the reference sample; a repacked or differently built binary
        // above it is excluded regardless of string hits. NOTE(review): YARA's
        // filesize is not defined for process-memory scans, so this rule is
        // presumably meant for on-disk files and dumps — confirm before
        // deploying it in a memory-scanning pipeline.
        7 of them and filesize < 8003584
}