STOWAWAY (Malware Family)

STOWAWAY

VTCollection

According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering.

References

2025-09-17 ⋅ Bitdefender ⋅ Bogdan Zavadovschi
EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
STOWAWAY

2025-05-27 ⋅ Trend Micro ⋅ Joseph C Chen
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
BypassBoss Cobalt Strike JuicyPotato PULSEPACK STOWAWAY VShell Earth Lamia

2023-03-28 ⋅ ExaTrack ⋅ ExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY

2022-12-15 ⋅ Mandiant ⋅ Mandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY

2021-03-18 ⋅ Github (ph4ntonn) ⋅ ph4ntonn
Github repository for STOWAWAY
STOWAWAY

Yara Rules

[TLP:WHITE] win_stowaway_auto (20251219 | Detects win.stowaway.)

rule win_stowaway_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 76e8 77e8 78e8 79e8 }
            // n = 4, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea

        $sequence_1 = { 78e8 79e8 7ae8 ce f67be8 }
            // n = 5, score = 200
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]

        $sequence_2 = { ce f67be8 7ce8 7de8 }
            // n = 4, score = 200
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea
            //   7de8                 | jge                 0xffffffea

        $sequence_3 = { a3???????? 4e fb b501 }
            // n = 4, score = 200
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1

        $sequence_4 = { 751e 53 2661 6d b040 3d1db5094f }
            // n = 6, score = 100
            //   751e                 | jne                 0x20
            //   53                   | push                ebx
            //   2661                 | popal               
            //   6d                   | insd                dword ptr es:[edi], dx
            //   b040                 | mov                 al, 0x40
            //   3d1db5094f           | cmp                 eax, 0x4f09b51d

        $sequence_5 = { 2a37 e394 5e b5a9 0e 2cc6 ec }
            // n = 7, score = 100
            //   2a37                 | sub                 dh, byte ptr [edi]
            //   e394                 | jecxz               0xffffff96
            //   5e                   | pop                 esi
            //   b5a9                 | mov                 ch, 0xa9
            //   0e                   | push                cs
            //   2cc6                 | sub                 al, 0xc6
            //   ec                   | in                  al, dx

        $sequence_6 = { 5b 6b5e045f aa 43 9a7f6eb1f75c72 7f30 fa }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   6b5e045f             | imul                ebx, dword ptr [esi + 4], 0x5f
            //   aa                   | stosb               byte ptr es:[edi], al
            //   43                   | inc                 ebx
            //   9a7f6eb1f75c72       | lcall               0x725c:0xf7b16e7f
            //   7f30                 | jg                  0x32
            //   fa                   | cli                 

        $sequence_7 = { 50 91 3e06 48 52 2692 4e }
            // n = 7, score = 100
            //   50                   | push                eax
            //   91                   | xchg                eax, ecx
            //   3e06                 | push                es
            //   48                   | dec                 eax
            //   52                   | push                edx
            //   2692                 | xchg                eax, edx
            //   4e                   | dec                 esi

        $sequence_8 = { 1b7f1c b567 8110932238ba 81f82f2437b0 645b f257 326640 }
            // n = 7, score = 100
            //   1b7f1c               | sbb                 edi, dword ptr [edi + 0x1c]
            //   b567                 | mov                 ch, 0x67
            //   8110932238ba         | adc                 dword ptr [eax], 0xba382293
            //   81f82f2437b0         | cmp                 eax, 0xb037242f
            //   645b                 | pop                 ebx
            //   f257                 | push                edi
            //   326640               | xor                 ah, byte ptr [esi + 0x40]

        $sequence_9 = { d4ff 57 ed 7a80 51 80534080 }
            // n = 6, score = 100
            //   d4ff                 | aam                 0xff
            //   57                   | push                edi
            //   ed                   | in                  eax, dx
            //   7a80                 | jp                  0xffffff82
            //   51                   | push                ecx
            //   80534080             | adc                 byte ptr [ebx + 0x40], 0x80

        $sequence_10 = { 99 0039 801002 3900 99 }
            // n = 5, score = 100
            //   99                   | cdq                 
            //   0039                 | add                 byte ptr [ecx], bh
            //   801002               | adc                 byte ptr [eax], 2
            //   3900                 | cmp                 dword ptr [eax], eax
            //   99                   | cdq                 

        $sequence_11 = { e774 5b 004f49 5c }
            // n = 4, score = 100
            //   e774                 | out                 0x74, eax
            //   5b                   | pop                 ebx
            //   004f49               | add                 byte ptr [edi + 0x49], cl
            //   5c                   | pop                 esp

        $sequence_12 = { 8d843000a03b00 01f3 50 83c708 }
            // n = 4, score = 100
            //   8d843000a03b00       | lea                 eax, [eax + esi + 0x3ba000]
            //   01f3                 | add                 ebx, esi
            //   50                   | push                eax
            //   83c708               | add                 edi, 8

        $sequence_13 = { 777c 7781 7782 7783 7786 7787 }
            // n = 6, score = 100
            //   777c                 | ja                  0x7e
            //   7781                 | ja                  0xffffff83
            //   7782                 | ja                  0xffffff84
            //   7783                 | ja                  0xffffff85
            //   7786                 | ja                  0xffffff88
            //   7787                 | ja                  0xffffff89

        $sequence_14 = { 3c77 0c35 f20b18 40 }
            // n = 4, score = 100
            //   3c77                 | cmp                 al, 0x77
            //   0c35                 | or                  al, 0x35
            //   f20b18               | or                  ebx, dword ptr [eax]
            //   40                   | inc                 eax

        $sequence_15 = { f3676d 51 99 9f 4b 8099543c7bbf7a }
            // n = 6, score = 100
            //   f3676d               | rep insd            dword ptr es:[di], dx
            //   51                   | push                ecx
            //   99                   | cdq                 
            //   9f                   | lahf                
            //   4b                   | dec                 ebx
            //   8099543c7bbf7a       | sbb                 byte ptr [ecx - 0x4084c3ac], 0x7a

        $sequence_16 = { a5 ed 91 34cf }
            // n = 4, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   ed                   | in                  eax, dx
            //   91                   | xchg                eax, ecx
            //   34cf                 | xor                 al, 0xcf

        $sequence_17 = { 60 41 69e038173794 6c 5c d10f }
            // n = 6, score = 100
            //   60                   | pushal              
            //   41                   | inc                 ecx
            //   69e038173794         | imul                esp, eax, 0x94371738
            //   6c                   | insb                byte ptr es:[edi], dx
            //   5c                   | pop                 esp
            //   d10f                 | ror                 dword ptr [edi], 1

        $sequence_18 = { d7 80cf73 c9 f0f3f9 }
            // n = 4, score = 100
            //   d7                   | xlatb               
            //   80cf73               | or                  bh, 0x73
            //   c9                   | leave               
            //   f0f3f9               | stc                 

        $sequence_19 = { a4 49 07 04bc 3c2f }
            // n = 5, score = 100
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   49                   | dec                 ecx
            //   07                   | pop                 es
            //   04bc                 | add                 al, 0xbc
            //   3c2f                 | cmp                 al, 0x2f

    condition:
        7 of them and filesize < 8003584
}

Download all Yara Rules

STOWAWAY Propose Change

References

Yara Rules

STOWAWAY