win.stowaway

STOWAWAY


According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several communication types, such as SSH and SOCKS5. The backdoor component supports file upload and download, a remote shell, and basic information gathering.

References
2026-05-05 | Cisco Talos | Asheer Malhotra, Brandon White, Jungsoo An
UAT-8302 and its box full of malware
SNOWLIGHT DracuLoader FINALDRAFT SNAPPYBEE STOWAWAY VShell UAT-8302
2025-09-17 | Bitdefender | Bogdan Zavadovschi
EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
STOWAWAY
2025-05-27 | Trend Micro | Joseph C Chen
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
BypassBoss Cobalt Strike JuicyPotato PULSEPACK STOWAWAY VShell Earth Lamia
2023-03-28 | ExaTrack | ExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2022-12-15 | Mandiant | Mandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2021-03-18 | Github (ph4ntonn) | ph4ntonn
Github repository for STOWAWAY
STOWAWAY
Yara Rules
[TLP:WHITE] win_stowaway_auto (20260504 | Detects win.stowaway.)
rule win_stowaway_auto {

    /* Purpose: byte-sequence signature for win.stowaway (the STOWAWAY
     * backdoor/proxy, 32-bit x86 Windows build), generated by yara-signator.
     * The sequences were selected automatically (see DISCLAIMER below); the
     * review notes in the strings section point out which ones look like
     * data rather than code and how that affects the condition's strength.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.stowaway."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        // Provenance metadata as published by Malpedia (TLP:WHITE, CC BY-SA 4.0).
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence annotations below, "n" is the number of instructions
        // in the sequence and "score" is yara-signator's own ranking of it. Neither
        // value is referenced by the condition; only the hex patterns matter.

        // The 4-byte wildcard masks the absolute address operand of a3
        // (mov [imm32], eax), so this sequence is tolerant of relocation/rebasing.
        $sequence_0 = { 8a7cbe46 a3???????? 4e fb b501 }
            // n = 5, score = 200
            //   8a7cbe46             | mov                 bh, byte ptr [esi + edi*4 + 0x46]
            //   a3????????           |                     
            //   4e                   | dec                 esi
            //   fb                   | sti                 
            //   b501                 | mov                 ch, 1

        // NOTE(review): $sequence_1 .. $sequence_4 are overlapping windows over one
        // contiguous byte run (76e8 77e8 78e8 79e8 7ae8 ce f67be8 7ce8 7de8 7ee8):
        // ascending byte values interleaved with e8, which decode mostly as a series
        // of conditional jumps to the same target (0xffffffea). That shape looks more
        // like a data table than executed code, and one such region can satisfy four
        // of the seven matches the condition requires. Weigh these four accordingly.
        $sequence_1 = { f67be8 7ce8 7de8 7ee8 }
            // n = 4, score = 200
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea
            //   7de8                 | jge                 0xffffffea
            //   7ee8                 | jle                 0xffffffea

        $sequence_2 = { 78e8 79e8 7ae8 ce }
            // n = 4, score = 200
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                

        $sequence_3 = { 76e8 77e8 78e8 79e8 }
            // n = 4, score = 200
            //   76e8                 | jbe                 0xffffffea
            //   77e8                 | ja                  0xffffffea
            //   78e8                 | js                  0xffffffea
            //   79e8                 | jns                 0xffffffea

        $sequence_4 = { 7ae8 ce f67be8 7ce8 }
            // n = 4, score = 200
            //   7ae8                 | jp                  0xffffffea
            //   ce                   | into                
            //   f67be8               | idiv                byte ptr [ebx - 0x18]
            //   7ce8                 | jl                  0xffffffea

        // NOTE(review): $sequence_5 and $sequence_6 address memory through esi plus
        // fixed offsets (0x3a9000, 0x3ba000, 0x3ba034) and use a 0x1000 page-size
        // constant. This shape resembles a generic unpacker/loader stub rather than
        // family-specific logic; if so, these two could also occur in unrelated
        // packed binaries. Confirm against the sample before relying on them alone.
        $sequence_5 = { e2d9 8dbe00903a00 8b07 09c0 743c 8b5f04 8d843000a03b00 }
            // n = 7, score = 100
            //   e2d9                 | loop                0xffffffdb
            //   8dbe00903a00         | lea                 edi, [esi + 0x3a9000]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   09c0                 | or                  eax, eax
            //   743c                 | je                  0x3e
            //   8b5f04               | mov                 ebx, dword ptr [edi + 4]
            //   8d843000a03b00       | lea                 eax, [eax + esi + 0x3ba000]

        $sequence_6 = { 8bae34a03b00 8dbe00f0ffff bb00100000 50 }
            // n = 4, score = 100
            //   8bae34a03b00         | mov                 ebp, dword ptr [esi + 0x3ba034]
            //   8dbe00f0ffff         | lea                 edi, [esi - 0x1000]
            //   bb00100000           | mov                 ebx, 0x1000
            //   50                   | push                eax

        // NOTE(review): several of the score-100 sequences below decode to
        // instructions that make little sense in 32-bit user-mode code (push cs,
        // out dx, in al, arpl, insb, mov cs, push/pop of segment registers). That is
        // characteristic of byte runs lifted from data, tables or encrypted regions
        // rather than executed code, so they may be highly sample-specific, as the
        // DISCLAIMER above already warns.
        $sequence_7 = { 0e d8f4 ef 28f8 386849 }
            // n = 5, score = 100
            //   0e                   | push                cs
            //   d8f4                 | fdiv                st(4)
            //   ef                   | out                 dx, eax
            //   28f8                 | sub                 al, bh
            //   386849               | cmp                 byte ptr [eax + 0x49], ch

        $sequence_8 = { 5c 72e4 633e 6c e4e4 }
            // n = 5, score = 100
            //   5c                   | pop                 esp
            //   72e4                 | jb                  0xffffffe6
            //   633e                 | arpl                word ptr [esi], di
            //   6c                   | insb                byte ptr es:[edi], dx
            //   e4e4                 | in                  al, 0xe4

        // NOTE(review): ascending byte values (59 5b 5c 5d 5e 5f 60 61 63 64)
        // interleaved with 80 — likely a table rather than code.
        $sequence_9 = { 3e8059805b 805c805d80 5e 8083c65df85f80 60 8061fc63 8064ffdff1 }
            // n = 7, score = 100
            //   3e8059805b           | sbb                 byte ptr ds:[ecx - 0x80], 0x5b
            //   805c805d80           | sbb                 byte ptr [eax + eax*4 + 0x5d], 0x80
            //   5e                   | pop                 esi
            //   8083c65df85f80       | add                 byte ptr [ebx + 0x5ff85dc6], 0x80
            //   60                   | pushal              
            //   8061fc63             | and                 byte ptr [ecx - 4], 0x63
            //   8064ffdff1           | and                 byte ptr [edi + edi*8 - 0x21], 0xf1

        $sequence_10 = { b567 8110932238ba 81f82f2437b0 645b f257 326640 b117 }
            // n = 7, score = 100
            //   b567                 | mov                 ch, 0x67
            //   8110932238ba         | adc                 dword ptr [eax], 0xba382293
            //   81f82f2437b0         | cmp                 eax, 0xb037242f
            //   645b                 | pop                 ebx
            //   f257                 | push                edi
            //   326640               | xor                 ah, byte ptr [esi + 0x40]
            //   b117                 | mov                 cl, 0x17

        $sequence_11 = { 68b890e66c 195039 d0f1 1e }
            // n = 4, score = 100
            //   68b890e66c           | push                0x6ce690b8
            //   195039               | sbb                 dword ptr [eax + 0x39], edx
            //   d0f1                 | sal                 cl, 1
            //   1e                   | push                ds

        $sequence_12 = { 9c 5c 4d 79c7 4d e081 025c51c9 }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   5c                   | pop                 esp
            //   4d                   | dec                 ebp
            //   79c7                 | jns                 0xffffffc9
            //   4d                   | dec                 ebp
            //   e081                 | loopne              0xffffff83
            //   025c51c9             | add                 bl, byte ptr [ecx + edx*2 - 0x37]

        $sequence_13 = { 01a334a1f20b 19e4 1108 4e 10827e53f706 f9 850c2c }
            // n = 7, score = 100
            //   01a334a1f20b         | add                 dword ptr [ebx + 0xbf2a134], esp
            //   19e4                 | sbb                 esp, esp
            //   1108                 | adc                 dword ptr [eax], ecx
            //   4e                   | dec                 esi
            //   10827e53f706         | adc                 byte ptr [edx + 0x6f7537e], al
            //   f9                   | stc                 
            //   850c2c               | test                dword ptr [esp + ebp], ecx

        $sequence_14 = { f60904 9c 26b696 7a19 }
            // n = 4, score = 100
            //   f60904               | test                byte ptr [ecx], 4
            //   9c                   | pushfd              
            //   26b696               | mov                 dh, 0x96
            //   7a19                 | jp                  0x1b

        // As in $sequence_0, the wildcard masks the absolute address operand of a2
        // (mov [imm32], al).
        $sequence_15 = { 0f11c1 7875 52 43 6b8ad456ed7902 a2???????? 6b89130a83d644 }
            // n = 7, score = 100
            //   0f11c1               | movups              xmm1, xmm0
            //   7875                 | js                  0x77
            //   52                   | push                edx
            //   43                   | inc                 ebx
            //   6b8ad456ed7902       | imul                ecx, dword ptr [edx + 0x79ed56d4], 2
            //   a2????????           |                     
            //   6b89130a83d644       | imul                ecx, dword ptr [ecx - 0x297cf5ed], 0x44

        $sequence_16 = { 30c2 01420f 9f d8682a 1f d204c6 06 }
            // n = 7, score = 100
            //   30c2                 | xor                 dl, al
            //   01420f               | add                 dword ptr [edx + 0xf], eax
            //   9f                   | lahf                
            //   d8682a               | fsubr               dword ptr [eax + 0x2a]
            //   1f                   | pop                 ds
            //   d204c6               | rol                 byte ptr [esi + eax*8], cl
            //   06                   | push                es

        $sequence_17 = { 8e4ec2 0c79 72c9 85cd 4f }
            // n = 5, score = 100
            //   8e4ec2               | mov                 cs, word ptr [esi - 0x3e]
            //   0c79                 | or                  al, 0x79
            //   72c9                 | jb                  0xffffffcb
            //   85cd                 | test                ebp, ecx
            //   4f                   | dec                 edi

        // NOTE(review): monotonically increasing byte values (08 0a 0c 11 12 14 15
        // 16 17 18 1a 1b 1c 1f 21 26) — almost certainly a lookup table, not code.
        $sequence_18 = { 080a 0c11 1214151617181a 1b1c1f 2126 }
            // n = 5, score = 100
            //   080a                 | or                  byte ptr [edx], cl
            //   0c11                 | or                  al, 0x11
            //   1214151617181a       | adc                 dl, byte ptr [edx + 0x1a181716]
            //   1b1c1f               | sbb                 ebx, dword ptr [edi + ebx]
            //   2126                 | and                 dword ptr [esi], esp

    condition:
        // Any 7 of the 19 sequences above must match, and the scanned file must be
        // smaller than 8003584 bytes (about 7.6 MiB). Because $sequence_1 through
        // $sequence_4 can all be satisfied by a single contiguous region (see the
        // note above), as few as four distinct regions may meet the threshold; treat
        // hits that rely mainly on those four as lower confidence.
        7 of them and filesize < 8003584
}