win.parasite_http

parasite_http


There is no description at this point.

References
2018-07-25 · Proofpoint · Proofpoint Staff
Parasite HTTP RAT cooks up a stew of stealthy tricks
parasite_http
Yara Rules
[TLP:WHITE] win_parasite_http_auto (20260504 | Detects win.parasite_http.)
rule win_parasite_http_auto {
    /* Auto-generated code-sequence signature for the win.parasite_http family.
     * Each $sequence_N is a run of x86 instruction bytes taken from disassembly;
     * the "n" in the per-string comment is the number of instructions in the
     * run and matches the opcodes listed below it. The "score" value is emitted
     * by the generator; its exact meaning is not documented here (see the
     * yara-signator project linked in the DISCLAIMER). The `????????` groups are
     * wildcarded 32-bit operands (call targets / immediates), presumably masked
     * so the rule is not tied to one sample's addresses — confirm in the tool.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.parasite_http."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http"
        malpedia_rule_date = "20260422"
        // NOTE(review): malpedia_hash presumably identifies the Malpedia data
        // snapshot the rule was generated from, not a malware sample — do not
        // treat it as an IoC; confirm against the yara-signator documentation.
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Two `je 9` / `mov ecx, imm32` pairs around a call and a `jmp`;
        // the imm32 and call targets are wildcarded.
        $sequence_0 = { 7407 b9???????? eb71 e8???????? 85c0 7407 b9???????? }
            // n = 7, score = 100
            //   7407                 | je                  9
            //   b9????????           |                     
            //   eb71                 | jmp                 0x73
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   b9????????           |                     

        // Argument-push run ending in `push 0x80` / `push 2` (a stdcall
        // call site; the callee is outside the sequence).
        $sequence_1 = { 51 51 53 57 51 6880000000 6a02 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   57                   | push                edi
            //   51                   | push                ecx
            //   6880000000           | push                0x80
            //   6a02                 | push                2

        // Six consecutive stack stores of 0x4015xx/0x4016xx immediates. These
        // are literal (not wildcarded) absolute addresses in the 0x400000
        // image range, so this sequence only matches samples with the same
        // code layout; it is the most sample-specific of the ten.
        $sequence_2 = { c745e0c2154000 c745e4e2154000 c745e806164000 c745ec2a164000 c745f052164000 c745f472164000 }
            // n = 6, score = 100
            //   c745e0c2154000       | mov                 dword ptr [ebp - 0x20], 0x4015c2
            //   c745e4e2154000       | mov                 dword ptr [ebp - 0x1c], 0x4015e2
            //   c745e806164000       | mov                 dword ptr [ebp - 0x18], 0x401606
            //   c745ec2a164000       | mov                 dword ptr [ebp - 0x14], 0x40162a
            //   c745f052164000       | mov                 dword ptr [ebp - 0x10], 0x401652
            //   c745f472164000       | mov                 dword ptr [ebp - 0xc], 0x401672

        // Call site passing a stack buffer address, a local, and the constant
        // 0x1000; `edx`/`ecx` set before the call suggest a fastcall-style
        // callee — inferred from register use, confirm in the disassembly.
        $sequence_3 = { 8d45e8 50 ff75e0 6800100000 8b55f8 33c9 e8???????? }
            // n = 7, score = 100
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   6800100000           | push                0x1000
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        // Zeroes two locals (`and ..., 0`) then pushes the address of one and
        // an argument — a typical out-parameter setup before a call.
        $sequence_4 = { 8365ec00 8365fc00 8d45fc 50 ff7510 8b550c }
            // n = 6, score = 100
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        // Tail of a countdown loop (decrement [ebp-8], backward jmp) followed
        // by initialisation of three locals to 0x3c, 0x20 and 0x100.
        $sequence_5 = { 8b45f8 48 8945f8 ebe4 c745b43c000000 c745bc20000000 c745c800010000 }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   48                   | dec                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ebe4                 | jmp                 0xffffffe6
            //   c745b43c000000       | mov                 dword ptr [ebp - 0x4c], 0x3c
            //   c745bc20000000       | mov                 dword ptr [ebp - 0x44], 0x20
            //   c745c800010000       | mov                 dword ptr [ebp - 0x38], 0x100

        // Indirect `call eax` with 0x40000001 as the first pushed argument,
        // then `neg eax; sbb eax, eax` — a common way to fold the return
        // value into 0 / -1 (all-ones if non-zero).
        $sequence_6 = { 6801000040 57 53 ffd0 f7d8 5f 1bc0 }
            // n = 7, score = 100
            //   6801000040           | push                0x40000001
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   5f                   | pop                 edi
            //   1bc0                 | sbb                 eax, eax

        // `div esi`, remainder + 0x30 ('0') stored as a 16-bit word, pointer
        // stepped back by 2: looks like an integer-to-wide-string conversion
        // writing digits right-to-left — inferred from the opcodes, confirm.
        $sequence_7 = { 8bc1 33d2 f7f6 8bc8 8d4230 668907 8d7ffe }
            // n = 7, score = 100
            //   8bc1                 | mov                 eax, ecx
            //   33d2                 | xor                 edx, edx
            //   f7f6                 | div                 esi
            //   8bc8                 | mov                 ecx, eax
            //   8d4230               | lea                 eax, [edx + 0x30]
            //   668907               | mov                 word ptr [edi], ax
            //   8d7ffe               | lea                 edi, [edi - 2]

        // Two wildcarded calls, then `cmp eax, 0xb7`. 0xb7 (183) is the Win32
        // ERROR_ALREADY_EXISTS code, so this likely checks GetLastError after
        // creating a named object (single-instance check) — inferred, confirm.
        $sequence_8 = { 42 e8???????? 8bf8 e8???????? 3db7000000 750d }
            // n = 6, score = 100
            //   42                   | inc                 edx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   3db7000000           | cmp                 eax, 0xb7
            //   750d                 | jne                 0xf

        // Two back-to-back `call edi` sites with stack/struct addresses as
        // arguments; the target held in edi is not part of the pattern.
        $sequence_9 = { ffd7 53 8d4508 50 8d460a 50 ffd7 }
            // n = 7, score = 100
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   8d460a               | lea                 eax, [esi + 0xa]
            //   50                   | push                eax
            //   ffd7                 | call                edi

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 147456 bytes (144 KiB). The size gate
        // reflects the dump/unpacked-file origin described in the DISCLAIMER:
        // a packed or padded on-disk sample above that size never matches,
        // regardless of content, so apply this rule to unpacked files or
        // memory images rather than raw droppers.
        7 of them and filesize < 147456
}