Identify a piece of malware with Yara

Yara rules classify and identify malware samples by describing malware families: YARA is a tool that identifies files based on textual or binary patterns. A YARA rule reads like a small program. It defines a number of variables that hold patterns found in a sample of malware, and when some or all of the conditions are met, depending on the rule, it identifies the piece of malware.

A rule consists of a set of strings and a condition that determines its logic. Rules can be compiled with "yarac" to increase the speed of repeated Yara scans.


How Do YARA Rules Function? Varonis’ Blog Post

This covers creating Yara rules to search for artifacts, using the Mandiant IOC Collector to save different IOCs combined with AND/OR conditions, and using Redline to search a disk or memory image for the IOCs collected with the Mandiant IOC Collector.


Steps, in order:

1) Import module – Yara modules extend its functionality. The PE module, for example, exposes parsed header fields so a rule can match on specific data from a PE file.

2) Rule name – The rule name identifies your Yara rule. It is recommended to use a meaningful name.

3) Metadata – Rules can also have a metadata section where you can put additional information about your rule.

4) Strings – The strings section defines the patterns the rule matches on. There are three types of strings: text strings, hexadecimal strings and regular expressions.

5) Condition – The condition is a Boolean expression over the defined strings (and other values such as file size or module fields) that decides whether the rule matches.
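The five steps above, put together as one complete rule. This is an added illustrative example, not a rule from the original post or from any published ruleset; the rule name, the metadata values, the three pattern values and the section-count threshold are all constructed for illustration, and the reference URL is a placeholder.

```yara
import "pe"

rule Example_Dropper_Indicators
{
    meta:
        author      = "added example, not from the original post"
        description = "Illustrative rule combining a text string, a hex string and a regex with a PE-module check"
        reference   = "PLACEHOLDER: URL of the analysis this rule was written from"

    strings:
        // Text string: ASCII literal, matched case-insensitively and also in its
        // wide (UTF-16LE) form, which is how many Windows binaries store it
        $txt_cmd  = "cmd.exe /c" ascii wide nocase

        // Hexadecimal string: a constructed function prologue with a wildcard
        // byte (??) and a jump ([2-4]) that tolerates variable bytes in between
        $hex_stub = { 55 8B EC 83 EC ?? 53 56 57 [2-4] E8 }

        // Regular expression: a constructed pattern for a hard-coded URL on a
        // dotted-quad host ending in a short .php path
        $re_url   = /https?:\/\/[0-9]{1,3}(\.[0-9]{1,3}){3}\/[a-z]{4,8}\.php/

    condition:
        // Cheap checks first: MZ header at offset 0 and a size bound,
        // so larger or non-PE files are discarded before string scanning
        uint16(0) == 0x5A4D and filesize < 2MB
        // Field exposed by the imported pe module (threshold is illustrative)
        and pe.number_of_sections >= 3
        // Require the code stub plus at least one of the two other indicators
        and $hex_stub and ($txt_cmd or $re_url)
}
```

Save the rule as `rules.yar` and scan with `yara rules.yar <file-or-directory>`; to follow the compilation step mentioned above, run `yarac rules.yar rules.yarc` once and then scan with `yara -C rules.yarc <file-or-directory>`, which skips re-parsing the rule on every scan. Ordering the condition so that `uint16(0)` and `filesize` come before the string terms is a design choice worth keeping: YARA short-circuits `and`, so files that fail the cheap header check never pay for the pattern matching.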

Here’s an anatomy of a Yara rule (thanks to @Fr0gger_ for the diagram):

Use Cases:

YARA has proven to be extremely popular within the infosec community because there are a number of use cases for implementing it:

  • Identify and classify malware,
  • Find new samples based on family-specific patterns,
  • Incident Responders can deploy YARA rules to identify samples and compromised devices,
  • Proactive deployment of custom YARA rules can increase an organization’s defenses.

