Malware Analysis – Creating YARA Rules

YARA Rules

YARA rules are used to identify samples based on specific strings or binary data.

Structure of a YARA rule

rule <rule_name>
{
    meta:
        description = "Sample YARA rule"

    strings:
        $a = "example"
        $b = "example2"

    condition:
        ($a or $b)
}

Our completed YARA rule looks like this:

rule creds_ru
{
    meta:
        description = "Simple YARA rule to detect Russian credential harvester"

    strings:
        $a = "http://reptertinrom.ru/zapoy/gate.php"
        $b = "http://reninparwil.com/zapoy/gate.php"
        $c = "http://leftthenhispar.ru/zapoy/gate.php"
        $mz = { 4D 5A }  // "MZ", the DOS header magic of a Windows executable

    condition:
        ($a or $b or $c or $mz)
}

Your pal eric

Hello, your rule will detect any executable as well as any file with “MZ” anywhere in it.

You probably want something more like $mz at 0 and ($a or $b or $c).
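As an added example (not part of the original post or of the comment above), a small Python model of the two conditions: the rule's original condition, where $mz matches anywhere in the file, and the $mz at 0 and ($a or $b or $c) form suggested in the comment, evaluated over constructed byte samples so the difference in false positives is visible without installing YARA. The sample contents and file names are constructed, not real files.

```python
# Added example: models the two YARA conditions discussed above in plain Python.
URLS = [
    b"http://reptertinrom.ru/zapoy/gate.php",
    b"http://reninparwil.com/zapoy/gate.php",
    b"http://leftthenhispar.ru/zapoy/gate.php",
]
MZ = b"\x4d\x5a"  # the { 4D 5A } hex string from the rule ("MZ" DOS header magic)


def original_condition(data: bytes) -> bool:
    """($a or $b or $c or $mz): $mz is allowed to match anywhere in the file."""
    return any(u in data for u in URLS) or MZ in data


def corrected_condition(data: bytes) -> bool:
    """$mz at 0 and ($a or $b or $c): MZ required at offset 0 plus one gate URL."""
    return data.startswith(MZ) and any(u in data for u in URLS)


# Constructed samples (not real files), named for what they stand in for.
SAMPLES = {
    # a plain text note that happens to contain the letters "MZ"
    "note.txt": b"Meeting with MZ at noon about the quarterly report.\n",
    # a clean executable: DOS header at offset 0, no suspicious URL
    "clean.exe": MZ + b"\x90\x00" * 30 + b"This program cannot be run in DOS mode.",
    # the kind of sample the rule is meant to catch: PE header plus a gate URL
    "harvester.exe": MZ + b"\x90\x00" * 30 + URLS[0] + b"\x00",
    # the URL appearing in a non-executable, e.g. an exported proxy log
    "proxy.log": b"GET " + URLS[1] + b" 200\n",
}


def evaluate(condition) -> dict:
    """Return {sample_name: matched} for the given condition function."""
    return {name: condition(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, cond in (("original", original_condition), ("corrected", corrected_condition)):
        print(label)
        for sample, hit in evaluate(cond).items():
            print(f"  {sample:15} {'MATCH' if hit else 'no match'}")
```

With the original condition every sample matches, including the text note and the clean executable; the corrected condition only flags harvester.exe, and no longer fires on the bare URL in proxy.log, which is the trade-off to keep in mind when choosing between the two forms.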