Malware Analysis – Creating YARA Rules


YARA Rules

YARA rules identify and classify samples by describing patterns found in them (text strings, hex byte sequences or regular expressions) together with a boolean condition that says which combination of those patterns must be present for the rule to fire.

Structure of a YARA rule

rule <rule_name>
{
    meta:
        description = "Sample YARA rule"
    strings:
        $a = "example"
        $b = "example2"
    condition:
        ($a or $b)
}

A rule has three sections. The meta section holds free-form key/value information (description, author, reference) and plays no part in matching. The strings section names the patterns: text strings go in double quotes, raw bytes in curly braces as hex (for example { 4D 5A }), and regular expressions between forward slashes. The condition is a boolean expression over those identifiers; a bare $a means "the string occurs anywhere in the file", while $a at 0 pins it to a specific offset. Note that the quotes must be plain ASCII double quotes; the curly "smart" quotes a word processor produces are a syntax error to the YARA compiler.

Our completed YARA rule looks like this:

rule creds_ru
{
    meta:
        description = "Simple YARA rule to detect Russian credential harvester"
    strings:
        $a = "http://reptertinrom.ru/zapoy/gate.php"
        $b = "http://reninparwil.com/zapoy/gate.php"
        $c = "http://leftthenhispar.ru/zapoy/gate.php"
        $mz = { 4D 5A }
    condition:
        $mz at 0 and ($a or $b or $c)
}

The three URL strings are the gate (C2 check-in) addresses observed in the sample; any one of them is enough to flag a file. The $mz hex string is the "MZ" DOS header that every Windows executable starts with, so it is anchored to offset 0 and combined with and: it narrows the rule to PE files rather than contributing a detection on its own. Writing the condition as ($a or $b or $c or $mz) instead would make the rule fire on every Windows executable on the system, and on any file that happens to contain the two bytes 4D 5A somewhere, which would drown the real hits in false positives. If you also want to catch the URLs in memory dumps or network captures, which have no MZ header, drop the $mz check entirely rather than or-ing it in.
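To make the difference between the two conditions concrete, here is a small Python re-implementation of the matching semantics the rule relies on (find every occurrence of each string, then evaluate the condition), run over a handful of constructed byte buffers. This is an added example, not code from the original post; the sample buffers are made up to exercise the rule and are not real malware, and the optional cross-check against the real engine only runs if the yara-python module happens to be installed.

```python
"""
Re-implementation of the match semantics behind the creds_ru rule, used to
show why the $mz hex string has to be anchored to offset 0 and joined with
'and'. Added example; the sample buffers are constructed, not real files.
"""
import re
from typing import Dict, List, Optional

# The rule's own strings: three gate URLs and the MZ header bytes.
STRINGS: Dict[str, bytes] = {
    "$a": b"http://reptertinrom.ru/zapoy/gate.php",
    "$b": b"http://reninparwil.com/zapoy/gate.php",
    "$c": b"http://leftthenhispar.ru/zapoy/gate.php",
    "$mz": bytes.fromhex("4D5A"),
}

# Corrected rule text, for the optional cross-check with the real engine.
RULE_TEXT = r'''
rule creds_ru
{
    meta:
        description = "Simple YARA rule to detect Russian credential harvester"
    strings:
        $a = "http://reptertinrom.ru/zapoy/gate.php"
        $b = "http://reninparwil.com/zapoy/gate.php"
        $c = "http://leftthenhispar.ru/zapoy/gate.php"
        $mz = { 4D 5A }
    condition:
        $mz at 0 and ($a or $b or $c)
}
'''


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Offsets of every (non-overlapping) occurrence of pattern in data.
    YARA records all occurrences, which is what 'at', '#' and 'in' use."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def scan(data: bytes) -> Dict[str, List[int]]:
    """Offsets for each named string, like YARA's per-string match list."""
    return {name: find_all(data, pat) for name, pat in STRINGS.items()}


def condition_unanchored_or(data: bytes) -> bool:
    """The weak condition: ($a or $b or $c or $mz). Any string, anywhere."""
    m = scan(data)
    return any(m[n] for n in ("$a", "$b", "$c", "$mz"))


def condition_anchored_and(data: bytes) -> bool:
    """The corrected condition: $mz at 0 and ($a or $b or $c)."""
    m = scan(data)
    mz_at_0 = 0 in m["$mz"]          # header must sit at offset 0
    return mz_at_0 and any(m[n] for n in ("$a", "$b", "$c"))


# Constructed samples (not real files). A minimal MZ/PE-looking prefix is
# enough here because the rule only inspects the first two bytes.
SAMPLES: Dict[str, bytes] = {
    "pe_with_gate_url": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + STRINGS["$a"] + b"\x00",
    "benign_pe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"This program cannot be run in DOS mode.",
    "text_with_url": b"GET " + STRINGS["$b"] + b" HTTP/1.1\r\n",   # e.g. a pcap/memory fragment
    "random_with_mz_inside": b"\x00\x01" + b"MZ" + b"\x02\x03",   # MZ bytes, but not at offset 0
    "unrelated": b"hello world",
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Both conditions over every sample; shows the false positives of the weak form."""
    return {
        name: {"original": condition_unanchored_or(d), "fixed": condition_anchored_and(d)}
        for name, d in samples.items()
    }


def cross_check_with_yara(data: bytes) -> Optional[bool]:
    """If yara-python is installed, compile RULE_TEXT and scan data with the
    real engine. Returns True/False, or None when the module is missing."""
    try:
        import yara  # yara-python, optional
    except ImportError:
        return None
    rules = yara.compile(source=RULE_TEXT)
    return bool(rules.match(data=data))


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:24s} original={str(r['original']):5s} fixed={r['fixed']}")
```

Only the first sample is a true hit; the weak condition also flags the benign executable, the text fragment and the buffer that merely contains 4D 5A mid-file, while the anchored and-condition rejects all three. If you do have yara-python installed, cross_check_with_yara confirms the real engine agrees with the "fixed" column.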