About
What is this?
A repo containing some of my privately developed Yara rules.
Why?
To contribute to the community.
Can I use these rules?
Of course! That's why I created this repo.
You can use them in your detection systems. For example, CAPE sandbox, MalwareBazaar, UnPac.me and VirusTotal (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with AssemblyLine due to the CCCS Yara rule standard adoption.
All rules are TLP:White, so you can use and distribute them freely. Please retain the meta.
Help! A generic rule is hitting my software!
If one of the rules in the generic rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does not mean your software is malicious.
The Yara rules presented here do not influence antivirus detection results in any manner. If your software is detected by an antivirus or antimalware company, you need to contact them directly.
Note the meta section also mentions category = "INFO", in which case it is a purely generic or informational rule.
Actions
There's two workflows running on this Github repository:
- YARA-CI: runs automatically to detect signature errors, as well as false positives and false negatives.
- Package Yara rules: allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Choose the last workflow run > Artifacts. Scroll down and you will be able to download, but you must be logged in to Github:
Minimum Yara version needed?
v3.3.0 is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found here. Yara 4.5.1, likely the last release to be available, works without issue.
Do the rules work with Yara-X?
Yara-X, a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.6.0 works fine with the rules presented here.
Feedback?
If you spot an issue or improvement with one of the rules, feel free to submit a PR or open an Issue.
Extra
What is Yara?
From the official Github repo, https://github.com/VirusTotal/yara:
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
More information: https://yara.readthedocs.io/en/stable/index.html
What is TLP?
The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.
The rules in this repo are TLP:White (or TLP:Clear).
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
More information: https://www.us-cert.gov/tlp
Where can I find other open-source Yara rules?
InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara.