YARA

Welcome to YARA's documentation! — yara 4.4.0 documentationyara.readthedocs.io

Basic yara rule:

rule Yara_Example {
    
    meta: 
        last_updated = "2021-10-15"
        author = "PMAT"
        description = "A sample Yara rule for PMAT"

    strings:
        // Fill out identifying strings and other criteria
        $string1 = "YOURTHEMANNOWDOG" ascii
        $str2 = "nim"
        $Magic_byte = "MZ"
        $hex = {FF ?? FF}

    condition:
        // Fill out the conditions that must be met to identify the binary
        $Magic_byte at 0 and
        ($string1 and $str2) or

        $hex
}


yara64 .\yara_template.yara  .\Malware.yara1.exe.malz -w -p 32
Yara_Example .\Malware.yara1.exe.malz //output line

if rule matches it shows binary name if it doesn't then shown no output

-p is no of threads, -w is suppress warning

yara64 .\yara_template.yara  .\Malware.yara1.exe.malz -w -p 32 -s

THe -s flag will highlight which string matched for your rule and location of that string in fiile.

-r flag do recusrive scan on a directory

PreviousAutomated Analysis NextBlue Team

Last updated 8 months ago