Creating custom YARA rules
Tags
| attack-pattern: | Malware - T1587.001 Malware - T1588.001 Tool - T1588.002 |
Common Information
| Type | Value |
|---|---|
| UUID | d39f0606-3078-48e2-b51c-2bd628926a44 |
| Fingerprint | b4b24bd4767d8b9f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | April 9, 2018, 11:55 a.m. |
| Added to db | Jan. 18, 2023, 8:40 p.m. |
| Last updated | Nov. 19, 2024, 8:10 a.m. |
| Headline | Creating custom YARA rules |
| Title | Creating custom YARA rules |
| Detected Hints/Tags/Attributes | 22/1/9 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://blog.nviso.be/2018/04/09/creating-custom-yara-rules/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 2 | www.nviso.be |
|
| Details | Domain | 171 | www.sans.org |
|
| Details | sha256 | 4 | 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff |
|
| Details | sha256 | 4 | 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 |
|
| Details | sha256 | 3 | 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9 |
|
| Details | Url | 2 | https://www.nviso.be |
|
| Details | Url | 1 | https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses |
|
| Details | Yara rule | 1 | import "hash"
rule simple_hash_rule {
condition:
hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
} |
|
| Details | Yara rule | 1 | import "hash"
rule ccleaner_compromised_installer {
condition:
filesize == 9791816 and hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
} |