Detecting Malware with YARA Rules: A Practical Guide
Detecting Malware with YARA Rules#
YARA is a pattern matching tool used by malware researchers to identify and classify malicious samples. Often called the "Swiss Army knife for malware researchers," it allows you to write complex detection rules by combining string patterns and binary patterns.
YARA Basics#
Basic Rule Structure#
A YARA rule consists of three main sections:
rule ExampleRule {
meta:
author = "unJaena Team"
description = "Example YARA rule"
date = "2026-04-10"
severity = "high"
strings:
$str1 = "suspicious_string"
$str2 = { 4D 5A 90 00 } // MZ header
$str3 = /https?:\/\/[a-z0-9\-\.]+\.xyz/
condition:
uint16(0) == 0x5A4D and
filesize < 5MB and
($str1 or $str2) and
#str3 > 2
}
Core Element Explanation#
meta section: Defines metadata about the rule. Does not affect detection, but is essential for management and documentation.
strings section: Defines the patterns to detect:
- Text strings:
"suspicious_string" - Hex byte patterns:
{ 4D 5A 90 00 } - Regular expressions:
/pattern/
condition section: Combines detection conditions with logical operators.
Writing Real-World YARA Rules#
1. RAT (Remote Access Trojan) Detection#
rule Detect_RAT_Indicators {
meta:
description = "Detects common RAT behavior patterns"
severity = "critical"
strings:
$cmd1 = "cmd.exe /c" nocase
$cmd2 = "powershell -enc" nocase
$cmd3 = "whoami" nocase
$net1 = "CONNECT" ascii
$net2 = "POST /gate" ascii
$reg1 = "CurrentVersion\\Run" nocase
$mutex = "Global\\" ascii
condition:
uint16(0) == 0x5A4D and
filesize < 10MB and
(2 of ($cmd*)) and
(1 of ($net*)) and
($reg1 or $mutex)
}
2. Information Stealer Detection#
rule Detect_Stealer_Patterns {
meta:
description = "Detects info stealer behavior"
severity = "high"
strings:
$browser1 = "\\Google\\Chrome\\User Data" nocase
$browser2 = "\\Mozilla\\Firefox\\Profiles" nocase
$browser3 = "\\Microsoft\\Edge\\User Data" nocase
$wallet1 = "wallet.dat" nocase
$wallet2 = "\\Ethereum\\keystore" nocase
$grab1 = "passwords" nocase
$grab2 = "cookies" nocase
$grab3 = "autofill" nocase
$exfil1 = "multipart/form-data" ascii
$exfil2 = "Content-Disposition" ascii
condition:
uint16(0) == 0x5A4D and
(2 of ($browser*)) and
(1 of ($grab*)) and
(1 of ($exfil*))
}
3. Ransomware Behavior Pattern Detection#
rule Detect_Ransomware_Behavior {
meta:
description = "Detects ransomware encryption patterns"
severity = "critical"
strings:
$ext1 = ".locked" ascii
$ext2 = ".crypt" ascii
$ext3 = "DECRYPT" ascii nocase
$ext4 = "RANSOM" ascii nocase
$note1 = "Your files have been" ascii nocase
$note2 = "bitcoin" ascii nocase
$note3 = "payment" ascii nocase
$shadow = "vssadmin delete shadows" nocase
$bcdedit = "bcdedit /set" nocase
condition:
uint16(0) == 0x5A4D and
filesize < 20MB and
(2 of ($ext*)) and
(1 of ($note*)) and
($shadow or $bcdedit)
}
Advanced Techniques#
Wildcards and Jumps#
Use wildcards in binary patterns when specific bytes are variable:
strings:
// Wildcard (?)
$hex1 = { 4D 5A ?? ?? 00 }
// Jump (variable length)
$hex2 = { E8 [4-8] 85 C0 }
// Alternatives (OR)
$hex3 = { (6A 40 | 6A 00) 68 }
Using Modules#
YARA provides structural analysis capabilities for PE files, ELF files, and more through built-in modules:
import "pe"
import "math"
rule Suspicious_PE_Characteristics {
meta:
description = "PE file with suspicious characteristics"
condition:
pe.is_pe and
pe.number_of_sections > 6 and
pe.timestamp < 1000000000 and
math.entropy(0, filesize) > 7.5 and
pe.imports("kernel32.dll", "VirtualAlloc") and
pe.imports("kernel32.dll", "WriteProcessMemory")
}
Performance Optimization#
Key principles for optimizing YARA rule performance:
- Start conditions with fast checks: Perform magic byte checks like
uint16(0) == 0x5A4Dfirst - Limit filesize: Prevent unnecessary scanning of large files
- Minimize string count: Define only necessary patterns
- Avoid regex overuse: Use fixed strings when possible
- Limit wildcard ranges: Use narrow ranges like
[4-8]rather than[0-100]
Combining AI with YARA#
Combining traditional YARA rule-based detection with AI analysis enables more powerful threat detection.
Detection Pipeline#
Collected Files
↓
YARA Scan (160+ rules)
├─ Matched rule information
├─ Severity classification
└─ Matching pattern details
↓
CAPA Analysis (behavior-based)
├─ Malicious capability identification
└─ MITRE ATT&CK mapping
↓
AI Comprehensive Analysis
├─ Context-based risk assessment
├─ False positive filtering
└─ Natural language analysis report
Advantages#
- YARA strengths: Fast pattern matching, low false positive rate, clear detection rationale
- AI strengths: Context understanding, novel threat pattern identification, comprehensive analysis
- Synergy: YARA filters suspicious files, AI performs deep analysis
Community Rule Sets#
You don't need to write all YARA rules yourself. Leverage proven community rule sets:
- YARA-Rules: A comprehensive rule collection maintained by the community
- Signature-Base: High-quality rule set maintained by Florian Roth (Neo23x0)
- Malpedia: YARA rules classified by malware family
- ThreatFox: IOCs based on threat intelligence from abuse.ch
Conclusion#
YARA is both the foundation and a core tool of malware detection. Built on the simple principle of static pattern matching, well-written YARA rules can effectively detect even complex threats.
When combined with AI-based analysis, YARA's fast filtering capability and AI's deep analysis ability create synergy, enabling the construction of more accurate and efficient threat detection systems.
The unJaena platform integrates 160+ YARA rules and CAPA behavioral analysis into its AI pipeline, providing automated malware analysis for uploaded files.
Get the latest forensics insights
We send a monthly newsletter about digital forensics and AI analysis.
Subscribe to Newsletter