{
	"id": "e5b9a889-db0b-4eac-8f54-76d0a8ff0813",
	"created_at": "2026-04-06T00:21:23.418959Z",
	"updated_at": "2026-04-10T13:12:40.658096Z",
	"deleted_at": null,
	"sha1_hash": "67f242fadb69e55a1e3a0854437451b04e0ed7e2",
	"title": "How To Write Yara Rules For Malware - Practical Examples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1452411,
	"plain_text": "How To Write Yara Rules For Malware - Practical Examples\r\nBy Matthew\r\nPublished: 2023-10-04 · Archived: 2026-04-05 16:09:50 UTC\r\nThe purpose of this article is to highlight some practical examples of indicators that can be used for detection using Yara.\r\nThe rules are not intended to be performance-optimized. They are purely examples of indicators that can be used for detection. Here is a great link if you're interested in performance optimization.\r\nIf you wish to try building or testing Yara rules for yourself, we recommend signing up for a free or boosted ($10USD) account on unpacme (which is what we personally use for testing). Unpacme has an excellent Yara hunting feature that allows you to test on a large collection of malware and legitimate samples.\r\nLu0Bot SFX Archives\r\nSome recent lu0bot samples are using self-extracting archives (essentially an .exe that unpacks a .zip). We found this sample using an any.run blog and Malware Bazaar.\r\nInside the sfx/zip file are multiple .dat files that are used to create an exe. The final exe is executed using the randomly named .bat file.\r\nThis introduces the following string artifacts inside the initial .exe file.\r\nhttps://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/\r\nPage 1 of 9\r\nThis allows the following signature to be created, utilising the .dat.1, .dat.2 etc. strings as well as the presence of the .bat file.\r\nSince the file is an archive, it is mostly zipped and compressed. This results in an overall entropy of 7.98, so we added an additional filter math.entropy(0,filesize) \u003e 7. This provides more accuracy at the cost of additional compute resources.\r\nmath.entropy is dependent on the math module and is compute intensive, so you are free to remove this if you run into timeout issues.\r\nWe also noticed another sfx artifact of \"Win32 Cabinet Self-Extractor\". We added this as a string in order to reduce false positives. This probably wasn't necessary, but it is something you can add to home in on specific file types (in this case, sfx files).\r\nWe ultimately used this rule to identify more samples. This is not necessarily the most efficient rule, but it was able to find additional samples. The definition of \"efficient\" will depend on your exact situation and compute resources.\r\nimport \"math\"\r\nrule win_lu0bot_sfx_packer_oct_2023\r\n{\r\nmeta:\r\nauthor = \"Matthew @ Embee_Research\"\r\ncreated = \"2023/10/03\"\r\ndescription = \"\"\r\nsha_256 = \"9c84cd037b061c177ee10c45f1f87b3ea05744f1638ab3f348d6b9a3b1cbcfbf\"\r\nstrings:\r\n$s1 = \".dat\" ascii\r\n$s2 = \".dat.1\" ascii\r\n$s3 = \".dat.2\" ascii\r\n$s4 = \".dat.3\" ascii\r\n$s5 = \".bat\" ascii\r\n$t1 = \"Win32 Cabinet Self-Extractor\" wide\r\ncondition:\r\nmath.entropy(0,filesize) \u003e 7\r\nand\r\n(all of ($s*))\r\nand\r\n$t1\r\n}\r\nTesting on unpacme returned 21 results, with 0 hits for goodware. All of the returned samples appear to be Lu0Bot.\r\nDarkGate XLL Loader\r\nDarkgate has recently utilised XLL (Excel Add-in) files as part of the infection process. An XLL is essentially a DLL file that can be executed by Microsoft Excel.\r\nWhen opened, the XLL will automatically execute the xlAutoOpen export. Once this export is called, a blob of hex bytes is xor decoded to produce a Wscript command containing C2 information and filenames.\r\nThe xlAutoOpen export and the bytecodes associated with the hex decoding can be used as indicators for a yara rule.\r\nBy jumping into the xor_decrypt function, we can observe the primary logic used for performing the decoding.\r\nThis is usually easy to tell (for simple decoding functions) because the logic will be inside a loop (green arrow on left).\r\nSince decoding logic is often re-used across similar malware (albeit with different decoding keys), we can use the logic itself as an indicator that can be signatured.\r\nTo achieve this, we can click the decoding loop and then browse back to the listing window. From here, we can highlight the same instructions that we observed in the previous screenshot.\r\nObserve on the left that we are looking at the same loop.\r\nCopying the instructions into a text editor gives the following. Note that the highlighted bytecodes are what can be used as a signature.\r\nIf you're using Notepad++, you can hold alt and select the right column and hit delete. The same can be done with the left column.\r\nThis leaves only the bytecodes.\r\nKeeping only the opcodes and constant values leaves this:\r\nThis results in the following yara rule. We also added in xlAutoOpen to narrow the results down (ideally) only to XLL files.\r\nrule win_darkgate_xllloader_oct_2023\r\n{\r\nmeta:\r\nauthor = \"Matthew @ Embee_Research\"\r\ncreated = \"2023/10/03\"\r\ndescription = \"Detects XLL Files Related to DarkGate\"\r\nstrings:\r\n$s1 = \"xlAutoOpen\" ascii\r\n$s2 = { 49 ?? ?? 4c ?? ?? 48 ?? ?? 48 ?? ?? 02 e8 ?? ?? ?? ?? 48 ?? ?? 31 ?? 48 ?? ?? 01 48 ??\r\ncondition:\r\n$s1 and $s2\r\n}\r\nUsing unpacme, this resulted in 24 additional samples of the Darkgate XLL loader.\r\nRedline Stealer - Configuration/IL Bytecodes\r\nRedline stealer samples have a relatively consistent pattern associated with the method that stores configuration settings. The bytecodes associated with this method can be used to create a yara rule that matches on similar samples.\r\nSource: https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/"
	],
	"report_names": [
		"practical-signatures-for-identifying-malware-with-yara"
	],
	"threat_actors": [],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67f242fadb69e55a1e3a0854437451b04e0ed7e2.pdf",
		"text": "https://archive.orkl.eu/67f242fadb69e55a1e3a0854437451b04e0ed7e2.txt",
		"img": "https://archive.orkl.eu/67f242fadb69e55a1e3a0854437451b04e0ed7e2.jpg"
	}
}