YARA Rules
YARA rules are used to identify samples based on specific strings or binary data.
Structure of a YARA rule
rule <rule_name>
{
    meta:
        description = "Sample YARA rule"
    strings:
        $a = "example"
        $b = "example2"
    condition:
        ($a or $b)
}
Our completed YARA rule looks like this:
rule creds_ru
{
    meta:
        description = "Simple YARA rule to detect Russian credential harvester"
    strings:
        $a = "http://reptertinrom.ru/zapoy/gate.php"
        $b = "http://reninparwil.com/zapoy/gate.php"
        $c = "http://leftthenhispar.ru/zapoy/gate.php"
        $mz = {4D 5A}
    condition:
        ($a or $b or $c or $mz)
}
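As an added example (not part of the original page), the Python below emulates how YARA evaluates the creds_ru strings against constructed sample buffers, so the effect of the condition can be checked: because `$mz` is joined with `or`, any file starting with an MZ header satisfies the rule, so the script also evaluates a tightened variant, `$mz at 0 and ($a or $b or $c)`, for comparison. The sample buffers and the matcher itself are constructed for illustration and are a simplified stand-in, not the yara-python library.

```python
# Constructed stand-in for YARA string matching: each rule string is searched
# in the buffer and the match offsets are recorded, as YARA does per string.
STRINGS = {
    "$a": b"http://reptertinrom.ru/zapoy/gate.php",
    "$b": b"http://reninparwil.com/zapoy/gate.php",
    "$c": b"http://leftthenhispar.ru/zapoy/gate.php",
    "$mz": bytes.fromhex("4D5A"),   # the {4D 5A} hex string
}


def find_offsets(data: bytes) -> dict:
    """Return every offset at which each rule string occurs in data."""
    hits = {}
    for name, pattern in STRINGS.items():
        offsets, start = [], 0
        while (idx := data.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[name] = offsets
    return hits


def loose_condition(hits: dict) -> bool:
    # The page's condition: ($a or $b or $c or $mz). Any MZ header is enough.
    return any(hits[n] for n in ("$a", "$b", "$c", "$mz"))


def tight_condition(hits: dict) -> bool:
    # Tightened variant: $mz at 0 and ($a or $b or $c), i.e. a PE that also
    # carries at least one of the gate.php URLs.
    return 0 in hits["$mz"] and any(hits[n] for n in ("$a", "$b", "$c"))


def evaluate(data: bytes) -> dict:
    hits = find_offsets(data)
    return {"loose": loose_condition(hits), "tight": tight_condition(hits)}


# Constructed samples, not real files: a PE header with no URL, a PE header
# followed by one gate URL, and a plain text buffer containing a URL.
BENIGN_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
SUSPECT_PE = b"MZ" + b"\x00" * 62 + STRINGS["$b"] + b"\x00"
TEXT_DUMP = b"config: " + STRINGS["$a"]

if __name__ == "__main__":
    for label, sample in (("benign_pe", BENIGN_PE),
                          ("suspect_pe", SUSPECT_PE),
                          ("text_dump", TEXT_DUMP)):
        print(label, evaluate(sample))
```

Run stand-alone, the benign PE matches only the loose condition, which is the false-positive surface a defender would want to know about before deploying the rule as written; the text dump shows the trade-off, since the tightened variant no longer fires on a URL found outside a PE image.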