@fr0gger
fr0gger / AppAnyRun.py
Last active October 30, 2024 00:02
Simple script to upload a sample to Any.Run and retrieve the report
import requests
import time
import sys
import os
from tqdm import tqdm
# Any.Run expects the header value "API-Key <your key>": paste your key after the space
API_KEY = "API-Key "
BASE_URL = "https://api.any.run/v1"
HEADERS = {"Authorization": API_KEY}
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Markmap</title>
<style>
* {
margin: 0;
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: [email protected]
@fr0gger
fr0gger / msthreatinfo.py
Last active October 29, 2024 19:48
Threat Info Lookup: Retrieve Microsoft Defender signature details from the Threat Encyclopedia
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Thomas Roccia, @fr0gger_
"""Threat Encyclopedia Lookup, retrieve Defender Signature information.
This script will retrieve the information related to the specified signature.
Usage:
python threatinfo.py [options]
Requirements:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://twitter.com/juanandres_gs/status/1496581710368358400?s=20&t=ceSYl9EWREXS0ELncl4grA
https://twitter.com/0xAmit/status/1496641159371837444?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://twitter.com/JusticeRage/status/1496894253376720901?s=20&t=j42L_Y0O-Q2-oTI3YEcSZw
https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/a82e9105-2405-4e37-b2c3-28c773902d85
https://docs.microsoft.com/en-us/windows/win32/devnotes/attribute-list-entry
https://twitter.com/Lexsek_/status/1496806942630633475?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
'''
Simple POC for calculating the Export Table Hash by Thomas Roccia | @fr0gger_
Similarly to ImpHash, the Export Hash is calculated by extracting the function names from the export table and hashing them.
Exported function names are extracted in order, then all characters are converted to lowercase.
The function names are then joined together and hashed using SHA256.
The hash is dubbed "ExpHash".
Example:
python .\exphash.py .\AppXDeploymentClient.dll
ExpHash: 50644ab76c9421984137aadca2ba9b2883763f0189daf4010a699c490d263a86
http://abraajenergy.com/
http://abraajenergy.com/m9lowa3/discord-server-link-checker.html
http://chpok.site/
https://rockstorageplace.com/away.php
yourflash24.com
phonestar.info
dougale.com
gomusic.info
premiumbros.com
totalav.com
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Rich Hash standalone support for python3 - Thomas Roccia - @fr0gger_
"""
import hashlib
import sys
import re
@fr0gger
fr0gger / yara_performance_guidelines.md
Created February 16, 2021 09:23 — forked from Neo23x0/yara_performance_guidelines.md
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7

Atoms

YARA extracts from each string short substrings of up to 4 bytes, called "atoms". An atom can be taken from any position within the string. While scanning a file, YARA searches only for the atoms; when one of them is found, it then verifies that the whole string actually matches at that position. The cost of a string is therefore driven by how often its atoms fire, not by the length of the string itself.
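To make the effect of atom choice concrete, here is a small Python model of the two-phase search described above. It is an added example, not YARA's own code, and it does not reproduce YARA's atom-selection heuristics: the atom offset is chosen by hand so that the number of full-string verifications for a poor atom (four NUL bytes) and a distinctive one ("LOAD") can be counted on a constructed, zero-padded buffer.

```python
"""Toy model of YARA's atom pre-filter (added example, not YARA's code).

YARA does not scan for whole strings: it picks a short "atom" (up to 4 bytes)
from each string, looks only for the atoms during the scan, and verifies the
full string at positions where an atom hit. This model implements that
two-phase search with a caller-chosen atom offset so the effect of atom
choice on the number of verifications can be measured. YARA's own
atom-quality heuristics are not reproduced here.
"""


def find_with_atom(data: bytes, pattern: bytes, atom_offset: int, atom_len: int = 4):
    """Two-phase search: locate atom candidates, then verify the full pattern.

    Returns (candidate_count, match_offsets). candidate_count is the number of
    full-string verifications the scan had to perform.
    """
    atom = pattern[atom_offset:atom_offset + atom_len]
    candidates, matches = 0, []
    pos = data.find(atom)
    while pos != -1:
        candidates += 1
        start = pos - atom_offset              # where the whole string would begin
        if start >= 0 and data[start:start + len(pattern)] == pattern:
            matches.append(start)
        pos = data.find(atom, pos + 1)         # overlapping hits are candidates too
    return candidates, matches


# Constructed sample (not real malware data): a string that begins with eight
# NUL bytes, as a zero-padded struct field would, embedded between two runs of
# zero-filled padding like those found in any PE section.
PATTERN = bytes(8) + b"LOAD_CFG"
DATA = bytes(4096) + PATTERN + bytes(4096)


def compare_atoms(data: bytes = DATA, pattern: bytes = PATTERN):
    """Return {atom_offset: (candidates, matches)} for a poor and a good atom."""
    return {
        0: find_with_atom(data, pattern, 0),   # atom = 00 00 00 00
        8: find_with_atom(data, pattern, 8),   # atom = "LOAD"
    }


if __name__ == "__main__":
    for off, (cand, hits) in compare_atoms().items():
        atom = PATTERN[off:off + 4]
        print(f"atom {atom!r}: {cand} candidate positions, "
              f"{len(hits)} real match(es) at {hits}")
```

Both atoms find the single real match, but the NUL atom forces a verification at every aligned position inside the padding, thousands of times on an 8 KiB buffer and far more on a real binary, whereas the "LOAD" atom is verified once. This is why the guidelines that follow steer rule authors away from strings whose only possible atoms are runs of 0x00, 0xFF or other common bytes.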