Introduction to YARA
YARA is a tool used to identify and classify malware based on textual or binary patterns. In this tutorial, we’ll cover the basics of YARA and how to write simple rules to detect patterns in files.
What Is YARA?
YARA (Yet Another Recursive Acronym) is a rule-based pattern matching engine developed by VirusTotal, widely used for:
- Detecting malware families
- Scanning files for custom signatures
- Automating threat detection in incident response
Installation
Linux:
sudo apt update
sudo apt install yara
macOS:
brew install yara
Windows:
Download it from here.
YARA rule example
rule examplerule
{
    strings:
        $a = "malicious_string"
        $b = { E2 34 A1 C4 23 }
    condition:
        $a or $b
}
Running the rule:
yara examplerule.yar somefile
All YARA rules end with '.yar'. If the pattern is not found, you will see an error. Otherwise, it will show the rule name followed by the file that matched:
examplerule somefile
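A fuller rule, added here as an example and not taken from the original page, shows the parts of the rule language the simple rule above leaves out: a meta section, string modifiers, hex wildcards and jumps, a regular expression, and a condition that checks the file header, size, and string counts. Every string and path in it is a constructed placeholder, not a real indicator.

```yara
rule example_pe_dropper
{
    meta:
        description = "Added tutorial example with constructed strings, not a production signature"
        author      = "tutorial example"
        reference   = "placeholder, no real sample"

    strings:
        // Text string matched as ASCII and UTF-16LE, case-insensitively
        $s1 = "malicious_string" ascii wide nocase
        // Text string that must appear exactly as written (constructed path)
        $s2 = "C:\\Users\\Public\\dropper.tmp" ascii
        // Hex pattern with a wildcard byte (??) and a 2-to-4 byte jump ([2-4])
        $h1 = { E2 34 ?? C4 [2-4] 23 }
        // Regular expression for a constructed update URL
        $r1 = /https?:\/\/[a-z0-9.-]+\/update\.php/ nocase

    condition:
        // MZ header at offset 0 and a size bound keep scanning cheap
        uint16(0) == 0x5A4D and filesize < 2MB
        and (
            $h1 in (0..4096)        // hex pattern within the first 4 KB
            or 2 of ($s*, $r1)      // or any two of the text/regex strings
        )
        and #s1 >= 1                // $s1 occurs at least once
}
```

Run it exactly like the first rule (yara example_pe_dropper.yar somefile); adding -s prints each matching string and its offset, which is the quickest way to see why a rule fired.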
Using YARA with Loki
Loki is an IOC and YARA scanner created by Florian Roth. It scans for IOCs, malware, backdoors, and suspicious artifacts using YARA rules, hash lookups, and string matching.
Install Loki
git clone https://github.com/Neo23x0/Loki.git
cd Loki
On Windows, download the ZIP version and extract it.
Add YARA Rules
Place your .yar files into:
./signature-base/yara/
Then scan a directory:
python loki.py -p /path
Example output:
[INFO] ==> Scanning file: path/maliciousfile.exe
[ALERT] YARA rule match: examplerule in maliciousfile.exe
Useful options:
--intense: deeper, more thorough scan
--noprocscan: skip process memory scanning
--debug: show extra debug output
yarGen to generate YARA rules
yarGen helps automate the process of creating YARA rules by extracting good strings and avoiding noise.
Install yarGen
git clone https://github.com/Neo23x0/yarGen.git
cd yarGen
pip install -r requirements.txt
python yarGen.py --update
Usage
python yarGen.py -m /path -o my_rule.yar
-m points at the directory of malware samples to derive strings from, and -o names the output rule file.