{"id":13705548,"url":"https://github.com/bartblaze/Yara-rules","last_synced_at":"2025-05-05T16:33:08.279Z","repository":{"id":42122789,"uuid":"250363106","full_name":"bartblaze/Yara-rules","owner":"bartblaze","description":"Collection of private Yara rules.","archived":false,"fork":false,"pushed_at":"2024-08-14T11:29:11.000Z","size":225,"stargazers_count":314,"open_issues_count":0,"forks_count":52,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-08-14T17:31:43.748Z","etag":null,"topics":["malware-detection","ransomware-detection","threat-hunting","threat-intelligence","yara","yara-rules","yara-signatures"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bartblaze.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-26T20:20:29.000Z","updated_at":"2024-08-14T11:29:14.000Z","dependencies_parsed_at":"2023-12-28T13:28:40.819Z","dependency_job_id":"fc8b5637-678d-4af3-b865-72642a1cb63f","html_url":"https://github.com/bartblaze/Yara-rules","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bartblaze%2FYara-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bartblaze%2FYara-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bartblaze%2FYara-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bartblaze%2FYara-rules/manifests","owner_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bartblaze","download_url":"https://codeload.github.com/bartblaze/Yara-rules/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224455887,"owners_count":17314200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware-detection","ransomware-detection","threat-hunting","threat-intelligence","yara","yara-rules","yara-signatures"],"created_at":"2024-08-02T22:00:43.430Z","updated_at":"2024-11-13T13:30:38.973Z","avatar_url":"https://github.com/bartblaze.png","language":"YARA","funding_links":[],"categories":["Rules"],"sub_categories":[],"readme":"# About\n## What is this?\nA repo containing some of my privately developed Yara rules.\n\n## Why?\nTo contribute to the community.\n\n## Can I use these rules?\nOf course! That's why I created this repo. \n\nYou can use them in your detection systems. For example, [CAPE sandbox](https://github.com/kevoreilly/CAPEv2), [MalwareBazaar](https://bazaar.abuse.ch/), [UnPac.me](https://www.unpac.me/) and [VirusTotal](https://www.virustotal.com/) (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with [AssemblyLine](https://www.cyber.gc.ca/en/tools-services/assemblyline) due to the CCCS Yara rule standard adoption.\n\nAll rules are TLP:White, so you can use and distribute them freely. Please retain the meta. \n\n## Help! 
A generic rule is hitting my software!\nIf one of the rules in the [generic](https://github.com/bartblaze/Yara-rules/tree/master/rules/generic) rules section hits on your software, this is not a false positive. It simply states an objective fact, for example that your software has been compiled or wrapped using AutoIT. It equally does **not** mean your software is malicious.\n\nThe Yara rules presented here do **not** influence antivirus detection results in any manner. If your software is detected by an antivirus or antimalware company, **you need to contact them directly**.\n\nNote that the `meta` section of such a rule also contains `category = \"INFO\"`, which marks it as a purely generic or informational rule.\n\n## Actions\nThere are two workflows running on this GitHub repository:\n\n* [YARA-CI](https://yara-ci.cloud.virustotal.com/): runs automatically to detect signature errors, as well as false positives and false negatives.\n* [Package Yara rules](https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml): builds a complete rules file (all Yara rules from this repo in one file) for convenience. Download it from the Actions tab \u003e choose the latest workflow run \u003e Artifacts, then scroll down; you must be logged in to GitHub:\n\n![image](https://github.com/user-attachments/assets/904aa2af-8b91-4c01-97b4-db24f9659005)\n\n[![Package Yara Rules](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml/badge.svg)](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml)\n\n## Minimum Yara version needed?\n**v3.3.0** is the minimum, as some rules require a specific module. It is recommended to always use the latest Yara version, as found [here](https://github.com/VirusTotal/yara/releases). 
Yara 4.5.1 (at time of writing, likely the last release of the original Yara) works without issue.\n\n## Do the rules work with Yara-X?\n[Yara-X](https://github.com/VirusTotal/yara-x), a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.6.0 works fine with the rules presented here.\n\n## Feedback?\nIf you spot an issue with, or a possible improvement to, one of the rules, feel free to submit a PR or open an Issue.\n\n# Extra\n\n## What is Yara?\nFrom the official GitHub repo, https://github.com/VirusTotal/yara:\n\u003e YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.\n\nMore information: https://yara.readthedocs.io/en/stable/index.html\n\n## What is TLP?\n\u003e The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.\n\nThe rules in this repo are TLP:White (or TLP:Clear).\n\u003e Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.\n\nMore information: https://www.us-cert.gov/tlp\n\n## Where can I find other open-source Yara rules?\nInQuest maintains a GitHub repo containing a curated list of Yara rules: https://github.com/InQuest/awesome-yara.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbartblaze%2FYara-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbartblaze%2FYara-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbartblaze%2FYara-rules/lists"}
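The README above notes that generic rules are marked with `category = "INFO"` in their `meta` section, that the `meta` should be retained when redistributing, and that a workflow packages every rule into a single file. The following Python is an added example, not code from the bartblaze/Yara-rules repository or its workflow: using only the standard library, it splits rule files into individual rules, reads each `meta` section, lists the informational rules, and concatenates everything into one file with `import` statements hoisted and duplicate rule identifiers rejected (Yara will not compile a file containing two rules with the same name). The sample rules embedded in it are constructed for the example; the `.yar`/`.yara` file extensions and the `AutoIT_Compiled`/`Example_Ransomware` rule names are assumptions.

```python
"""Inventory and package Yara rule files with the standard library only (added example)."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample rules in the CCCS-style meta layout (not from the repo): one
# generic INFO rule and one hypothetical malware rule with a hex string in braces.
SAMPLE_RULES = r'''
import "pe"

rule AutoIT_Compiled
{
    meta:
        id = "example-0001"
        description = "Identifies an executable built from a compiled AutoIT script."
        category = "INFO"
    strings:
        $marker = "AU3!EA06" ascii wide
    condition:
        uint16(0) == 0x5a4d and $marker
}

rule Example_Ransomware : ransomware
{
    meta:
        id = "example-0002"
        description = "Hypothetical ransomware family (constructed sample)."
        category = "MALWARE"
        malware_type = "RANSOMWARE"
    strings:
        $note = "Your files have been encrypted" ascii wide
        $ext = { 2E 6C 6F 63 6B 65 64 }   // ".locked"; these braces are not a rule body
    condition:
        uint16(0) == 0x5a4d and all of them
}
'''

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.M)
# rule header: optional private/global, identifier, optional ": tag1 tag2", opening brace
HEADER_RE = re.compile(
    r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{', re.M)
# the meta section runs until the strings: or condition: section starts
META_BLOCK_RE = re.compile(r'meta:(.*?)(?=^\s*(?:strings|condition):)', re.S | re.M)
META_ITEM_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)')


@dataclass
class Rule:
    name: str
    tags: list
    meta: dict
    source: str  # verbatim rule text, meta included (the README asks to retain it)


def parse_meta(body: str) -> dict:
    m = META_BLOCK_RE.search(body)
    if not m:
        return {}
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in META_ITEM_RE.findall(m.group(1))}


def parse_rules(text: str) -> list:
    """Split a rules file into Rule objects. A rule's text runs up to the next rule
    header, so braces inside hex strings never confuse the split."""
    rules, headers = [], list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.start():end].rstrip()
        tags = h.group(2).split() if h.group(2) else []
        rules.append(Rule(h.group(1), tags, parse_meta(body), body))
    return rules


def is_info(rule: Rule) -> bool:
    """Generic/informational rule, as flagged by category = "INFO" in meta."""
    return rule.meta.get("category", "").upper() == "INFO"


def duplicate_names(rules) -> list:
    seen, dups = set(), []
    for r in rules:
        if r.name in seen and r.name not in dups:
            dups.append(r.name)
        seen.add(r.name)
    return dups


def package(texts, exclude_info: bool = False) -> str:
    """Concatenate rule files into one, hoisting and de-duplicating imports.
    Yara refuses a file with two rules of the same identifier, so fail early."""
    imports, rules = [], []
    for text in texts:
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        rules.extend(parse_rules(text))
    dups = duplicate_names(rules)
    if dups:
        raise ValueError(f"duplicate rule identifiers: {dups}")
    kept = [r for r in rules if not (exclude_info and is_info(r))]
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + ("\n" if header else "") + "\n\n".join(r.source for r in kept) + "\n"


if __name__ == "__main__":
    # usage: python yara_inventory.py [rules_dir]; assumes .yar/.yara file extensions
    root = sys.argv[1] if len(sys.argv) > 1 else None
    texts = [p.read_text(encoding="utf-8") for p in sorted(Path(root).rglob("*.yar*"))] if root else [SAMPLE_RULES]
    rules = [r for t in texts for r in parse_rules(t)]
    for r in rules:
        print(f"{r.name:30} category={r.meta.get('category', '?'):10} tags={r.tags}")
    print(f"{len(rules)} rules, {sum(map(is_info, rules))} informational")
    Path("all_rules.yar").write_text(package(texts), encoding="utf-8")
    Path("alerting_rules.yar").write_text(package(texts, exclude_info=True), encoding="utf-8")
```

Pointing it at a checkout of the rules directory writes `all_rules.yar` (everything) and `alerting_rules.yar` (INFO rules dropped, for pipelines that should only alert on malware hits); each rule's text, `meta` included, is copied byte for byte. Confirm the packaged file still parses by compiling it, for example `yarac all_rules.yar all_rules.yarc`, with the Yara version you deploy.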