#100DaysofYARA Day 14
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
January 17, 2026 at 3:13 PM
#100DaysofYARA Day 14
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
January 16, 2026 at 1:05 PM
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
January 16, 2026 at 1:02 PM
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
January 16, 2026 at 1:01 PM
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7
#100daysofYARA - day 12
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.
Rule at end.
1/10
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.
Rule at end.
1/10
January 14, 2026 at 12:38 PM
#100daysofYARA - day 12
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.
Rule at end.
1/10
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.
Rule at end.
1/10
#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.
We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.
rule at bottom
1/5
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.
We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.
rule at bottom
1/5
January 12, 2026 at 2:27 PM
#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.
We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.
rule at bottom
1/5
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.
We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.
rule at bottom
1/5
#100DaysofYara - day 10
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today's we'll look at MCRIT.
MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?
rule at end
1/5
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today's we'll look at MCRIT.
MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?
rule at end
1/5
January 12, 2026 at 12:26 PM
#100DaysofYara - day 10
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today's we'll look at MCRIT.
MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?
rule at end
1/5
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today's we'll look at MCRIT.
MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?
rule at end
1/5
#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.
Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
Rule at end
1/3
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.
Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
Rule at end
1/3
January 10, 2026 at 7:17 PM
#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.
Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
Rule at end
1/3
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.
Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
Rule at end
1/3
Repo “100daysofyara” aggregates sporadic YARA contributions linked to the #100DaysOfYara challenge, providing a community-focused collection of detection rules and examples. #yara #tool https://bit.ly/456s4cp
January 9, 2026 at 4:08 PM
Repo “100daysofyara” aggregates sporadic YARA contributions linked to the #100DaysOfYara challenge, providing a community-focused collection of detection rules and examples. #yara #tool https://bit.ly/456s4cp
#100DaysofYARA - Day 8
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.
What can be done about these large executables?
Rule at end
1/6
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.
What can be done about these large executables?
Rule at end
1/6
January 8, 2026 at 5:48 PM
#100DaysofYARA - Day 8
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.
What can be done about these large executables?
Rule at end
1/6
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.
What can be done about these large executables?
Rule at end
1/6
#100DaysofYARA - Day 7
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."
While we have a pretty good idea it'll be abused, it hasn't been yet.
So, lets watch for it to be abused.
Rule at end
1/5
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."
While we have a pretty good idea it'll be abused, it hasn't been yet.
So, lets watch for it to be abused.
Rule at end
1/5
January 7, 2026 at 2:32 PM
#100DaysofYARA - Day 7
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."
While we have a pretty good idea it'll be abused, it hasn't been yet.
So, lets watch for it to be abused.
Rule at end
1/5
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."
While we have a pretty good idea it'll be abused, it hasn't been yet.
So, lets watch for it to be abused.
Rule at end
1/5
#100DaysofYARA - Day 6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.
How can we detect this?
Rule at end
1/6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.
How can we detect this?
Rule at end
1/6
January 6, 2026 at 1:03 PM
#100DaysofYARA - Day 6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.
How can we detect this?
Rule at end
1/6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.
How can we detect this?
Rule at end
1/6
#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.
When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.
Rule at end
1/7
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.
When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.
Rule at end
1/7
January 5, 2026 at 1:10 PM
#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.
When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.
Rule at end
1/7
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.
When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.
Rule at end
1/7
#100DaysofYARA - Day 4
One heavy user of code-signing certificates is Rhysida Ransomware.
In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.
Rule at end
1/7
One heavy user of code-signing certificates is Rhysida Ransomware.
In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.
Rule at end
1/7
January 4, 2026 at 2:40 PM
#100DaysofYARA - Day 4
One heavy user of code-signing certificates is Rhysida Ransomware.
In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.
Rule at end
1/7
One heavy user of code-signing certificates is Rhysida Ransomware.
In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.
Rule at end
1/7
#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.
If the dev is going to use hard-coded strings, lets use them to our advantage.
This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.
If the dev is going to use hard-coded strings, lets use them to our advantage.
This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
January 3, 2026 at 3:10 PM
#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.
If the dev is going to use hard-coded strings, lets use them to our advantage.
This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.
If the dev is going to use hard-coded strings, lets use them to our advantage.
This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
January 2, 2026 at 12:58 PM
#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
January 2, 2026 at 12:57 PM
#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
First day of #100daysOfYara
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"
rule at end
1/7
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"
rule at end
1/7
January 1, 2026 at 5:35 PM
First day of #100daysOfYara
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"
rule at end
1/7
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"
rule at end
1/7
🚨#100DaysofYARA lives!!
2 time reigning champ Yashraj
has kindly offered to take the helm for this community effort! Give the homie a follow 👊
Check the repo to contribute: github.com/100DaysofYARA
And gear up for Jan 1 when #100DaysofYARA will kick off!
2 time reigning champ Yashraj
has kindly offered to take the helm for this community effort! Give the homie a follow 👊
Check the repo to contribute: github.com/100DaysofYARA
And gear up for Jan 1 when #100DaysofYARA will kick off!
a black and white photo of a man with a stethoscope around his neck screaming .
ALT: a black and white photo of a man with a stethoscope around his neck screaming .
media.tenor.com
December 28, 2025 at 11:21 PM
🚨#100DaysofYARA lives!!
2 time reigning champ Yashraj
has kindly offered to take the helm for this community effort! Give the homie a follow 👊
Check the repo to contribute: github.com/100DaysofYARA
And gear up for Jan 1 when #100DaysofYARA will kick off!
2 time reigning champ Yashraj
has kindly offered to take the helm for this community effort! Give the homie a follow 👊
Check the repo to contribute: github.com/100DaysofYARA
And gear up for Jan 1 when #100DaysofYARA will kick off!
I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.
E.g. IL code patterns, method signature definitions, GUIDs, compressed length
#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...
E.g. IL code patterns, method signature definitions, GUIDs, compressed length
#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...
100 Days of YARA: How to write .NET code signatures
If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.
www.gdatasoftware.com
April 8, 2025 at 1:25 PM
I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.
E.g. IL code patterns, method signature definitions, GUIDs, compressed length
#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...
E.g. IL code patterns, method signature definitions, GUIDs, compressed length
#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...
I doubt this is new ground, but just recently started using this Yara to help identify potential entry point(s) in shellcode. Have a video that highlights it's usage as well as the -s arg for showing offsets:
buff.ly/4ibEkwZ
Always more to learn! Is it too late for #100DaysOfYara?! 😉
buff.ly/4ibEkwZ
Always more to learn! Is it too late for #100DaysOfYara?! 😉
March 3, 2025 at 6:00 PM
I doubt this is new ground, but just recently started using this Yara to help identify potential entry point(s) in shellcode. Have a video that highlights it's usage as well as the -s arg for showing offsets:
buff.ly/4ibEkwZ
Always more to learn! Is it too late for #100DaysOfYara?! 😉
buff.ly/4ibEkwZ
Always more to learn! Is it too late for #100DaysOfYara?! 😉
Postponing PMRP prep with my second rule for #100DaysOfYARA. This one focuses on finding the B64 decoding routine seen in the final stages of the Coyote Banking Trojan. www.fortinet.com/blog/threat-...
February 23, 2025 at 9:09 PM
Postponing PMRP prep with my second rule for #100DaysOfYARA. This one focuses on finding the B64 decoding routine seen in the final stages of the Coyote Banking Trojan. www.fortinet.com/blog/threat-...
This #100daysofyara shows but bad rules can be good when used correctly :)
Im using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules.
The screenshot shows VQL to dynamically generate a yara rule to preferred string size.
Im using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules.
The screenshot shows VQL to dynamically generate a yara rule to preferred string size.
February 21, 2025 at 12:10 AM
This #100daysofyara shows but bad rules can be good when used correctly :)
Im using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules.
The screenshot shows VQL to dynamically generate a yara rule to preferred string size.
Im using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules.
The screenshot shows VQL to dynamically generate a yara rule to preferred string size.
Allllll caught up on my #100DaysOfYara challenges/days/whatever
Also going to be doing much more Macho because I have been working on Offsec's MacOS Exploit Dev course
github.com/augustvansic...
Also going to be doing much more Macho because I have been working on Offsec's MacOS Exploit Dev course
github.com/augustvansic...
GitHub - augustvansickle/2025_100DaysofYara
Contribute to augustvansickle/2025_100DaysofYara development by creating an account on GitHub.
github.com
February 12, 2025 at 11:46 PM
Allllll caught up on my #100DaysOfYara challenges/days/whatever
Also going to be doing much more Macho because I have been working on Offsec's MacOS Exploit Dev course
github.com/augustvansic...
Also going to be doing much more Macho because I have been working on Offsec's MacOS Exploit Dev course
github.com/augustvansic...
#100DaysOfYara Day 32
Todays sample is a sh file, typically a script on unix based systems. It calls different files from a C2 hosting, gives them 'chmod 777' permissions (so it can execute), executes them on disk, and removes the file after execution in memory.
github.com/augustvansic...
Todays sample is a sh file, typically a script on unix based systems. It calls different files from a C2 hosting, gives them 'chmod 777' permissions (so it can execute), executes them on disk, and removes the file after execution in memory.
github.com/augustvansic...
2025_100DaysofYara/Day 32_SH_Stager.yar at 38f9a616adede74afddb18e95801e36920f933de · augustvansickle/2025_100DaysofYara
Contribute to augustvansickle/2025_100DaysofYara development by creating an account on GitHub.
github.com
February 1, 2025 at 5:35 PM
#100DaysOfYara Day 32
Todays sample is a sh file, typically a script on unix based systems. It calls different files from a C2 hosting, gives them 'chmod 777' permissions (so it can execute), executes them on disk, and removes the file after execution in memory.
github.com/augustvansic...
Todays sample is a sh file, typically a script on unix based systems. It calls different files from a C2 hosting, gives them 'chmod 777' permissions (so it can execute), executes them on disk, and removes the file after execution in memory.
github.com/augustvansic...