Home

Awesome

Yara Scan Service

Logo

Repository for scripts and tips for my "Yara Scan Service"

The service is currently in beta phase and allows any user to upload a Yara rule, have it scanned against sorted collection of malicious files (mostly based on MalwareBazaar).

Did it happen to you that you wanted to quickly test a Yara rule you created, but you are missing a large enough data set to test your rule against? This is exactly what Yara Scan is designed for. You submit your Yara rule to the service and a short while later you will receive an email with the results of Yara scan over our large collection of malicious samples. And the best part? Most files are identified by a signature, making it easier to identify if your rule matches for the right malware samples.

Give it a try

https://riskmitigation.ch/yara-scan/

API Key

Please reach out to me if you are interested in getting an API key for easier submission of Yara rules. Can be put in apikey.json in the same directory.

Usage

usage: yara_scan_upload.py [-h] -f FILE [FILE ...] [-a apikey] [-d]

Upload a Yara rule to be scanned on Yara Scan Service

optional arguments:
  -h, --help            show this help message and exit
  -f FILE [FILE ...], --file FILE [FILE ...]
                        Yara to upload (required)
  -a apikey, --apikey apikey
                        Your personal API key (Storage in apikey.json is
                        recommended)
  -d, --daily           Run this rule daily
  -w, --weekly          Run this rule weekly

Results

Each Yara scan task has a JSON file as a result, which includes all the file hits and some additional information, like file type, links to MalwareBazaar and VirusTotal

{
    "rule": "injectable_dll_x64",
    "malware": "CobaltStrike",
    "sha256": "8b551d934c77bb89d63071b22d33596b6655f4f2d4b4efaee5482112ba6868fa",
    "mime_type": "application/x-msdownload",
    "virustotal_link": "https://www.virustotal.com/gui/file/8b551d934c77bb89d63071b22d33596b6655f4f2d4b4efaee5482112ba6868fa/detection",
    "malwarebazaar_link": "https://bazaar.abuse.ch/sample/8b551d934c77bb89d63071b22d33596b6655f4f2d4b4efaee5482112ba6868fa/",
    "tags": []
}

Support

☕ Feel free to use Buy Me A Coffee to, well, pay me a coffee and say thank you :-)

Tools and Community