First, thanks for sharing your rules with the community!

I was wondering if you would be interested in using the CCCS Yara metadata standard for your rules metadata?
see: https://github.com/CybercentreCanada/CCCS-Yara

It would allow your rules to integrate seamlessly with Assemblyline: https://cybercentrecanada.github.io/assemblyline4_docs/

Cheers!

https://github.com/bartblaze/Yara-rules/blob/master/rules/crimeware/PureCrypter.yar

This rule is inaccurate the strings used for detection, are generic artifacts of the commercial .NET Reactor obfuscator.

The image below shows a quick search with 2 of the strings from your rule, which results in a number of random malware and legitimate apps obfuscated with .NET Reactor. The rule does not detect the targeted malware but binaries obfuscated with .NET Reactor.

For more info about .NET Reactor detection check https://unprotect.it/technique/net-reactor/

Hello,

I'd like to create a PR to add more/correct some YARA rules that you have, but I'm unable to create a fork.

Is there a certain process for contribution?

Hello friend, download the file yara rules master but I don't know how to use it, can you help me

Is there any specific reason Pyinstaller is classified as Malware ?

Sorry for this question a little out of context, but I would like to understand how to fix errors found as EXE_in_LNK by Yara;

This is the role in my .github/workflows/rules.yar :

rule EXE_in_LNK
{
    meta:
        id = "3SSZmnnXU0l4qoc9wubdhN"
        fingerprint = "f169fab39da34f827cdff5ee022374f7c1cc0b171da9c2bb718d8fee9657d7a3"
        version = "1.0"
        creation_date = "2020-01-01"
        first_imported = "2021-12-30"
        last_modified = "2021-12-30"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "BARTBLAZE"
        author = "@bartblaze"
        description = "Identifies executable artefacts in shortcut (LNK) files."
        category = "INFO"

    strings:
        $ = ".exe" ascii wide nocase
        $ = ".dll" ascii wide nocase
        $ = ".scr" ascii wide nocase
        $ = ".pif" ascii wide nocase
        $ = "This program" ascii wide nocase
        $ = "TVqQAA" ascii wide nocase

    condition:
        isLNK and any of them
}

This is the error detected by VirusTotal YARA-CI

How do I solve this problem detected in my project?

It is usual for program to have strings /post.php and Connection: close in it, so ZLoader rule which requires only 2 of strings in its list to match, matches regular programs

Yara is a very good thing very useful for defaming those who use the autoit code.

Thanks for slandering the software I developed.

Hello!

It looks like #NoTrayIcon (ascii and wide) shows up in both AutoIt and AutoHotKey scripts... Would you want to remove this string from the rules AutoIT_Compiled and AutoIT_Script so that the rules only match on AutoIt scripts?

Ex: https://www.virustotal.com/gui/file/91d42e3aedd39145cc0874c658d7358aff1c77b8e0cba9adab380149257e4e90/detection

https://analyze.intezer.com/analyses/7d01ed17-000a-41f3-9a4b-ffbeab2f5a14

$ python show-yara-matches.py bartblaze_autoit.yara 91d42e3aedd39145cc0874c658d7358aff1c77b8e0cba9adab380149257e4e90 
Processing matches for 91d42e3aedd39145cc0874c658d7358aff1c77b8e0cba9adab380149257e4e90
Matches for rule AutoIT_Script
    $ matched at 000a7744: 23 00 4E 00 6F 00 54 00 72 00 61 00 79 00 49 00 63 00 6F 00 6E 00
    $ matched at 000d8a91: 23 4E 6F 54 72 61 79 49 63 6F 6E

Thank you!

Hello,

It seems like your rules causes false positives for a few antivirus in VirusTotal (see link):

Matches rule PyInstaller by @bartblaze from ruleset PyInstaller at https://github.com/bartblaze/Yara-rules
Identifies executable converted using PyInstaller.

The Ruleset is this one :

import "pe"
import "hash"
rule PyInstaller
{
meta:
	description = "Identifies executable converted using PyInstaller."
	author = "@bartblaze"
	date = "2020-01"
	tlp = "White"
	
strings:
	$ = "pyi-windows-manifest-filename" ascii wide
	$ = "pyi-runtime-tmpdir" ascii wide
	$ = "PyInstaller: " ascii wide

condition:
	uint16(0) == 0x5a4d and any of them or
	(
   for any i in (0..pe.number_of_resources - 1):
     (pe.resources[i].type == pe.RESOURCE_TYPE_ICON and
      hash.md5(pe.resources[i].offset, pe.resources[i].length) ==
      "20d36c0a435caad0ae75d3e5f474650c") //Default PyInstaller icon
	)
}

It causes AstroSaveConverter, an open-source project which anyone can see isn't a virus to be detected as one. Could you help with that ?

Thanks a lot

Hi,

I was wondering if you can change the rule that detects anything created with pyinstaller as malware to something that is more specific and more likely to really be malware. I think your rules became popular, and as a consequence now nobody can use pyinstaller to build an exe anymore. If you want to see people having troubles creating exes with pyinstaller check here, here or here.

Have a good day,
Luca

Why is it a good idea to flag occurrences of fairly generic-looking messages in strings as ransomware?

https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/Ekans.yar

Surely there's a better way to detect ransomware that isn't susceptible to falsely flagging random people...