qutluch.bsky.social
@qutluch.bsky.social
When these frail shadows we inhabit now have quit the stage, we'll meet and raise a glass again together in Valhalla.
Reposted
Thanks to @xorhex for an interesting discussion that is worth sharing here. I knew I read this somewhere but here's a fun thing you can do in YARA-X:

2 of ($a*, $b*, 3 of ($c*))

This is documented but not widely known: virustotal.github.io/yara-x/docs/...
Differences with YARA
Documents the differences between YARA-X and YARA.
October 16, 2025 at 5:48 PM
Reposted
New Gist: Age Verification is an Epic fail

On Bluesky's introduction of age verification, selling us to the Fortnite guys, and how the arrogance of Ireland's regulator has seen it deliver the very outcomes it once called "bonkers".

www.thegist.ie/the-gist-age...
The Gist: Age Verification is an Epic fail
From the 21st July 2025, Ireland’s regulator will be enforcing age checks at the door for social media sites in the EU. This is the Gist.
July 13, 2025 at 1:19 PM
Reposted
My reverse engineering workflows survey is still ongoing! In less than 3 minutes, you can fill it in and help out: docs.google.com/forms/d/e/1F...
Reverse Engineering Survey
My name is Max 'Libra' Kersten and I'm a malware analyst. This survey will collect the answers you provide without the need for any personal information. The goal of this survey is to get a better und...
January 16, 2025 at 12:29 PM
Reposted
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies.

They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.
January 8, 2025 at 4:25 PM
Reposted
#100DaysofYara Day 5

My first ELF binary:

github.com/augustvansic...

I also learned how to use x64dbg to attach to a process and follow the kernel32.dll WriteProcessMemory stack call to find where the EDR DLL gets a handle on the process.
January 5, 2025 at 5:00 PM
Reposted
x: @RustyNoob619

#100DaysofYARA Day 5

Added a couple of new YARA rules for TTPs 🐧

The first detects embedded Windows PE payloads stored in a file as Base64.

The second spots modification of memory protection flags, which is typically used for code injection/unpacking.

github.com/RustyNoob-61...
100-Days-of-YARA-2025/Day5.yara at main · RustyNoob-619/100-Days-of-YARA-2025
100 Days of YARA is a challenge to write a YARA rule every day for 100 days - RustyNoob-619/100-Days-of-YARA-2025
January 5, 2025 at 6:21 PM
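An added example of the first idea above (Base64-embedded PE payloads); this is not the rule from the linked repository. A marker only has one Base64 spelling if it always starts on a 3-byte boundary, so a scanner has to look for all three alignments (which is what YARA's `base64` string modifier does). The marker choice (the DOS-stub message) and the carrier samples are constructed here for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed marker: the DOS-stub message present in the header of most PE files.
DOS_STUB = b"This program cannot be run in DOS mode"


def base64_alignments(marker: bytes) -> List[str]:
    """Return the three base64 encodings of `marker`, one per 3-byte alignment,
    trimmed of the characters whose value also depends on neighbouring bytes.
    Searching for only one of them misses two thirds of embedded payloads."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker).decode("ascii").rstrip("=")
        enc = enc[(0, 2, 3)[shift]:]          # leading chars mixed with the shift bytes
        if (shift + len(marker)) % 3:
            enc = enc[:-1]                    # trailing char mixed with whatever follows
        variants.append(enc)
    return variants


def find_base64_pe(data: bytes, marker: bytes = DOS_STUB) -> List[Tuple[int, str]]:
    """Scan `data` for any alignment of the base64-encoded marker.
    Returns (offset, variant) pairs sorted by offset."""
    hits = []
    for variant in base64_alignments(marker):
        for m in re.finditer(re.escape(variant.encode("ascii")), data):
            hits.append((m.start(), variant))
    return sorted(hits)


B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_run(data: bytes, offset: int) -> Optional[bytes]:
    """Decode the whole base64 run containing `offset`, so a hit can be confirmed
    by checking the decoded blob for a real 'MZ' header."""
    for m in B64_RUN.finditer(data):
        if m.start() <= offset < m.end():
            s = m.group().rstrip(b"=")
            if len(s) % 4 == 1:               # a lone trailing char carries no full byte
                s = s[:-1]
            s += b"=" * (-len(s) % 4)         # restore padding the carrier may have dropped
            return base64.b64decode(s)
    return None


def build_samples() -> List[bytes]:
    """Constructed carriers: a fake DOS header embedded in a script string,
    prefixed by 0, 1 and 2 filler bytes so each sample lands on a different
    base64 alignment. The header is not a valid PE, just enough for the demo."""
    fake_pe = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"
               + b"\x0e\x1f\xba\x0e" + DOS_STUB + b".\r\n$")
    samples = []
    for pad in range(3):
        blob = base64.b64encode(b"X" * pad + fake_pe)
        samples.append(b'var payload = "' + blob + b'";')
    return samples


if __name__ == "__main__":
    for pad, sample in enumerate(build_samples()):
        hits = find_base64_pe(sample)
        decoded = decode_b64_run(sample, hits[0][0]) if hits else None
        confirmed = decoded is not None and decoded[pad:pad + 2] == b"MZ"
        print(f"pad={pad} hits={[(o, v[:8]) for o, v in hits]} MZ confirmed={confirmed}")
```

The trimming rules are the part people get wrong: a shift of one byte contaminates the first two output characters, a shift of two contaminates three, and any marker whose end does not fall on a 3-byte boundary has one unreliable trailing character. Decoding the surrounding run and checking for `MZ` is the cheap second stage that keeps a string-only rule from firing on unrelated text that happens to share an alignment.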
Reposted
Crossposting here for #100daysofyara: continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.
January 5, 2025 at 11:43 AM
Reposted
🦔 📹 Video: Learn how to write code-based signatures
➡️ using privateloader as example
➡️ what to detect
➡️ where to set wildcards
➡️ how to test your rule on UnpacMe
www.youtube.com/watch?v=oxC9...
#MalwareAnalysisForHedgehogs #privateloader
Malware Analysis - Writing Code Signatures
YouTube video by MalwareAnalysisForHedgehogs
December 7, 2024 at 7:05 AM
Reposted
New blog post for #100DaysofYARA , in this one I look at a VenomRAT sample and create rules based on PE metadata and an encryption salt value.
forensicitguy.github.io/exploring-ve...
#malware
Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara
It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases:
January 3, 2025 at 2:27 AM
Reposted
#100DaysofYARA we're brute forcing Steve's prompt with regular expressions :P

github.com/100DaysofYAR...
January 3, 2025 at 3:12 PM
Reposted
#100DaysOfYara Day 3

Thought this was a Meterpreter implant, but I compared it to an implant I made; much more functionality in the ITW sample. Rule = unique Win32 API calls, IPs, imports.
January 3, 2025 at 3:11 PM
Reposted
#100daysofyara I like taking the approach of having multiple YARA rules to detect the same thing from different perspectives, like these rules for Cronos Crypter. One looks for just strings, another for a string + encryption salt, and a third for the assembly name.
January 2, 2025 at 4:30 AM
Reposted
#100DaysofYARA day 2 - one cluster in my portfolio, TA427 really likes to use password-protected ZIP files with an MSC file as the only embedded file (used to use .VBS files)

let's look for ZIPs that match those features!

github.com/100DaysofYAR...
January 2, 2025 at 1:44 PM
Reposted
#100DaysOfYara Day 2:

LBB.exe, Lockbit 4 PE

github.com/augustvansic...
January 2, 2025 at 3:00 PM
Configured my neovim conform.nvim to run "yr fmt" on save. Looking forward to "yr lint" and hoping someday for a yara-x LSP.
January 1, 2025 at 9:23 PM
Gonna take a hangover day & start #100DaysOfYara late. Couldn't keep up last year & I'll see how it goes this year. I don't have the creativity of @greg-l.bsky.social. Might do some scripting & play more with yara-x like @stvemillertime.bsky.social. I have a half-written gRPC service for file scanning.
January 1, 2025 at 6:24 PM
Reposted
Ok day 1 of #100DaysofYara:

I assigned some strings based on the less common lines from the Lockbit 4 loader that would likely be common in malicious code and not typically in normal admin, as well as a hex string for the PE itself
January 1, 2025 at 5:19 PM
Reposted
#100DaysofYARA day 1 - the Amos stealer is regularly evolving and updating its obfuscation techniques

You know what isn't changing?

the dylibs it depends on and the entitlements it requests from the OS. Combined, they give us excellent signal

github.com/100DaysofYAR...
January 1, 2025 at 4:36 PM
Reposted
#100DaysofYARA 2025 edition begins tomorrow!

Any #CTI or #detectionengineering folks looking for a self-paced challenge to start the year with a laid back & fun community? Look no further!

The challenge is simple - write a YARA rule every day for 100 days
December 31, 2024 at 6:47 PM
Reposted
For all my math peeps out there: 2025 is a pretty amazing mathematical arrangement.

1. 2025 is a perfect square (45×45=2025)

2. 2025 is the sum of digits of cubes from 1 to 9 (1³ + 2³ + 3³ + ... + 9³ = 2025)

3. 2025 is the first square year after 1936

(Cont…)
January 1, 2025 at 11:11 AM