This article has been indexed from VirusTotal Blog
Good news for all threat hunters! As announced in our latest release notes, the “dotnet” YARA module is now available for both your Livehunt and Retrohunt rules. This module lets you inspect features and characteristics of .NET executable files, such as the GUIDs used, .NET assembly metadata, resources and so on.
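A hunting-rule skeleton that touches each of the feature groups just named (GUIDs, assembly metadata, resources). This is an added illustration, not code from the original post or from AlienVault; the rule name, GUID, assembly name and resource name are constructed placeholders to be replaced with values taken from a sample you have analysed.

```yara
import "dotnet"

rule Example_DotNet_Feature_Hunt
{
    meta:
        description = "Added example: GUID, assembly and resource checks via the dotnet module"
        note = "All compared values are constructed placeholders"

    condition:
        // Cheap pre-filter: PE files start with 'MZ'
        uint16(0) == 0x5A4D and

        // On non-.NET files the dotnet fields are undefined, so the
        // comparisons below simply evaluate to false.
        dotnet.number_of_guids > 0 and

        // GUIDs: match a project GUID or the typelib GUID of a known family
        (
            dotnet.typelib == "00000000-0000-0000-0000-000000000000" or
            for any i in (0 .. dotnet.number_of_guids - 1) : (
                dotnet.guids[i] == "00000000-0000-0000-0000-000000000000"
            )
        ) and

        // Assembly metadata: name and version recorded in the manifest
        dotnet.assembly.name == "ExampleAssembly" and
        dotnet.assembly.version.major == 1 and

        // Resources: a named managed resource of plausible size
        dotnet.number_of_resources > 0 and
        for any i in (0 .. dotnet.number_of_resources - 1) : (
            dotnet.resources[i].name == "ExampleAssembly.Properties.Resources.resources" and
            dotnet.resources[i].length > 1024
        )
}
```

GUID matches generalise better across rebuilt variants than string or hash matches, so in practice the GUID clause usually carries the rule and the assembly and resource clauses narrow false positives.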
As an example, the following YARA rule published by AlienVault uses several features provided by the “dotnet” module to detect Shrug ransomware:
import "dotnet"
rule ShrugRansomware {
    meta:
        author = "AlienVault L
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
Read the original article: YARA “dotnet” module now available for Livehunt and Retrohunt