
Malware hunting is a service that lets you hook onto the stream of files submitted to VirusTotal and get notified whenever one of them matches a rule written in the YARA language. If you have never used YARA before, we recommend that you start by reading the YARA documentation and getting familiar with it. You can also visit the YARA official page for additional tools and resources.

By applying YARA rules to the files submitted to VirusTotal you can obtain a constant flow of malware files classified by family, discover new malware files not detected by antivirus engines, collect files written in a given language or packed with a specific run-time packer, create heuristic rules to detect suspicious files and, in general, enjoy the benefits of YARA's versatility applied to the huge number of files processed by VirusTotal every day.

Malware hunting applies your YARA rules to every file submitted to VirusTotal, no matter its type. If the file is a Portable Executable (PE) packed with some kind of run-time packer, it is unpacked and both the packed and unpacked versions of the file are scanned with YARA. When some file matches one of your rules, a notification is issued with details about the file and the matching rule.

Malware hunting notifications can be integrated into your own infrastructure through email notifications, an RSS feed or a JSON feed.

Writing rules
Antivirus detections externals
Virustotal tags externals
Alerts specific hash submissions
Hunting for file types
Notifications based on submission file name
Hunting according to behaviour
Other supported YARA modules
Retrohunt

Writing rules

In-depth information about how to create your rules can be found in the YARA documentation; however, there are malware hunting-specific features that can be very useful in many situations. These additional features, also known as externals, are detailed in the following paragraphs.

Antivirus detections externals

In malware hunting your rules can take into account not only the contents of the file itself, but also the signatures generated by the different antivirus engines that scanned the file, which means that you can construct rules stating: "give me the files containing the strings 'foo' and 'bar', and detected by more than two antivirus vendors" or "give me the files detected by antivirus X" or "give me new files that antivirus X detects as 'baz'". The following examples speak for themselves:

rule Example_1
{
  strings:
    $a = "dummy"
  condition:
    // Files containing 'dummy' and detected by Norman
    $a and norman
}

rule Example_2
{
  condition:
    // Files detected by Panda or F-Secure
    panda or f_secure
}

rule Example_3
{
  condition:
    // Files detected by more than 10 engines.
    positives > 10
}

rule Example_4
{
  condition:
    // New files (never submitted to VirusTotal before) detected by more than 10 engines.
    new_file and positives > 10
}

rule Example_5
{
  condition:
    // F-Secure signature matches the given regular expression
    f_secure matches /Trojan\.Generic.*/
}

rule Example_6
{
  condition:
    // F-Secure signature contains the given string
    f_secure contains "Trojan.Generic"
}

rule Example_7
{
  condition:
    // Any antivirus signature contains the given string
    signatures contains "Trojan"
}

rule Example_8
{
  condition:
    // Any antivirus signature matches the given regular expression
    signatures matches /Trojan\.Generic.*/
}

rule Example_9
{
  condition:
    // New file where any antivirus signature matches the given regular expression
    new_file and signatures matches /Trojan\.Generic.*/
}

The full list of accepted antivirus variable names is the same as the one used for file searches.

Virustotal tags externals

You can also search for files tagged with specific keywords. Our system adds certain tags to files according to their type, properties, characteristics, origin and other factors. For example, digitally signed executable files are tagged as signed, files filled with a bunch of zeros are tagged as zero-filled, files contained in the National Software Reference Library are tagged as nsrl, and so on. You can search for files tagged in specific ways by using the tags variable.

The full list of available tags can be found in the file search tag modifier section.

rule Example_10
{
  condition:
    // Search for files tagged as "nsrl" but not as "zero-filled"
    tags contains "nsrl" and not tags contains "zero-filled"
}
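The antivirus and tag externals above are usually combined with ordinary content matching rather than used alone. The following rule is an added example (not VirusTotal's own) that ties them together: it looks for newly submitted files that carry a constructed marker string, have a low but non-zero detection count, are labelled by at least one engine with a generic trojan name, and are not known-good NSRL files. The marker string is a placeholder and the detection thresholds are arbitrary choices for the example.

```yara
// Added example combining a content string with several VirusTotal hunting externals.
// "EXAMPLE_MARKER_STRING" is a constructed placeholder, not a real malware artefact.
rule Hunt_Generic_Trojan_LowDetection
{
  meta:
    description = "Constructed example: new, lightly detected files with a marker string and a generic trojan signature"
    author = "added example, not part of the original page"

  strings:
    // Placeholder content indicator; replace with the real strings you want to track.
    $marker = "EXAMPLE_MARKER_STRING" ascii wide

  condition:
    // Content must match first (cheap and narrows the candidate set).
    $marker and
    // Hunting externals: never seen by VirusTotal before...
    new_file and
    // ...detected by at least one engine but no more than five...
    positives >= 1 and positives <= 5 and
    // ...with at least one engine naming it a generic trojan...
    signatures matches /Trojan\.Generic/ and
    // ...and not part of the NSRL known-software corpus.
    not tags contains "nsrl"
}
```

Outside VirusTotal the externals positives, signatures, new_file and tags are undefined, so the rule will not compile locally as-is. To syntax-check it with the yara command-line tool, define each external with the -d VAR=VALUE option (for example -d new_file=true -d positives=3 -d signatures="Trojan.Generic.Example" -d tags="") before pointing it at a test file.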

Alerts specific hash submissions

Should you want to be alerted whenever a file with a given hash is submitted to VirusTotal, there is also a way to do this.

You can search for files with a given md5, sha1, sha256, ssdeep or imphash value by using the corresponding YARA external keyword:

rule Example_11
{
  condition:
    // Search for a specific MD5 hash
    md5 contains "fdf222580fdebf12f3ec0a3324a37ca9"
}

rule Example_12
{
  condition:
    // Search for a specific SHA256 hash
    sha256 contains "c33242120033264a44e626b48d6ab5a9046358074977e553a3e9a90954cff82c"
}

rule Example_13
{
  condition:
    // Search for a specific imphash
    imphash contains "c7aaeea671e489e6c9e04d34e80606c1"
}

Hunting for file types

You can hunt for specific file types by using the file_type variable. The file_type variable is a string containing one or more keywords that describe the type of the file. For example, the file_type variable for a 32-bit Windows PE EXE is "executable windows win32 pe peexe", and if the file is a DLL then file_type is "executable windows win32 pe pedll". If you want to search only for DLLs, your rule would look like:

rule Example_14
{
  condition:
    // Search for Windows DLL files
    file_type contains "pedll"
}

On the other hand, if you want to search for 32-bit PE files, no matter whether they are EXEs or DLLs, your rule would look like:

rule Example_15
{
  condition:
    // Search for Windows PE files, both DLLs and EXEs
    file_type contains "pe"
}

Other examples are:

rule Example_16
{
  condition:
    // Search for PDF files
    file_type contains "pdf"
}

rule Example_17
{
  condition:
    // Search for compressed files, no matter which format.
    file_type contains "compressed"
}

This is the full list of available file types with the corresponding value of the file_type variable.

File type                                Value of file_type
OpenOffice Draw                          document openoffice draw odg
Win32 EXE                                executable windows win32 pe peexe
Win32 DLL                                executable windows win32 pe pedll
Windows Installer                        installer windows msi
E-book                                   document ebook epub
LaTeX                                    document latex
TrueType Font                            font truetype ttf
Embedded OpenType font                   font opentype eof
Web Open Font Format                     font openfont woff
Compiled HTML Help                       chm help
Win16 EXE                                executable windows win16 ne neexe
Win16 DLL                                executable windows win16 ne nedll
Shell script                             script shell
DOS EXE                                  executable dos mz
DOS COM                                  executable dos com
AWK                                      source awk
COFF                                     executable coff
ELF                                      executable linux elf
Linux kernel                             linux
Linux RPM package                        linux rpm
Linux                                    linux
Mach-O                                   executable mac macho
Java Bytecode                            executable java-bytecode class
Macintosh Disk Image                     executable mac dmg
Debian Package                           executable linux deb
Apple software package                   executable mac pkg
ZIP                                      compressed zip
GZIP                                     compressed gzip
BZIP                                     compressed bzip
RZIP                                     compressed rzip
DZIP                                     compressed dzip
7ZIP                                     compressed 7zip
Windows shortcut                         windows lnk
JAR                                      compressed jar
RAR                                      compressed rar
MS Compress                              compressed mscompress
ACE                                      compressed ace
ARC                                      compressed arc
ARJ                                      compressed arj
ASD                                      compressed asd
BlackHole                                compressed blackhole
KGB                                      compressed kgb
ZLIB                                     compressed zlib
TAR                                      compressed tar
Google Chrome Extension                  crx chrome extension browser
Mozilla Firefox Extension                xpi firefox extension browser
HTML                                     internet html
XML                                      internet xml
Flash                                    internet flash swf
FLA                                      multimedia video fla
IE cookie                                internet iecookie
BitTorrent link                          internet bittorrent
Email                                    internet email
Outlook                                  internet email outlook
JPEG                                     multimedia image jpeg jpg
TIFF                                     multimedia image tiff
GIF                                      multimedia image gif
PNG                                      multimedia image png
BMP                                      multimedia image bmp
GIMP                                     multimedia image gimp
Adobe InDesign                           multimedia image indesign
Adobe Photoshop                          multimedia image photoshop psd
Targa                                    multimedia image targa
XWS                                      multimedia image xwd
DIB                                      multimedia image dib
JNG                                      multimedia image jng
ICO                                      multimedia image ico
FlashPix                                 multimedia image fpx
EPS                                      multimedia image eps
SVG                                      multimedia image svg
Windows Enhanced Metafile                multimedia image emf
AppleDouble Format                       apple appledouble
C                                        source c
C++                                      source cpp
Text                                     text
Script                                   script
PHP                                      source php
Python                                   source python
Perl                                     source perl
Ruby                                     source ruby
OGG                                      multimedia video ogg
FLC                                      multimedia animation flc
FLI                                      multimedia animation fli
MP3                                      multimedia audio mp3
FLAC                                     multimedia audio flac
WAV                                      multimedia audio wav
MIDI                                     multimedia audio midi
AVI                                      multimedia video avi
MPEG                                     multimedia video mpeg
QuickTime                                multimedia video quicktime qt
ASF                                      multimedia video asf
DivX                                     multimedia video divx
FLV                                      multimedia video flv
WMA                                      multimedia audio wma
WMV                                      multimedia video wmv
RealMedia                                multimedia video realmedia rm
MOV                                      multimedia video mov
MP4                                      multimedia audio mp4
3GP                                      multimedia video 3gp
Dyalog                                   source dyalog
Fortran                                  source fortran
ROM BIOS                                 rom bios firmware
Symbian                                  executable mobile symbian
Network capture                          internet cap pcap
ISO image                                compressed isoimage
PDF                                      document pdf
PostScript                               document ps postscript
MS Word Document                         document msoffice text word doc
Office Open XML Document                 document msoffice text word docx
MS PowerPoint Presentation               document msoffice presentation powerpoint ppt
Office Open XML Presentation             document msoffice presentation powerpoint pptx
MS Excel Spreadsheet                     document msoffice spreadsheet excel xls
Office Open XML Spreadsheet              document msoffice spreadsheet excel xlsx
Rich Text Format                         document msoffice text word rtf
Office Open XML Slide Show               document msoffice presentation powerpoint slideshow ppsx
Java                                     source java
Apple related                            apple apple-gen
Macintosh related                        apple macintosh mac macintosh-gen
AppleSingle Format                       apple applesingle
CAB                                      compressed cab
Macintosh HFS                            apple macintosh mac machfs
Apple Plist                              apple appleplist
Macintosh Library                        apple mac maclib
Pascal                                   source pascal
PalmOS                                   executable mobile palmos
WinCE                                    executable mobile wince
Android                                  executable mobile android apk
iPhone                                   executable mobile iphone ios
OpenOffice Presentation                  document openoffice presentation odp
OpenOffice Spreadsheet                   document openoffice spreadsheet ods
OpenOffice Document                      document openoffice text odt
Hangul (Korean) Word Processor document  document hangul text hwp
Samsung document                         document samsungdoc text gul
OpenOffice Math                          document openoffice math odf

Notifications based on submission file name

Very often the file name with which a file is sent to VirusTotal reveals the nature of the file. For example, a file named banker-santander.exe could correspond to a submission by a malware researcher studying a banking trojan targeting Banco Santander.

To hunt for files according to their submission file name, use the file_name YARA external keyword.

rule Example_18
{
  condition:
    // Search according to submission file name
    file_name contains "lloyds"
}

Hunting according to behaviour

As you may know, VirusTotal tries to run every Portable Executable file submitted to the service in a controlled environment in order to log its behaviour: file system changes, registry modifications, processes launched, etc.

Behaviour searches are supported in Malware Hunting thanks to YARA's cuckoo module; make sure you read its documentation to get familiar with all the supported behavioural features.

This means, for example, that you can write rules for files that send an HTTP request to a specific domain or that access a given registry key:

import "cuckoo"

rule example_19
{
  condition:
    cuckoo.network.http_request(/http:\/\/evildomain\.com/)
}

rule example_20
{
  condition:
    cuckoo.registry.key_access(/\\Software\\Microsoft\\Windows\\CurrentVersion\\Run/)
}

Other supported YARA modules

The following is a full list of all the YARA modules that are supported in Malware Hunting:

PE module (advanced Portable Executable structural characteristics)
Cuckoo module (execution behaviour patterns)

Retrohunt

Besides hunting for files in real time as they arrive at VirusTotal, you can also apply your YARA rules to files sent in the past with the Retrohunt feature. The concept is simple: put your YARA rules in the provided text box, launch your Retrohunt job and you will get a list of the files matching your rules. The process can take a few hours, as it scans multiple terabytes of data, but you can provide an email address if you want to be notified when the scan finishes.

However, note that none of the Malware Hunting-specific features work with Retrohunt, including rules based on the number of positives, antivirus signatures, tags, file type and Cuckoo behaviour reports. Only pure YARA rules will work.
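The two sections above (supported modules and Retrohunt) imply a practical pattern: write the live hunting rule with externals, and keep a second, Retrohunt-compatible rule that expresses the same structural idea with the PE module alone. The following pair is an added example, not VirusTotal's own. It relies on the real YARA PE module fields pe.machine, pe.characteristics, pe.number_of_signatures and the constants pe.MACHINE_I386 and pe.DLL; the marker string is a constructed placeholder, and it is included because "unsigned 32-bit DLL" on its own would match a large share of all DLLs ever submitted.

```yara
import "pe"

// Live hunting version: uses the VirusTotal externals new_file, file_type and positives,
// which are undefined in Retrohunt and outside VirusTotal.
rule Hunt_Unsigned_Win32_DLL_LowDetection
{
  meta:
    description = "Constructed example: new 32-bit DLLs without an Authenticode signature and few detections"
    author = "added example, not part of the original page"

  strings:
    // Placeholder content indicator (constructed); narrows the otherwise very broad structural match.
    $marker = "EXAMPLE_MARKER_STRING" ascii wide

  condition:
    new_file and
    file_type contains "pedll" and
    positives < 3 and
    // PE module: no embedded Authenticode signature at all.
    pe.number_of_signatures == 0 and
    $marker
}

// Retrohunt-compatible version: same idea, but the type checks come from the PE module and the
// MZ header instead of file_type, and the detection-count filter is dropped because
// positives is not available in Retrohunt.
rule Retro_Unsigned_Win32_DLL
{
  meta:
    description = "Constructed example: 32-bit DLLs without an Authenticode signature, usable in Retrohunt"
    author = "added example, not part of the original page"

  strings:
    $marker = "EXAMPLE_MARKER_STRING" ascii wide

  condition:
    // "MZ" magic at offset 0 (little-endian 0x5A4D) keeps the PE module from being evaluated on non-PE data.
    uint16(0) == 0x5A4D and
    // 32-bit x86 image, as file_type "win32" would express in the hunting version.
    pe.machine == pe.MACHINE_I386 and
    // IMAGE_FILE_DLL characteristic set, as file_type "pedll" would express.
    (pe.characteristics & pe.DLL) != 0 and
    pe.number_of_signatures == 0 and
    $marker
}
```

The Retrohunt rule will return more files than the live rule for the same corpus, since nothing replaces the positives threshold; when porting a hunting rule to Retrohunt, compensate by tightening content strings or adding further PE module conditions rather than by expecting the externals to silently evaluate to something.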