Hello everyone! Until seeing this blog from _n1ghtw0lf, I did not know that we can use YARA rules for configuration extraction. He wrote a YARA rule for dotnet samples using dotnet and a custom module. Then, it is inspired me to do the same thing for other kinds of samples besides samples that are written in dotnet. However, I could not find any module that gets the data at the given offset. Thus, I decided to write my own helper. Also, I will give an example YARA rule that uses this module to extract the Danabot sample’s configuration. Configuration Extraction with YARA
so.cl
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer