#malcat 0.9.12 is out!

Enjoy .pyc and .net stack analysis, py 3.14 support, nuitka / inno 6.7 / .net singlefile bundle parsers and many other improvements:

https://malcat.fr/blog/0912-is-out-python-314-pyc-and-net-stack-analysis/

0.9.12 is out: Python 3.14, PYC and .NET stack analysis

Malcat version 0.9.12 is out! This time we have focused on python and dotnet disassembly, with a new stack analysis that should improve their disassembly listing readability. We have also added support for python 3.14 and packed a large number of minor improvements.


The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.

Video showing expanding the NSIS contents
3/7
Running the rule against a file will only tell me that it matched, but not what matched, so I load it into #malcat.

Malcat comes with a lot of YARA rules already but there is a user directory too which allows you to add your own and ensure they persist across updates.
4/10

With #malcat, or other tools, a reverse engineer can investigate those function blocks to understand what they are and why they are unique. For me, I can use this rule for hunting across an environment if desired.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day10.yara
5/5

These scripts are deceptive as they contain 10,000 empty lines. BTW #malcat loads scripts like these better than most text editors.

If I get the chance, I may revise it to see how to find ones without the matching text or if you have ideas, hmu.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day9.yara
3/3

100DaysofYARA/Squiblydoo/Day9.yara at main · Squiblydoo/100DaysofYARA

Rules shared by the community from 100 Days of YARA 2026 - Squiblydoo/100DaysofYARA


For making the rule, I again used #malcat. I highlighted the smaller icon and added it to the YARA rule: "right-click" > "add selection to YARA" > "New rule". Couldn't be easier.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day2.yara
4/4

#Malcat tip:

#Kesakode can be useful even when facing unknown/packed samples. Check "Show UNK" and focus on unique code and strings.

Here is a simple downloader:

My humble contribution to the Malware Analysis Community. Hope it helps!

Thanks @malcat 🙏

#malcat #malware #purelogsstealer

https://prfalken.org/from-winword-to-purelogsstealer-with-malcat/

From WinWord to PureLogsStealer with Malcat – PrFalken's Cyber Security Journey