100 Days of YARA – Day 28: pyinstaller

I frequently encounter malware written in Python that has been packaged into a stand-alone executable with PyInstaller. The bundle carries its own copy of the interpreter, the script's bytecode and its dependencies, so the malware runs whether or not a Python interpreter or the required packages are installed on the victim host.

This rule will find many of these samples, but a match only tells you that the file was built with PyInstaller; it is not evidence that the file is malicious. _MEIPASS is the name of the attribute (sys._MEIPASS) that the PyInstaller bootloader sets to the directory it unpacks the bundle into, so the string is present in every PyInstaller-built executable, benign or not. Expect plenty of legitimate hits and treat the rule as a triage aid rather than an alert on its own.

rule pyinstaller
{
	meta:
		description = "https://www.pyinstaller.org/"

	strings:
		// sys._MEIPASS: the directory the PyInstaller bootloader extracts the bundle into.
		// Present in every PyInstaller-built executable (PE, ELF or Mach-O), not only malware.
		$a = "_MEIPASS"

	condition:
		all of them
}
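To show what an analyst does with a hit from this rule, here is a small triage script. It is an added example, not part of the original post or of PyInstaller itself: it reproduces the rule's _MEIPASS check in Python and then looks for the stronger signal, the CArchive "cookie" that PyInstaller appends to every bundle. The cookie magic and the 88-byte 2.1+ cookie layout (magic, package length, TOC offset, TOC length, Python version, library name) are taken from PyInstaller's archive format as I know it and are stated here as an assumption; the sample bundle is constructed inline and is not a real binary.

```python
"""Triage a file after a `_MEIPASS` YARA hit (added example, not PyInstaller's code)."""
import struct
import sys

# Constant strings that identify a PyInstaller bundle.
MEIPASS_MARKER = b"_MEIPASS"                 # what the YARA rule above looks for
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"    # CArchive cookie magic (assumed from PyInstaller's writer)

# Assumed PyInstaller >= 2.1 cookie layout, big-endian: magic, package length,
# TOC offset, TOC length, Python version, NUL-padded Python library name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)    # 88 bytes


def decode_pyver(pyver: int) -> str:
    """Render the cookie's version field as 'major.minor'.

    Newer bundles store major*100+minor (e.g. 311); older ones major*10+minor (e.g. 37).
    """
    if pyver >= 100:
        return f"{pyver // 100}.{pyver % 100}"
    return f"{pyver // 10}.{pyver % 10}"


def find_cookie(data: bytes):
    """Locate and parse the CArchive cookie, or return None if there is none.

    The bootloader itself carries the magic as a constant, so the real cookie is
    the LAST occurrence: it sits at the very end of the embedded archive.
    """
    idx = data.rfind(COOKIE_MAGIC)
    if idx < 0 or idx + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    cookie_end = idx + COOKIE_SIZE
    if pkg_len > cookie_end:                  # a package cannot start before the file does
        return None
    return {
        "cookie_offset": idx,
        "archive_offset": cookie_end - pkg_len,   # package length counts the cookie itself
        "toc_offset": toc_off,                    # relative to archive_offset
        "toc_length": toc_len,
        "python_version": decode_pyver(pyver),
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage(data: bytes) -> dict:
    """Classify file contents the way an analyst would after a YARA hit."""
    has_marker = MEIPASS_MARKER in data
    cookie = find_cookie(data)
    if cookie:
        verdict = "pyinstaller bundle"
    elif has_marker:
        # A .py source, a library that references sys._MEIPASS, or a stripped bundle.
        verdict = "mentions _MEIPASS but no archive cookie"
    else:
        verdict = "not pyinstaller"
    return {"meipass": has_marker, "cookie": cookie, "verdict": verdict}


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller PE; NOT a real executable."""
    # Fake bootloader: MZ header, the _MEIPASS string and the magic constant the
    # loader uses to search for the cookie (so rfind must skip this copy).
    bootloader = b"MZ" + b"\x00" * 14 + b"_MEIPASS\x00" + COOKIE_MAGIC + b"\x00" * 16
    payload = b"<PYZ and TOC bytes would go here>"
    pkg_len = len(payload) + COOKIE_SIZE      # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(payload) - 8, 8, 311, b"python311.dll")
    return bootloader + payload + cookie


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:                             # no files given: run on the constructed sample
        print(triage(build_sample_bundle()))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it with no arguments to see the constructed sample classified, or pass file paths to triage real hits. Files that contain _MEIPASS but no cookie are the false positives the rule warns about (for example Python source or a library shipping a sys._MEIPASS check); files with a valid cookie are genuine bundles, and the parsed Python version and library name are useful pivots before unpacking the archive.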


One thought on “100 Days of YARA – Day 28: pyinstaller”

  1. Pingback: Week 03 – 2022 – This Week In 4n6
