YARA Rules — Pattern-based malware detection
YARA is a rule language used by malware analysts to describe families and behaviours. Decoder applies YARA-style heuristics during malware scans.
What it is
Declarative rules that match byte/string patterns and metadata to identify malware families.
Why it's useful
Fast, transparent, signature-style detection that explains itself.
How Decoder implements it
Malware scan combines YARA-style heuristics with entropy and behavioural signals.
When to use it
Triaging suspicious binaries, scripts, or dropped payloads in a repo.
When NOT to use it
Novel zero-days with no signature — pair with AI explain and obfuscation detection.
Practical example
A LockBit-style ransom note string trips a rule; severity escalates to Critical.
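A minimal illustration of that flow, added here and not Decoder's own code: a YARA-style rule (named string patterns plus an any/all condition) is applied alongside a Shannon-entropy signal, and the rule's severity escalates the verdict to Critical. The rule strings, the entropy threshold, the severity ranks and the samples are constructed assumptions; the ransom-note phrase is generic, not a real family signature.

```python
import math
from dataclasses import dataclass


@dataclass
class Rule:
    """YARA-style rule: named strings, a condition and the severity it assigns (assumed shape)."""
    name: str
    strings: dict      # identifier -> bytes pattern, like a YARA `strings:` block
    condition: str     # "any" or "all": a minimal stand-in for a YARA condition
    severity: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rule_matches(rule: Rule, data: bytes) -> bool:
    hits = [pattern in data for pattern in rule.strings.values()]
    return any(hits) if rule.condition == "any" else all(hits)


def scan(data: bytes, rules: list, entropy_threshold: float = 7.5) -> dict:
    """Combine rule hits with an entropy signal; the highest-ranked firing rule sets severity."""
    ranks = ["Info", "Low", "Medium", "High", "Critical"]  # assumed severity scale
    report = {"matches": [], "entropy": round(shannon_entropy(data), 2), "severity": "Info"}
    for rule in rules:
        if rule_matches(rule, data):
            report["matches"].append(rule.name)
            if ranks.index(rule.severity) > ranks.index(report["severity"]):
                report["severity"] = rule.severity
    if report["entropy"] >= entropy_threshold:
        report["matches"].append("high_entropy")
        if report["severity"] == "Info":   # entropy alone is a hint, not a verdict
            report["severity"] = "Medium"
    return report


# Constructed rule: a generic ransom-note phrase, not a real family signature
RANSOM_NOTE = Rule("generic_ransom_note",
                   {"$note": b"your files have been encrypted", "$pay": b"bitcoin"},
                   "any", "Critical")

# Constructed samples: benign build output, and a note followed by a uniform-byte tail
BENIGN = b"build succeeded. see README.md for usage.\n" * 4
SUSPECT = b"your files have been encrypted. pay in bitcoin.\n" + bytes(range(256)) * 4
```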
Glossary
- Signature: A reusable pattern that identifies known malware.
- IOC: Indicator of Compromise — an observable artefact of an intrusion.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Decoder parses Windows PE binaries to expose the structural signals a reviewer needs: sections, imports, exports, per-section entropy and known IoCs.
Obfuscation hides intent. Decoder flags suspicious entropy, base64 walls, eval chains, and packing markers so reviewers can focus on what's actually hidden.
LockBit 3.0 leaked source provided a real-world benchmark. This entry walks through what Decoder flags and why — useful as a reference for ransomware patterns.