
Recipe: YARA rule writer for malware sample

Generate high-signal YARA rules from a captured binary using Meridian's static analysis pipeline.

Prerequisites

  • Meridian CLI v2.1+ installed and authenticated
  • A malware sample in PE, ELF, or Mach-O format
  • Sample hash recorded in your case file

Step 1 — Ingest the sample

Upload the binary to Meridian. The platform computes hashes, extracts strings, and fingerprints the import table automatically.

meridian ingest ./samples/stealer.bin --case CASE-0042

Step 2 — Run the YARA recipe

The recipe scans for unique byte sequences, rich string constants, and import combinations that survive common packers.

meridian recipe run yara-rule-writer --sample-id 0x7f3a

Step 3 — Review the output

Meridian emits a ready-to-deploy .yar file with metadata, condition blocks, and a false-positive risk score. Review the strings before deploying: a generic path prefix such as C:\Users\ appears in a great deal of legitimate software and only carries signal in combination with the more specific opcode sequence, which is why the condition requires both.

rule Stealer_CASE0042 {
  meta:
    author = "Meridian YARA Recipe"
    hash   = "a3f1b9c..."
    score  = "high"
  strings:
    $s1 = "C:\\Users\\" wide ascii    // backslashes must be escaped in YARA text strings
    $s2 = { 48 8B 45 F0 48 89 45 E8 }
  condition:
    uint16(0) == 0x5A4D and 2 of them  // MZ header plus both strings (2 of 2)
}

Tuning tips

  • Increase the string minimum length so that short, generic strings (DLL names, common API names, path prefixes) are not emitted as rule strings
  • Add a filesize cap to the condition block (for example filesize < 2MB); packed variants are small, and the cap keeps the rule from being evaluated against large legitimate binaries
  • Use --aggressiveness low for enterprise-wide deployment, where a false positive costs more than a missed variant
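
The tuning tips above applied in code, as an added example that is not Meridian's pipeline or output: candidate strings are filtered by a minimum length and against a small benign corpus, the survivors are rendered as correctly escaped YARA text strings, and a filesize cap is written into the condition. The strings, the benign corpus, MIN_LEN, FILESIZE_CAP and the function names are all constructed for illustration.

```python
# Added example, not Meridian's code: applies the tuning tips (minimum string
# length, benign-corpus filtering, filesize cap) to candidate strings and emits
# a YARA rule with correctly escaped text strings. All inputs are constructed.

MIN_LEN = 8             # hypothetical minimum string length
FILESIZE_CAP = "2MB"    # hypothetical cap; YARA accepts KB/MB suffixes

# Strings "extracted" from the sample (constructed, not from a real binary).
SAMPLE_STRINGS = [
    "C:\\Users\\",                                   # generic path prefix
    "kernel32.dll",
    "GetProcAddress",
    "MZ",
    "x0r!k3y",
    "SELECT origin_url, username_value, password_value FROM logins",
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
]

# Strings also seen in a small corpus of clean binaries (constructed).
BENIGN_STRINGS = {"C:\\Users\\", "kernel32.dll", "GetProcAddress", "MZ"}


def yara_text_string(s):
    """Render s as a YARA double-quoted text string.

    YARA text strings accept only the escapes backslash-backslash,
    backslash-quote, backslash-t, backslash-n and backslash-xNN, so a raw
    Windows path ending in a backslash would otherwise swallow the closing
    quote and leave the literal unterminated.
    """
    out = []
    for ch in s:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\t":
            out.append("\\t")
        elif ch == "\n":
            out.append("\\n")
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            raise ValueError("non-Latin-1 character; use a hex or wide string")
    return '"' + "".join(out) + '"'


def select_strings(candidates, benign, min_len=MIN_LEN):
    """Drop strings that are too short, duplicated, or present in clean binaries."""
    seen = set()
    keep = []
    for s in candidates:
        if len(s) < min_len or s in benign or s in seen:
            continue
        seen.add(s)
        keep.append(s)
    return keep


def build_rule(name, sha256, candidates, benign, min_len=MIN_LEN,
               filesize_cap=FILESIZE_CAP, min_match=2):
    """Emit a PE-only YARA rule over the surviving strings.

    Raises ValueError when fewer than min_match strings survive: a rule that
    can fire on a single generic string is not worth deploying.
    """
    keep = select_strings(candidates, benign, min_len)
    if len(keep) < min_match:
        raise ValueError("only %d high-signal strings; need %d"
                         % (len(keep), min_match))
    lines = [
        "rule %s {" % name,
        "  meta:",
        '    author = "example rule builder"',
        '    hash   = "%s"' % sha256,
        "  strings:",
    ]
    for i, s in enumerate(keep, 1):
        lines.append("    $s%d = %s wide ascii" % (i, yara_text_string(s)))
    lines += [
        "  condition:",
        "    uint16(0) == 0x5A4D and filesize < %s and %d of ($s*)"
        % (filesize_cap, min_match),
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rule("Stealer_Example", "0" * 64, SAMPLE_STRINGS, BENIGN_STRINGS))
```

With these inputs the generic path prefix, the DLL and API names, and the two short strings are all dropped, and only the credential-store SQL query and the Chrome Login Data path remain, so the rule needs both to fire. Before deploying any generated rule, compile it and run it against the sample and a clean corpus (for example `yara -s rule.yar sample.bin` prints the matching strings), since a rule that compiles is not yet a rule that is safe to hunt with.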

Next: Run the rule against your threat feed with meridian hunt --yara rule.yar