The YARA User Guide: How to Install and Scan for .onion Strings


The power of YARA is undisputed in the world of cybersecurity, proving to be an essential tool for hunting malware. Here's a quick guide on how to install YARA and use it to search for .onion strings in .txt files, a common occurrence in ransomware notes. We'll be working with the YARA rule "Cyberwarzone.com Ransomware Note Example".

Getting Started: Installing YARA

  1. For Windows Users: Head to the official GitHub repository of YARA and download the latest YARA release for Windows. Once the download is complete, unzip the file and move the YARA executable to a location in your PATH, for example C:\Windows\System32 or a folder of your liking. Open a Command Prompt and type "yara -h" to ensure it's correctly installed.
  2. For Linux/Mac Users: Open a Terminal window and use the package manager to install YARA. On Ubuntu, for instance, use the command "sudo apt install yara".

Crafting the YARA Rule

Now, let's create the "Cyberwarzone.com Ransomware Note Example" rule to scan for .onion strings in text files.

Create a new file with a .yar extension. In the file, enter the following:

rule Cyberwarzone_com_Ransomware_Note_Example {
    strings:
        // Unanchored, case-sensitive regex: matches ".onion" anywhere in the file
        $onion_link = /\.onion/
    condition:
        $onion_link
}

In this rule, we've defined a regex string ($onion_link) that matches the ".onion" suffix of Tor hidden-service URLs. The rule will trigger if it finds one or more matches for $onion_link anywhere in a scanned file.

Scanning Files with YARA

Once you have your YARA rule ready, you can use it to scan .txt files. Here’s how:

  1. Navigate to the directory containing the .txt files you wish to scan.
  2. Run the following command in your terminal or command prompt: "yara -r Cyberwarzone_com_Ransomware_Note_Example.yar [folder which contains your data]"

This command tells YARA to recursively (-r) scan all files in the specified directory with the Cyberwarzone_com_Ransomware_Note_Example.yar rule.

YARA will print out any matches it finds, which can help you identify potential ransomware notes containing .onion links.

Remember, YARA is a powerful tool in your cybersecurity arsenal. With a little practice, you can craft complex rules to help you uncover all kinds of cybersecurity threats. Happy hunting!

Practice with the same dataset

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
