Binsequencer Logo

Binsequencer

0
Free
Visit Website

Binsequencer is intended to scan a corpus of similar malware (family/campaign/like-tools) and build a YARA rule that will detect similar sections of code. Specifically, each file will be analyzed and have their data abstracted into sequences of x86 instruction sets. These sets are then used in a sliding window to find commonality across the entire sample corpus. Upon finding an acceptable match, the application will attempt various methods of techniques to create a YARA match moving most specific to least. In the least specific matching, it will convert the matched instruction sets into a series of x86 opcodes, surrounded by wildcards, for usage in a YARA rule. There are a couple of options to adjust the minimum length of the instruction set, but 25 has proven to be fairly reliable while testing samples. If you go too low, you'll start matching more samples that may be unrelated. You can also choose how many matches you want to use for your YARA rule and the application will attempt to find unique instruction sets. Additionally, while the script is intended to be run on x86 PE files, you can instruct it to run on non-PE (JAR/PDF/etc) files or just about any other type of file.

FEATURES

ALTERNATIVES

A binary analysis and management framework for organizing and analyzing malware and exploit samples, and creating plugins.

Discontinued project for file-less persistence, attacks, and anti-forensic capabilities on Windows 7 32-bit systems.

A program to manage yara ruleset in a database with support for different databases and configuration options.

Kaitai Struct is a declarative language for describing binary data structures.

VxSig is a tool to automatically generate AV byte signatures from similar binaries.

A minimal, consistent API for building integrations with malware sandboxes

Generate Yara rules from function basic blocks in x64dbg.

Automate the process of writing YARA rules based on executable code within malware.