Yara Rules Retrieval
Retrieves specific Yara rules from the community rule set by name. Allows users to fetch one or multiple rules for inspection, customization or context enrichment. This endpoint is supplemental: it looks up rules that matched in other Yara endpoint results, for when the user wants the full rule content rather than only the rule metadata.
API Endpoint
POST /analysis/yara/rules
HTTP Headers
- Content-Type: application/json
- X-Cursed-Api-Token: API token for authentication (optional)
Request Method
POST
Parameters
Request Body (JSON):
Parameter | Type | Required | Description |
---|---|---|---|
rule_names | array | Yes | Array of Yara rule names to retrieve |
Request Body Schema
{
"rule_names": ["string", "string", ...]
}
Response Format
Success Response (200 OK):
{
"results": {
"rule_name_1": ["rule_content_line_1", "rule_content_line_2", ...],
"rule_name_2": ["rule_content_line_1", "rule_content_line_2", ...],
...
}
}
Response Schema
The response contains a dictionary where:
- results is an object containing a dictionary of rule variants
- Keys are the requested rule names
- Values are arrays of strings representing the rule content line by line
Error Response (400 Bad Request):
{
"error": "Invalid rule names provided"
}
Error Response (404 Not Found):
{
"error": "One or more rules not found"
}
Error Response (500 Internal Server Error):
{
"error": "An error occurred while processing your request. If you would like to report it contact us via the feedback form on cursed.tools/feedback and quote the following ID: [uuid]"
}
Error Codes
HTTP Status | Description |
---|---|
200 | Success - Rules retrieved successfully |
400 | Bad Request - Invalid rule names or empty request |
404 | Not Found - One or more requested rules not found |
500 | Internal Server Error - Server processing error |
Example cURL Command
curl -X POST https://api.cursed.tools/analysis/yara/rules \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"rule_names": [
"apt_malware_family",
"trojan_backdoor_generic",
"suspicious_pe_sections"
]
}'
Example with API Token
curl -X POST https://api.cursed.tools/analysis/yara/rules \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"rule_names": ["apt_malware_family"]
}'
Example Response
{
"results": {
"apt_malware_family": [
"rule APT_Malware_Family",
"{",
" meta:",
" description = \"Detects APT malware family signatures\"",
" author = \"Malware Research Team\"",
" date = \"2025-01-01\"",
" severity = \"high\"",
" family = \"APT29\"",
" reference = \"https://example.com/apt29-analysis\"",
" ",
" strings:",
" $mz_header = { 4D 5A }",
" $api_call1 = \"CreateProcess\" ascii",
" $api_call2 = \"WriteProcessMemory\" ascii",
" $registry_key = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\" ascii",
" $hex_pattern = { E8 ?? ?? ?? ?? 83 C4 ?? }",
" ",
" condition:",
" $mz_header at 0 and",
" 2 of ($api_call*) and",
" ($registry_key or $hex_pattern)",
"}"
],
"trojan_backdoor_generic": [
"rule Trojan_Backdoor_Generic",
"{",
" meta:",
" description = \"Generic backdoor trojan detection\"",
" author = \"Security Team\"",
" date = \"2025-01-01\"",
" severity = \"medium\"",
" category = \"trojan\"",
" ",
" strings:",
" $backdoor1 = \"backdoor\" nocase",
" $backdoor2 = \"remote_shell\" nocase",
" $network1 = \"socket\" ascii",
" $network2 = \"connect\" ascii",
" $pe_header = { 4D 5A 90 00 }",
" ",
" condition:",
" $pe_header at 0 and",
" any of ($backdoor*) and",
" any of ($network*)",
"}"
]
}
}
Rule Name Patterns
Yara rule names in the community collection typically follow these patterns:
- Malware Family: apt_<family_name>, trojan_<variant>, ransomware_<name>
- File Type: pe_<description>, elf_<description>, pdf_<description>
- Behavior: suspicious_<behavior>, malicious_<activity>
- Source: <source>_<description> (e.g., virustotal_collection)
Example Rule Categories
Malware Detection
- apt29_cozy_bear - APT29/Cozy Bear malware signatures
- emotet_banking_trojan - Emotet banking trojan detection
- wannacry_ransomware - WannaCry ransomware indicators
File Analysis
- pe_packer_upx - UPX packed PE file detection
- pdf_exploit_cve2023 - PDF exploit detection
- office_macro_suspicious - Suspicious Office macros
Behavioral Detection
- process_injection_technique - Process injection patterns
- registry_persistence_method - Registry persistence mechanisms
- network_beacon_pattern - C2 beacon communication patterns
Notes
- This endpoint is primarily for retrieving existing community rules that have provided matches in other Yara endpoint results
- Rules are returned as arrays of strings, with each string representing a line in the Yara rule
- Authentication is optional but may be required for rate limiting purposes
- The endpoint does not consume quota for authenticated users currently
- Rule names must match exactly (case-sensitive)
- Rules may have variants with similar names for different file types or contexts
- If any requested rule is not found, the entire request may fail
- Rules are maintained and updated by the malware research community
- The response format allows for easy parsing and manipulation of rule content
- Rules can be modified and used in custom Yara analysis jobs
- Rule names are typically descriptive of the malware family, behavior, or file type
- Community rules include signatures from security researchers, threat intelligence feeds, and open source collections
- Rules support all Yara-X features including imports, modules, and advanced condition logic
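The following client is an added example, not part of the cursed.tools documentation or SDK. It builds the POST request described above, maps the documented 400/404/500 error envelopes to an exception, validates that each result is an array of strings, and re-joins those lines into rule source. The endpoint URL and header name are taken from this page; the function names, the constructed sample response and the `send` hook (which lets the client run offline) are assumptions.

```python
import json
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

RULES_URL = "https://api.cursed.tools/analysis/yara/rules"  # from the page
TOKEN_HEADER = "X-Cursed-Api-Token"                         # from the page

class YaraRulesError(Exception): pass  # documented 400/404/500 envelopes or a malformed 200 body

def build_request(rule_names: List[str], token: Optional[str] = None) -> urllib.request.Request:
    """Build the POST; names are matched exactly (case-sensitive) and the list must be non-empty."""
    if not rule_names or any(not isinstance(n, str) or not n for n in rule_names):
        raise ValueError("rule_names must be a non-empty list of non-empty strings")
    headers = {"Content-Type": "application/json"}
    if token:
        headers[TOKEN_HEADER] = token
    body = json.dumps({"rule_names": rule_names}).encode()
    return urllib.request.Request(RULES_URL, data=body, headers=headers, method="POST")

def parse_rules_response(status: int, body: bytes) -> Dict[str, str]:
    """Map {"results": {name: [line, ...]}} to {name: rule_source}; raise on any error status."""
    payload = json.loads(body)
    if status != 200:
        raise YaraRulesError(f"HTTP {status}: {payload.get('error', 'unknown error')}")
    results = payload.get("results")
    if not isinstance(results, dict):
        raise YaraRulesError("response is missing the 'results' object")
    rules = {}
    for name, lines in results.items():
        if not isinstance(lines, list) or not all(isinstance(ln, str) for ln in lines):
            raise YaraRulesError(f"rule {name!r}: content is not an array of strings")
        rules[name] = "\n".join(lines)  # re-join the per-line array into rule source text
    return rules

def http_send(req: urllib.request.Request) -> Tuple[int, bytes]:
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies still carry the documented error JSON
        return err.code, err.read()

def fetch_rules(rule_names: List[str], token: Optional[str] = None, send=http_send) -> Dict[str, str]:
    """Fetch rule sources; pass a stub `send` to run offline, as sample_send below does."""
    status, body = send(build_request(rule_names, token))
    return parse_rules_response(status, body)

# Constructed stand-in for the live API, mirroring the page's example response (not real data).
SAMPLE_BODY = {"results": {"apt_malware_family": ["rule APT_Malware_Family", "{", "  condition:", "    true", "}"]}}
def sample_send(req): return 200, json.dumps(SAMPLE_BODY).encode()
```

Because the page notes that a single unknown name may fail the whole request, callers that batch many names should be prepared for a 404 on the entire batch rather than a partial result.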