Using Yara for Detecting Bloated Overlays

Lately, malware authors have been using overalys in PE files to add unnecessary size to the main executable. These files, typically delivered in an archive, inflate to a large size, often disrupting analysis pipelines. In this video, we'll discuss ways to create a custom Yara rule to detect large overlays.

Sample: https://tria.ge/230309-s5taradb64

00:00 Introduction
00:57 My Approach to Creating the Rule
01:35 Viewing the Overlay
02:03 Entropy Calculation
02:43 My Approach to the Yara Rule
03:41 Testing

analysis archive authors detect discuss entropy files introduction large main malware overlay overlays pipelines size testing video yara