Cyber Security Academy · Lesson

Hunting with Strings and Hex

Matching malware artifacts.

From Sample to Rule

Hunting starts with a sample. You extract distinctive artifacts, decide which are durable, and encode them into a rule that catches the family without flagging benign files.

The workflow: triage the sample, pull strings and structural traits, separate signal from noise, draft the rule, then test it against both the family and a clean corpus before deploying.

Extracting Candidate Strings

Begin with the strings utility to list printable sequences, capturing both ASCII and UTF-16LE (wide) text. Windows malware often stores its strings as wide, so an ASCII-only pass misses them.

Scan the output for C2 URLs, mutex names, registry paths, custom error messages, PDB paths, and oddly specific text. Ignore generic runtime and compiler strings.

strings -a sample.bin > ascii.txt          # scan the whole file, not just data sections
strings -e l sample.bin > wide.txt         # UTF-16LE (little-endian 16-bit)
grep -iE 'https?://|mutex|\\pipe\\|\.pdb' ascii.txt wide.txt   # \\pipe\\ matches \pipe\ in \\.\pipe\name
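The same triage in code, as an added example that is not part of the lesson: it pulls ASCII and UTF-16LE runs from a file image the way `strings -a` and `strings -e l` do, drops generic compiler and runtime strings, tags what remains by artifact type (URL, named pipe, mutex, registry path, PDB path), and emits a draft YARA rule with the right `ascii`/`wide` modifier on each string. The two byte blobs are constructed here for illustration (a fake loader and a benign-looking file), the noise list is a deliberately small assumption, and the rule name is a placeholder; the clean blob is what lets you check the filter does not flag a benign file.

```python
import re

# Constructed fake Windows binary (not real malware): mixes generic strings with distinctive
# ASCII and UTF-16LE artifacts. Double NULs terminate wide strings so runs do not bleed together.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    + b"http://update-check.example.invalid/gate.php\x00\x00"
    + "Global\\Mx7R4ndomMutex".encode("utf-16le") + b"\x00\x00"
    + "\\\\.\\pipe\\upd_svc".encode("utf-16le") + b"\x00\x00"
    + b"C:\\Users\\dev\\proj\\loader\\Release\\loader.pdb\x00\x00"
    + b"MSVCRT.dll\x00"
)

# Constructed benign file: only generic compiler/runtime strings, used to check for false positives.
CLEAN_SAMPLE = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00GetProcAddress\x00\x00"
    + "MSVCP140.dll".encode("utf-16le") + b"\x00\x00"
)

# Assumed noise list: strings almost every compiled Windows binary carries. Extend per corpus.
GENERIC = re.compile(
    r"^(?:This program cannot be run in DOS mode\.?|[\w.-]+\.dll|(?:Get|Set)\w+|"
    r"LoadLibrary\w*|VirtualAlloc\w*|\.(?:text|rdata|data|rsrc)|Rich)$",
    re.I,
)

# Artifact classes worth keeping, in priority order.
SIGNAL = [
    ("url", re.compile(r"^https?://", re.I)),
    ("pipe", re.compile(r"^\\\\\.\\pipe\\", re.I)),          # \\.\pipe\name
    ("mutex", re.compile(r"^(?:Global|Local)\\", re.I)),     # Global\name, Local\name
    ("registry", re.compile(r"^(?:HKEY_|HK(?:LM|CU|CR|U)\\|SOFTWARE\\)", re.I)),
    ("pdb", re.compile(r"\.pdb$", re.I)),
]


def extract_strings(data: bytes, min_len: int = 6):
    """Return (ascii_strings, wide_strings): printable runs of at least min_len characters,
    ASCII as one byte per char and UTF-16LE as printable byte followed by NUL."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strs = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return ascii_strs, wide_strs


def classify(s: str):
    """Artifact category for a string, or None if it is generic or uninteresting."""
    if GENERIC.match(s):
        return None
    for category, rx in SIGNAL:
        if rx.search(s):
            return category
    return None


def triage(data: bytes):
    """Candidate artifacts as (category, string, encoding) tuples, ASCII hits first."""
    ascii_strs, wide_strs = extract_strings(data)
    hits = []
    for encoding, strs in (("ascii", ascii_strs), ("wide", wide_strs)):
        for s in strs:
            category = classify(s)
            if category:
                hits.append((category, s, encoding))
    return hits


def yara_escape(s: str) -> str:
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def draft_rule(name: str, hits, min_match: int = 2) -> str:
    """Draft a YARA rule: one string per artifact with its encoding modifier, MZ header check,
    and a threshold so a single coincidental string cannot fire the rule."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (category, s, encoding) in enumerate(hits):
        lines.append(f'        $s{i} = "{yara_escape(s)}" {encoding}  // {category}')
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {min_match} of ($s*)", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SUSPICIOUS_SAMPLE)
    print(draft_rule("Loader_Constructed_Placeholder", hits))
    print("clean sample hits:", triage(CLEAN_SAMPLE))
```

Running it prints a four-string rule for the fake loader and an empty hit list for the clean blob; the `2 of ($s*)` threshold is the part to tune against your real clean corpus, since a lone PDB path or URL fragment is the usual source of false positives.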
