Welcome to ANY.RUN’s monthly update, where we share what our team has been working on.
In August, we focused on enhancing our detection tools and improving your experience. We added the new XOR-URL extractor, updated YARA rules, added new signatures, and improved network detection rules.
Here’s a closer look at what we’ve done in August:
New YARA rules
Our YARA rules have been refined and updated to improve detection accuracy for various malware families.
The newly added and updated rules now cover a broader spectrum of threats, including:
- GoInjector
- Luder
- Xdspyloader
- Guloader (with fixes)
- DarkRoad
- PyInstaller
- WannaCry
- MuddyRot
- Phorpiex
- Onlineclipper
- MeshAgent
- Prince
- Razr
- Snake Keylogger (updated)
- Zusy Ransomware
- Luke Ransomware
- Smert Ransomware
New Signatures
We’ve added new signatures to enhance the detection of specific malware families, including Gamarue, Peristeronic, RobotDropper, and MouseLoader. These signatures are important for recognizing the unique behaviors and indicators of compromise (IOCs) associated with specific threats.
This month, we’ve added a total of 63 new signatures, including:
- Gamarue
- Peristeronic
- Robotdropper
- Mouseloader
- Astaroth
- Casbaneiro
- Hawkeye
- Blackbasta
- Document phishing
- Brand_apple
- Brand_docusign
- Brand_adobe
New malware config extractors added and fixed
In August, we added a new XOR-URL extractor to the ANY.RUN platform, designed to help decode XOR-obfuscated URLs used by malware to hide its command-and-control servers or other endpoints.
We have also refined and updated the extractors for Snake Keylogger and CryptBot, improving the accuracy of configuration extraction and analysis for these two malware families.
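To illustrate what an XOR-URL extractor does, here is an added example that is not ANY.RUN’s code (the post does not describe the extractor’s internals): it brute-forces a single-byte XOR key across a blob and recovers a short repeating key from the known URL prefix. The blobs, keys and the example.com URL are constructed placeholders.

```python
# Added example: recovering XOR-obfuscated URLs from a malware config blob.
# Not ANY.RUN's extractor; sample blobs, keys and URL below are constructed.
import re
from typing import List, Optional, Tuple

# A URL starts with a scheme, which is the crib that makes XOR recovery easy.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both obfuscates and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_single_byte(blob: bytes) -> List[Tuple[int, bytes]]:
    """Try all 256 single-byte keys; keep (key, url) pairs that decode to a URL.

    Works when the URL is embedded anywhere in the blob, since the regex scans
    the whole decoded buffer rather than assuming the URL starts at offset 0."""
    hits = []
    for key in range(256):
        for m in URL_RE.finditer(xor_bytes(blob, bytes([key]))):
            hits.append((key, m.group(0)))
    return hits


def crib_key(blob: bytes, crib: bytes = b"http", max_len: int = 4) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating key of length <= len(crib).

    Assumes the encoded field begins with the URL. Each candidate key is
    accepted only if decoding the whole blob actually yields a URL."""
    for klen in range(1, max_len + 1):
        key = xor_bytes(blob[:klen], crib[:klen])
        if URL_RE.match(xor_bytes(blob, key)):
            return key
    return None


# Constructed sample data: a placeholder URL, a single-byte key and a 4-byte key.
SAMPLE_URL = b"http://example.com/gate.php"
BLOB_1BYTE = b"\x7a\x7a" + xor_bytes(SAMPLE_URL, b"\x5a") + b"\x7a"  # 0x7a^0x5a = ' '
BLOB_4BYTE = xor_bytes(SAMPLE_URL, b"\x13\x37\xab\xcd")

if __name__ == "__main__":
    print(brute_single_byte(BLOB_1BYTE))   # [(90, b'http://example.com/gate.php')]
    key = crib_key(BLOB_4BYTE)
    print(key, xor_bytes(BLOB_4BYTE, key))
```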
Network detections
In August, our primary focus for network detection rules remained on identifying phishing activities by malicious actors. Throughout the month, we flagged 11,316 public submissions as phishing, which is a significant increase of 2,162 from July.
New Suricata rules
Over the past month, we’ve added 69 new Suricata rules, bringing our phishing detection rules to 562 in total. The new rules fall into several types, each targeting a different aspect of phishing activity:
- 31 domains identified as phishing and added to our rule base
- 17 proactive rules that focus on the behavioral patterns of phishing mechanisms
- 6 sites identified for redirecting users through domain chains to a final phishing endpoint
- 15 informational rules that provide critical insights and assist in phishing hunts
About ANY.RUN
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
- Detect malware in seconds.
- Interact with samples in real time.
- Save time and money on sandbox setup and maintenance.
- Record and study all aspects of malware behavior.
- Collaborate with your team.
- Scale as you need.