UnpacMe 7.5.0 - Community Rules, Improved Hunting, Goodware Integration,

UnpacMe submissions are now scanned with open source community Yara rules, a new Hunt view can be used to quickly pivot on searchable data, and Goodware labels are automatically applied to unpacked samples.

Release 7.5.0 Highlights

  • [New] Submissions are now scanned with our collection of open source community Yara rules.
  • [New] Hunt view can be used to enable search links 🔎 beside searchable data. The search links launch a similarity search using the data as a pivot.
  • [New] Goodware labels are automatically applied to samples that appear in our Goodware corpus.
  • [Improved] Downloaded ZIP files are now given a unique ID to help track them locally ... no more samples (1).zip, samples (2).zip.
  • [Improved] CAPA results can now be quickly toggled to display all results at once, and all of them are now searchable!
  • [Improved] Original file names are now displayed when available. These are also now searchable!

Community Rules

Our curated collection of open source community Yara rules now adds more context to packed and unpacked samples. Rule hits are displayed in the Results Insights. These rules are also searchable.

Rule details including the author and source repository can be found in the results for the matching sample.

Improved Hunting

Our new hunting features include an expanded set of search terms, such as file name, file metadata properties, community rules, GoReSym, CAPA, and more. We have also added new 🔎 search pivot links in the Results view to make it easy to pivot and find new and related malware.

Goodware Identification

Submissions and unpacked files that match a file in our Goodware corpus will now receive a Goodware label as well as information about the origin of the file. This helps both in identifying benign samples and in identifying benign artifacts such as Nullsoft Scriptable Install System (NSIS) installer DLLs, which are commonly unpacked along with packed malware.

The UnpacMe Goodware corpus was originally developed to assist with Yara rule validation and is sourced from analyst-vetted samples. We do not rely on heuristics such as "no AV hits" to label files as Goodware.

In addition to the above highlights, we have made some UI changes that improve load times and navigation within the Results page, with more to come soon!

Happy Hunting!