Making ANY.RUN’s products better for the benefit of businesses, organizations, and SOC teams is our top priority. To get maximum value out of our solutions, we provide them with API, a tool enabling users to integrate our services into their security infrastructure. And now, to make this process even smoother, we introduce a software development kit (SDK). 

With it, it’s even easier to make ANY.RUN a part of your security system. Data provided by our solutions will help you establish a safer infrastructure and improve the defense strategy of your company. 

Learn about ANY.RUN’s SDK features, advantages, and use cases below. 

Benefiting the security team of your company 

An SDK is a tool that helps increase the efficiency of your workflow through integration and automation. It simplifies day-to-day tasks for cybersecurity specialists at companies and organizations. This is especially relevant for small security teams who could benefit from automation. 

As a result of making ANY.RUN’s products a part of your security infrastructure via an SDK, you can: 

• Simplify and speed up malware analysis and threat hunting for your security team. 
• Automate routine tasks to save resources for manual in-depth investigation. 
• Access data on real threats collected by 500,000 researchers and 15,000 companies worldwide. 
• Reduce the cost of alert triage, incident investigation, and post-attack response. 
• Mitigate financial and reputational risks by equipping your defense with advanced solutions for threat analysis and detection. 

Our SDK simplifies integration of ANY.RUN’s products into your infrastructure. You can use it for enhanced flexibility, accelerated workflow, and automation of daily tasks.

Tailor the service to the needs of your business with our software development kit by making ANY.RUN’s solutions a part of your system, be that SIEM, SOAR, or XDR. 

Available for all products 

The SDK is available for users with the Hunter plan subscription, as well as with the Enterprise plan for teams. 

You can use ANY.RUN’s SDK with the entire range of our products. It makes it possible to automatically: 

• Submit files and links for analysis and download reports with ANY.RUN’s Interactive Sandbox. 

• Browse URLs and file hashes, as well as check IOCs, IOBs, IOAs and receive other data on threats with TI Lookup. 

• Establish the constant IOCs flow reception with TI Feeds. 

We make sure that the software development kit always complies with the current API version and covers all of its functions, enabling you to always stay on top of things. 

How to implement 

ANY.RUN’s software development kit is based on Python, the most popular programming language for malware analysts. It includes documentation, libraries, and code samples for you to explore. For instructions on how to install and use it, see: 

• ANY.RUN’s SDK documentation on GitHub 

• ANY.RUN’s SDK documentation on PyPI 

We welcome contributions from other developers. You can report bugs and suggest enhancements that would be beneficial for your company, and we’ll be happy to review them, resolve the issues, and make adjustments. For more info on how to contribute, see our guide. 

Use cases of ANY.RUN’s SDK 

Save resources on TI Feeds processing 

ANY.RUN’s TI Feeds provide large amounts of data on IOCs. To process all of this data efficiently, while keeping RAM load low, you can use the SDK. This will help you set up automated download of feeds in chunks, rather than in one go. 

import os

from anyrun.connectors import FeedsConnector
from anyrun.iterators import FeedsIterator


def main():

    with FeedsConnector(api_key) as connector:
        for feed in FeedsIterator.stix(connector, period='week', chunk_size=5):
            print(feed)


if __name__ == '__main__':
    api_key = os.getenv('ANY_RUN_FEEDS_API_KEY')
    main()

Simplify the submission process in ANY.RUN’s Sandbox 

Instead of manually submitting URLs and downloading analysis summaries in ANY.RUN’s Interactive Sandbox, configure the SDK to automate these processes. 

Code to automate URL submission.

Code to automate analysis summary download.

Conduct YARA Search 

YARA Search in TI Lookup allows you to scan our threat intelligence database to find files that match your descriptions. With the SDK, you can receive search results automatically using just one command: 

import os
from pprint import pprint

from anyrun.connectors import YaraLookupConnector


def load_yara_rule() -> str:
    with open('yara_lookup_rule_sample.txt', 'r') as file:
        return file.read()


def main():
    with YaraLookupConnector(api_key) as connector:
        lookup_result = connector.get_yara(load_yara_rule(), stix=True)
        pprint(lookup_result)


if __name__ == '__main__':
    api_key = os.getenv('ANY_RUN_Lookup_API_KEY')
    main()

Choose a connection method (for any service) 

You can use the SDK to connect to any service synchronously or asynchronously. Both methods include the same parameters and functions. For example, in TI Lookup you can switch between them with these code samples: 

• Synchronous version 

• Asynchronous version 

Request a trial period for your SOC team and explore ANY.RUN’s services with new possibilities brought by the SDK.

About ANY.RUN 

ANY.RUN’s services are used by over 500,000 cybersecurity professionals worldwide, including SOC teams at over 15,000 companies. ANY.RUN’s Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, and Android systems, while the threat intelligence products TI Lookup and TI Feeds enable organizations to enrich their knowledge on active and emerging cyber attacks. 

The post Seamlessly Integrate ANY.RUN’s Services into Your Infrastructure via SDK appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let’s elaborate on their essence, difference, and use.  

Distinction in a Nutshell 

Indicators of Compromise 

IOCs are pieces of evidence that suggest that a system, network, or device has been compromised by a cyberattack or malicious activity. They are typically reactive, meaning they are identified after an attack has occurred. 

The main purpose of IOCs is to help detect and confirm security incidents with known threats or malware. They serve as forensic evidence in incident investigations and are necessary for adequate incident response and mitigation. 

More often than not IOCs are specific — tied to a particular malware or campaign.  

IOCs can be classified into:  

• File-based: malicious file hashes (e.g., MD5, SHA-1, SHA-256), known malware signatures. 

• Network-based: suspicious IP addresses, domains, URLs, or unusual traffic patterns (e.g., connections to a known command-and-control server). 

• System-based: registry key changes, unauthorized user accounts, or suspicious processes running. 

Being reactive by their nature, IOCs are of immense help in threat prevention. When used smartly, they can be weaponized to block, disrupt, or preempt similar attacks in the future. 

This function is provided by threat intelligence: SOC teams collect indicators associated with known malware and incidents (malicious IPs, domains, file hashes, or URLs) and blacklist them in their security systems to prevent future communication or execution associated with those IOCs. 

For example, a phishing domain seen in a past attack is added to the block list, preventing any user from accessing it if reused. Potential IOCs can be checked with the help of services like ANY.RUN’s Threat Intelligence Lookup.  It searches for information from malware samples added and analyzed in the Interactive Sandbox: 

destinationIP:”147.185.221.26″ 

Another way of using IOCs for proactive protection is setting up decoys (honeypots or honeytokens) to monitor access to known indicators or infrastructure that mimics IOC traits. 

Finally, IOCs reveal which vulnerabilities are being exploited, so teams can prioritize patching or tighten firewall rules accordingly. 

IOCs have their limitations, though. They may not help to detect brand new or advanced threats. It’s important to keep in mind that attackers can easily change IOCs (e.g., domains, hashes), so IOC-based prevention is only as effective as its freshness and context. Context also helps to reduce false positives in detection.  

Context can also be provided by TI Lookup: it supports over 40 search parameters and wildcards which allows to combine indicators and parameters in complex search queries:

(syncObjectName:”PackageManager” or syncObjectName:”DocumentUpdater”) and syncObjectOperation:”Create” 

Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic. 

Switching to the Analyses tab in the search results, we see, that the combination of mutexes with such innocent general names as PackageManager and DocumentUpdater occurs in malware campaigns of MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.  

On the other hand, this combination of mutexes was last spotted in malware samples about four months ago which allows us to consider this signal obsolete.  

Security teams share IOCs via threat intelligence feeds: continuously updated data streams with indicators from fresh malware samples integrated with monitoring and detection systems. ANY.RUN provides Threat Intelligence Feeds in STIX and MISP formats. 

Indicators of Behavior 

IOBs focus on patterns or behaviors that suggest malicious activity, rather than specific artifacts or static signatures. They describe how an attacker operates, often describing tactics, techniques, and procedures (TTPs). In other words, these indicators focus on what an attacker does rather than specific tools or files. 

This enables them to be used for detecting zero-day attacks, unknown or evolving threats that may not have specific IOCs which makes IOBs useful in proactive threat hunting and monitoring. Suspicious behavior can signal an attack in progress, before significant damage occurs.  

IOBs may refer to:  

• User Behavior: An account logs in from an unusual location or at an odd time. 

• System Behavior: A process attempts to access sensitive files repeatedly or executes unauthorized scripts. 

• Network Behavior: Encrypted traffic spikes to unknown external servers, resembling data exfiltration. 

Thus, typical examples of IOBs are:  

• Use of living-off-the-land binaries (e.g., rundll32, certutil); 

• Obfuscation techniques; 

• Credential dumping after privilege escalation; 

• Repeated use of valid accounts for persistence.

IOBs also come with a few shortcomings. It requires advanced analytics, such as behavioral analysis or machine learning, to identify anomalies. Sophisticated monitoring tools (e.g., SIEM, UEBA) should be employed to work with this family of indicators. They can be resource-intensive to analyze and validate. And they may produce false positives if legitimate behaviors mimic malicious ones. 

ANY.RUN’s Interactive Sandbox allows analysts to observe how malware or suspicious files behave in a controlled environment and detect anomalous behaviors that may indicate a potential threat. For example, in this analysis session we see remote code execution via mshta.exe triggered by a command entered manually by a user and mentioning a (misspelled) CAPTCHA:

What does this activity indicate? In their latest campaign, Storm-1865 distributed phishing emails impersonating Booking.com. The emails contained links leading to fake CAPTCHA pages designed to build trust and lure users into interaction. The threat actor leveraged the ClickFix technique, instructing victims to paste a malicious command into the Windows command prompt. 

The campaign has been observed delivering several commodity malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT. With the following TI lookup query, we can search through recent public sandbox analyses and find samples with the same malicious activity for further research: 

commandLine:”mshta92.255.57.155/Capcha“ 

Indicators of Attack 

IOAs are proactive indicators that focus on the intent and actions of an adversary during an attack, emphasizing the “how” and “why” of malicious activity. They aim to detect attacks in real time, and to catch it in its early stages (e.g., during reconnaissance, exploitation, or lateral movement). This allows cybersecurity teams to prevent attacks by interrupting the kill chain. 

Examples of IOAs:  

• Reconnaissance: Unusual port scanning or enumeration of network resources. 

• Exploitation: Attempts to exploit a known vulnerability (e.g., SQL injection or buffer overflow). 

• Persistence: Installation of backdoors or scheduled tasks to maintain access. 

• Lateral Movement: Abnormal internal network traffic, such as attempts to access multiple systems with stolen credentials. 

• C2 Communication: Process beaconing to rare external IP at intervals. 

• Credential Theft: LSASS memory access by a non-standard process. 

• Data Exfiltration: Sensitive files zipped and sent via Dropbox or OneDrive. 

What typical indicators of attack might look like:  

• Word document spawns PowerShell; 

• Process injection detected; 

• A user logs in from two geographies within minutes; 

• Suspicious lateral movement. 

Since IOAs are specific signs of an active or imminent attack, often tied to known TTPs or malicious artifacts, it is possible to research these indicators with the aid of ANY.RUN’s Threat Intelligence Lookup through the Interactive MITRE ATT&CK Matrix.

The Matrix lets you map TTPs to actual samples of malware and phishing threats and view their entire execution chain inside the Interactive Sandbox, as well as collect additional indicators.

Conclusion  

The most valuable aspect of indicators in institutional cybersecurity is of course their potential to help prevent threats and incidents, stop attacks from succeeding, and thus avoiding financial loss, operational disruption, and reputation damage. Regularly collecting and using IOCs, IOAs, and IOBs, including with the services like ANY.RUN’s TI Lookup and TI Feeds, can help your SOC team fight off threats and keep your infrastructure safe.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Integrate ANY.RUN’s Threat Intelligence suite in your organization →

The post How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

In late March, the popular CISO MindMap, a cheat sheet on infosec team priorities, was updated. However, the economic landscape began shifting just days after its release. Now that the likelihood of economic instability, recession, falling oil prices, and rising microchip costs has increased, many companies and their CISOs face a pressing issue: cost optimization. In light of these developments, we decided to examine the CISO MindMap from a different angle, and highlight new or crucial infosec projects that can contribute to budget savings without creating excessive organizational risks.

Optimization of tools

MindMap authors advice CISOs to “consolidate and rationalize infosec tools”. In an IDC study from 2024, something like half of all large organizations surveyed used more than 40 infosec tools, and a quarter – more than 60. This abundance typically leads to decreased productivity, employee fatigue from unsynchronized and uncoordinated alerts, and excessive expenditure.

The solution lies in either consolidating the tech stack under a single-vendor approach (one vendor for the security platform and all its components), or selecting the best tool in each category. The latter approach requires (i) strict compliance with open communication standards, and (ii) API integration capabilities. It’s better suited for technologically mature teams capable of allocating internal resources (primarily time) to properly and efficiently set up integrations according to the infosec department’s procedures.

For effective stack consolidation, there are specialized planning tools that can assess all infosec systems that have been implemented, identify gaps in coverage, and pinpoint areas of significant functional overlap. This analysis also reveals inefficiently used tools that can be safely eliminated. For some niche and infrequent tasks, open-source tools can bring about budget savings. However, for large systems like SIEM that see regular use, open-source solutions may not be cheaper than proprietary ones due to the extensive efforts required for implementation, fine-tuning and support.

Consolidation often goes hand-in-hand with automation, which is only achievable with a well-synchronized toolset. In the same above-mentioned IDC study, it was found that companies that consolidated their tools and adopted modern XDR and SOAR solutions achieved average cost savings of 16% and analyst time savings of 20%. Simultaneously, they saw an improvement in organizational security with Mean Time to Respond (MTTR) decreasing by 21% and incident resolution time by 19.5%.

Automation

While automation projects initially involve additional expenses, their implementation in infosec processes pays off in the long run by saving analyst time and mitigating the talent shortage. Automation is not necessarily based on neural networks and language models, but these trendy technologies are already making practical contributions in several infosec areas. Tangible results are primarily achievable through the following measures:

• Selective incident response automation
• Alert prioritization in the monitoring center
• Application of infosec policies to accounts and resources
• Verification of compliance of internal policies with regulatory ones and enforcement of these policies
• Risk assessment and prioritization of infosec controls
• Automated third-party risk management (TPRM)

Generative AI

Despite the economic challenges, many companies continue to prioritize the implementation of AI-powered tools, viewing these as essential for future competitiveness and economic efficiency. Some organizations have even issued management directives such as “Before you hire a new employee, prove that AI cannot do their job.”

From the infosec perspective, the widespread adoption of AI-powered technology has both advantages and disadvantages. On the one hand, the vast and poorly understood array of AI tools creates a significant additional workload on infosec teams. On the other, it provides an opportunity to launch and fund various infosec initiatives within the broader corporate AI implementation program. To effectively manage AI-related risks, a company needs to do the following:

• Establish standards and regulations for the use of AI-powered solutions, while keeping in mind the rapidly evolving regulatory landscape in this area
• Create a controlled list of approved AI tools for different departments and processes
• Regularly review recommendations and verify that all AI-driven processes comply with infosec policies
• Include AI tools in the asset inventory for vulnerability management and infosec assessments
•  Develop specialized training programs for both AI users and infosec personnel

Using open-source AI solutions instead of proprietary cloud systems can reduce operational costs and enhance data protection – especially when the solutions are deployed within the organization’s network or in a private cloud. However, the availability of suitable, high-quality open-source models depends on the specific use case.

Meaningful infosec metrics

This area doesn’t require substantial financial investment but it significantly simplifies the process of justifying infosec budgets to the board of directors. The composition of key metrics varies across industries and companies, but the following groups are worth considering:

• Risk level and achieved risk reduction expressed in financial terms
• Organizational readiness for attacks (MTTR, MTTD) and its trends
• Progress in ongoing infosec projects, including automation and tool consolidation
• Effectiveness of infosec measures and its trends: average time to remediate critical and other vulnerabilities, percentage of users successfully passing cybersecurity testing, and so on

Identity management

While implementing comprehensive IAM solutions can be expensive, companies can find a balance that provides significant risk reduction at a reasonable cost.

Many companies still lack basic infosec controls like multi-factor authentication. Even limited implementation of these controls significantly reduces the risk of compromise through credential theft. In addition to cost-effective solutions that utilize TOTP-based authenticator apps, 2025 has seen passkey-based solutions mature and become quite user-friendly on the major platforms (Microsoft, Google, Apple). This phishing-resistant, highly affordable authentication method is worth deploying at least for employees who have access to critical data and systems, and ideally, for everyone. Ultimately, the transition to passkeys can also improve efficiency for all employees, as password-free access saves time and reduces support costs for password-related issues.

Another aspect of IAM is centralized management of machine identities, API tokens, and other secrets. Due to a significant increase in attacks on cloud environments, investments in this area are likely unavoidable. However, many companies can strategically plan the implementation of appropriate tools by deploying open-source solutions in their infrastructure, utilizing secret managers included in their cloud provider subscriptions, and so on.

SOC cost management

Security operations centers (SOCs) represent a major expense in any infosec budget, with significant costs associated with analyst effort, data storage, and processing. Effective separation into “hot” and “cold” log storage can significantly reduce data storage costs. For large companies, it’s worth considering hierarchical or geographically distributed processing infrastructure. In some cases, such as with our SIEM – the Kaspersky Unified Monitoring and Analysis Platform – SIEM hardware savings can reach 50%.

Kaspersky official blog – ​Read More

Every piece of malware leaves traces behind. Sometimes it’s a string buried deep in the code. Other times it’s a mutex, a registry key, or a network pattern. The key is knowing what to look for. 

That’s exactly what malware signatures are for. They describe these recurring elements, unique strings, behaviors, or structural patterns, that can be used to reliably identify known threats. 

Security teams use these signatures to detect and flag malicious activity; sometimes before the malware even has a chance to do damage. 

In this article, we’ll break down what malware signatures are, the different types you’ll encounter, and how tools like YARA and Suricata help turn small clues into confident decisions. 

What Is a Malware Signature? 

A malware signature is a unique indicator tied to a specific piece of malicious software. It could be a text string, a file hash, a mutex, or even a sequence of behaviors. Security tools use these signatures to recognize and flag known threats, kind of like matching fingerprints at a crime scene. 

The goal is simple: spot malware based on something that consistently shows up across samples from the same family or campaign. Once identified, these signatures become part of detection rules used by antivirus engines, sandboxes, and intrusion detection systems. 

How Are Malware Signatures Created? 

Malware signatures are usually crafted by security researchers and automated detection systems after analyzing how a threat behaves or what it contains. 

When a new malware sample is discovered, analysts break it down, looking at code, memory behavior, registry changes, network traffic, and other markers. If they notice something unique or consistently present across samples, like a specific mutex name, string, or packet structure, that becomes a potential signature. 

Depending on the tool or platform, these signatures might take different forms; 

• Static signatures are based on strings, byte sequences, or file hashes. 
• Behavioral signatures are based on what the malware does, like creating certain processes or modifying the registry. 
• Custom rules, like YARA or Suricata, allow analysts to define more complex patterns based on real-world observations. 

Main Types of Malware Signatures 

Not all malware looks or behaves the same, and the same goes for how we detect it. Over time, security teams have developed different types of signatures to match different kinds of threats.  

Here are the most common ones: 

Static Signatures 

These are the most traditional and widely used. Static signatures match fixed elements inside a file, like strings, byte sequences, or hashes, without needing to run the malware. 

Key traits: 

• Match based on file content (strings, hex patterns, hashes) 
• Fast and efficient for known threats 
• Can be bypassed through obfuscation or slight code changes 
• Commonly used in antivirus software  

Heuristic Signatures

Heuristic signatures look beyond exact matches. They evaluate the structure or logic of a file to identify suspicious patterns that may indicate malware, even if the sample is new or modified. 

Key traits: 

• Detect threats based on suspicious code structures 
• Useful for catching variants or zero-day malware 
• May generate false positives if too broad 
• Often found in email filters, AVs, and static analyzers 

Behavioral Signatures 

Rather than scanning a file, these signatures monitor what it does when executed. If it behaves like malware, e.g., injecting code or modifying the registry, it gets flagged. 

Key traits: 

• Trigger on real-time actions and behaviors 
• Great for catching fileless or evasive malware 
• Requires sandboxing or endpoint monitoring 
• Common in EDRs, sandboxes, and dynamic analysis tools 

How Detection Tools Use Signatures: YARA and Suricata 

Once malware signatures are defined, they need to be used effectively, and that’s where tools like YARA and Suricata come in. Each serves a unique purpose: one focuses on files and memory, the other on network traffic. Together, they cover a wide range of threats and detection angles. 

YARA Signatures: Matching Patterns in Files and Processes 

YARA is a rule-based detection tool that helps analysts identify malware by describing textual or binary patterns. It’s especially powerful for hunting threats across memory dumps, unpacked payloads, or large malware datasets. 

YARA helps security teams quickly identify threats by matching known patterns in files, processes, or memory. It automates what would otherwise be a slow, manual process, making detection faster, more accurate, and more scalable. 

Its real strength lies in customization. Teams can write tailored rules to catch specific malware strains or adapt to new threats as they emerge. When combined with ANY.RUN’s interactive sandbox, YARA also reveals how they behave, giving organizations the insight they need to act fast and prevent damage. 

Key benefits of YARA in a security workflow: 

• Speeds up detection and reduces manual effort 

• Detects both known and emerging malware families 

• Cuts down false positives with precise rules 

• Boosts efficiency across security teams 

• Helps contain threats early and minimize risk 

Real-World Example: Matching the Mutex Pattern 

Let’s look at an example of YARA rule used in ANY.RUN’s sandbox: 

$s6 = “Local\SM0:%d:%d:%hs” wide 

This string is part of a rule designed to detect mutexes created by certain malware families.

To see this signature in action, check out this ANY.RUN analysis session. 

Navigate to the MediaCenter.exe process → More Info → Synchronization tab. 

There, you’ll find the mutex: LocalSM0:5320:168:WilStaging_02 

This mutex exactly matches the YARA signature pattern. The use of placeholders like %d and %hs allows the rule to flexibly detect variations of this format across different samples. 

• %d matches any sequence of digits (0–9) 

• %hs matches a short string or hexadecimal value, typically 2 bytes 

This is a great example of how YARA rules aren’t just powerful, they’re also adaptable to the real-world quirks of evolving malware behavior. 

Suricata Signatures: Detecting Malicious Behavior in Network Traffic 

While YARA focuses on identifying malware based on what it is, Suricata helps detect malware based on what it does across the network. It’s an advanced intrusion detection system (IDS) that monitors real-time traffic and flags suspicious behavior using both signature- and anomaly-based techniques. 

ANY.RUN integrates Suricata to enhance threat visibility at the network level, allowing analysts to catch threats as they try to communicate with command-and-control servers, exfiltrate data, or spread laterally. Suricata signatures give security teams immediate context; what’s happening, where, and why it matters. 

Key benefits of Suricata in a security workflow: 

• Detects malicious traffic and C2 communication in real time 
• Complements file-based detection with network-layer visibility 
• Helps attribute threats to specific malware families 
• Speeds up incident response with actionable alerts 
• Empowers teams with visibility into protocol activity across multiple layers 

In ANY.RUN, Suricata rules are applied automatically during sandbox analysis. Let’s take a look at a real-world detection involving Gh0st Remote Access Trojan (RAT). 

View analysis session with Gh0st RAT 

After execution, the sample initiates suspicious encrypted traffic. Suricata instantly detects it and flags the connection as Gh0st RAT activity.

How it works: 

• Suricata inspects packets across protocols (HTTP, TCP, UDP, etc.) 
• It matches patterns defined in the ET (Emerging Threats) rule sets 
• Once a match is found, it provides detailed metadata: source/destination IPs, ports, signature ID, and threat name 

By switching to the Suricata rule tab, you’ll be able to inspect it more thoroughly.  

Making the Most of Malware Signatures in ANY.RUN 

Malware signatures can do a lot on their own but when they’re used in the right environment, they become even more useful. 

Inside ANY.RUN’s sandbox, YARA and Suricata work together to give you the full picture. You can see what a file is doing locally, spot mutexes, registry changes, and other signs of malicious behavior, then switch to the network layer to catch things like encrypted C2 traffic or data exfiltration. Both angles are covered, without having to jump between tools. 

Instead of switching between tools, analysts get everything in one place; interactive, real-time, and backed by constantly updated signature sets. This gives less time digging and more time acting. 

If your goal is to reduce investigation time, improve detection accuracy, and truly understand how malware behaves, ANY.RUN puts those capabilities right at your fingertips. 

About ANY.RUN

ANY.RUN is used by over 500,000 cybersecurity professionals and 15,000+ companies across finance, manufacturing, healthcare, and other industries. Its Interactive Sandbox offers fast threat analysis for Windows, Linux, and Android, aiding malware and phishing investigations. Threat Intelligence Lookup and TI Feeds enhance cyber attack knowledge and detection.

Strengthen your company’s cyber resilience with ANY.RUN →

The post Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More