YARA matches are displayed in the matches table. The matches table includes information about each match and can be sorted and filtered based on various characteristics of the matches.

The default matches table view will display ten matches per page and is sorted in reverse chronological order based on the last time each match was observed.

Pages in the table can be navigated using the page selection controls located below the table.

1. Match Details

Each match in the table includes the SHA256 hash of the sample, a list of tags describing features found in the sample, and a list of any YARA labels associated with the sample.

Tags

Tags associated with each match are used to present information about the sample without requiring the analyst to open a full analysis report. Tags can be clicked to add them to the match filter. A list of common tags follows.

  • EXE - The sample is a Windows executable.
  • DLL - The sample is a Windows DLL.
  • x32 - The sample is 32-bit.
  • x64 - The sample is 64-bit.
  • .NET - The sample is a .NET binary.
  • CONFIG - The sample has an associated malware configuration file.
  • corrupt - The sample failed one or more of the internal validation checks and may be corrupt.

YARA Labels

YARA labels associated with the match are displayed below the SHA256 hash. Labels can be clicked to add them to the match filter.

If the label was matched on an unpacked child of the sample rather than on the sample itself, the label is marked as Packed.

Expandable Details

The match also includes an expandable list of analysis reports that include the sample.

Analysis reports are arranged in reverse chronological order, with the most recent report at the top of the list.

Actions

Each match has an accompanying list of quick action buttons.

  1. The Latest Analysis button will open the most recent analysis report that includes the sample.
  2. The Download button can be used to download the sample.

2. Table Sort

The matches table can be sorted by one of the following table attributes. By default it is sorted in reverse chronological order by the last observed match.

  1. Analysis Report Count - the number of analysis reports that contain the sample. This is a useful metric for identifying samples that have been packed inside multiple different parent files.
  2. First Seen - the first observation of the sample.
  3. Last Seen - the last observation of the sample.
  4. File Size - the size of the sample.
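To make the behaviour of the Match Details and Table Sort sections concrete, the following added example models the matches table in plain Python. It is not code from the original page or from the platform that hosts the table; the record layout, field names and the three sample rows are constructed for illustration. It derives First Seen, Last Seen and Analysis Report Count from the list of analysis reports that include a sample, treats a label matched on an unpacked child (the Packed marker) as still satisfying a label filter, applies clicked tags and labels as an AND filter, and paginates ten rows per page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Set


@dataclass
class Match:
    """One row of the matches table (hypothetical layout, constructed for this example)."""
    sha256: str
    size: int                 # file size in bytes
    tags: Set[str]            # feature tags such as EXE, x64, CONFIG
    labels: Set[str]          # YARA labels matched on the sample itself
    packed_labels: Set[str]   # YARA labels matched on an unpacked child (shown as Packed)
    reports: List[date]       # dates of the analysis reports that include the sample

    def report_count(self) -> int:
        return len(self.reports)

    def first_seen(self) -> date:
        return min(self.reports)

    def last_seen(self) -> date:
        return max(self.reports)

    def all_labels(self) -> Set[str]:
        # A Packed label still identifies the sample, so it counts for filtering.
        return self.labels | self.packed_labels


# The four sortable attributes from the Table Sort section.
SORT_KEYS = {
    "report_count": Match.report_count,
    "first_seen": Match.first_seen,
    "last_seen": Match.last_seen,
    "file_size": lambda m: m.size,
}


def filter_matches(matches: Iterable[Match], tags=(), labels=()) -> List[Match]:
    """Keep only matches carrying every clicked tag and every clicked label."""
    want_tags, want_labels = set(tags), set(labels)
    return [m for m in matches
            if want_tags <= m.tags and want_labels <= m.all_labels()]


def sort_matches(matches: Iterable[Match], key: str = "last_seen",
                 descending: bool = True) -> List[Match]:
    """Default view: reverse chronological by the last observation of the sample."""
    return sorted(matches, key=SORT_KEYS[key], reverse=descending)


def page(matches: List[Match], number: int = 1, per_page: int = 10) -> List[Match]:
    """Return the rows shown on a given 1-based page of the table."""
    start = (number - 1) * per_page
    return matches[start:start + per_page]


def hashes(matches: Iterable[Match]) -> List[str]:
    """The SHA256 column, e.g. what Copy Selected Hashes would gather."""
    return [m.sha256 for m in matches]


# Constructed sample rows; hashes and label names are placeholders, not real samples.
MATCHES = [
    Match("11" * 32, 204800, {"EXE", "x32", "CONFIG"}, {"rule_alpha"}, set(),
          [date(2024, 1, 5), date(2024, 3, 1), date(2024, 3, 9)]),
    Match("22" * 32, 51200, {"DLL", "x64"}, {"rule_beta"}, set(),
          [date(2024, 2, 20)]),
    # Matched only on its unpacked child, so rule_alpha is shown as Packed here.
    Match("33" * 32, 1048576, {"EXE", "x64", ".NET"}, set(), {"rule_alpha"},
          [date(2024, 3, 10), date(2024, 3, 12)]),
]


if __name__ == "__main__":
    for m in page(sort_matches(MATCHES)):
        print(m.sha256[:12], m.last_seen(), m.report_count(), sorted(m.tags))
    print(hashes(filter_matches(MATCHES, labels={"rule_alpha"})))
```

Sorting by Analysis Report Count surfaces the first row, which was seen in three separate reports, ahead of the row that was observed most recently; filtering on a label returns the third row as well because the Packed label came from its unpacked child.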

3. Bulk Actions

Bulk actions can be performed when one or more matches are selected. The checkbox beside each match can be used to add the match to the selection, or the Select All and Select Page buttons can be used. The bulk action controls are detailed below.

  1. Select All - select all matches.
  2. Select Page - select all matches displayed in the current matches table page.
  3. Clear Selected - clear all selected matches.
  4. Copy Selected Hashes - copy the SHA256 hash of each selected match to the clipboard.
  5. Download Selected - download all selected matches.