dr_sandbox Module

The dr_sandbox module is an exclusive Dr.Web YARA module, which allows creating rules based on:

information on the file behavior,

types of created files (src, dump, drop, alloc, etc.),

information about detected threats,

the analyzed file’s name.

Sample rule that uses the dr_sandbox module:

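import "dr_sandbox"

rule bad_file
{
   condition:
       // Behavior-based condition: a network connection whose URL matches the regular expression
       dr_sandbox.descr_tech.network.connect_to(/http:\/\/someplace\.badsite\.com/)
}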

A detailed list of the module features is in Appendix B. More Details About dr_sandbox Module for YARA Rules.