
Malware Intelligence

Introduction

The malware_intel module allows you to interact with the Recorded Future Malware Intelligence. It includes:

  1. Querying for known hashes
  2. Auto YARA rule generation based on hashes
  3. Auto Sigma rule generation based on hashes
  4. Saving generated rules to disk

See the API Reference for internal details of the module.

Notes

  • The reports method returns at most 10 reports, with the highest sandbox score.
  • Use the save_rules helper function (imported in the examples below) to write generated Auto YARA and Auto Sigma rules to disk. Auto YARA results are saved as a single .yar file named after the job, while Auto Sigma results are saved as multiple .yml files named <job_name> - Rule N.yml. See the Helpers API for details.

Examples

Warning

The following examples demonstrate how to use this module. Be sure to add appropriate error handling as needed; all possible errors for each method or function are listed in the API Reference page.

Additionally, you must configure the RF_TOKEN environment variable before getting started. For instructions, see Learn.

1: Search for reports for a specific SHA256 hash

In this example you query for all reports whose SHA256 matches the value passed in the sha256 argument (query='static.sha256' selects that field). The start and end dates are relative to the day on which you run the example (here, from 20 days ago up to yesterday).

from psengine.malware_intel import MalwareIntelMgr

mgr = MalwareIntelMgr()

reports = mgr.reports(
    query='static.sha256',
    sha256='c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f',
    start_date='-20d',
    end_date='-1d',
)

for report in reports:
    print(report)

The output of the example is:

Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 10, Task: behavioral2, Submitted: 2025-09-25T16:45:03.000Z
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 10, Task: behavioral1, Submitted: 2025-09-25T16:45:03.000Z
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 3, Task: behavioral2, Submitted: 2025-09-25T10:48:25.000Z
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 3, Task: behavioral1, Submitted: 2025-09-25T10:48:25.000Z
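The report objects above carry the hash, sandbox score, task and submission time, and a triage step normally reads those fields from the objects themselves. The following added example (written for this page, not part of psengine) shows the same triage logic on the printed summary lines, which is what you have when only the log survives: it parses each line, discards anything that does not match the format, reports the highest score seen per hash, and keeps only the most recent submission per (hash, task) pair, since the same sample is often detonated more than once. The sample input is the four lines printed above plus one constructed junk line; the line format is assumed to be exactly as printed here.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four summary lines printed in Example 1, plus one
# junk line that should be skipped rather than crash the parser.
SAMPLE_REPORT_LINES = """\
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 10, Task: behavioral2, Submitted: 2025-09-25T16:45:03.000Z
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 10, Task: behavioral1, Submitted: 2025-09-25T16:45:03.000Z
not a report line at all
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 3, Task: behavioral2, Submitted: 2025-09-25T10:48:25.000Z
Sandbox Report of: c5455c43f6a295392cf7db66c68f8c725029f88e089ed01e3de858a114f0764f, Score: 3, Task: behavioral1, Submitted: 2025-09-25T10:48:25.000Z
"""

# Assumed line format: "Sandbox Report of: <sha256>, Score: <n>, Task: <task>, Submitted: <iso-8601 Z>"
REPORT_LINE = re.compile(
    r'^Sandbox Report of: (?P<sha256>[0-9a-f]{64}), '
    r'Score: (?P<score>\d+), '
    r'Task: (?P<task>\S+), '
    r'Submitted: (?P<submitted>\S+)$'
)


@dataclass(frozen=True)
class ReportSummary:
    sha256: str
    score: int
    task: str
    submitted: datetime


def parse_report_line(line: str) -> Optional[ReportSummary]:
    """Parse one printed summary line; return None for anything that does not match."""
    m = REPORT_LINE.match(line.strip())
    if not m:
        return None
    submitted = datetime.strptime(
        m['submitted'], '%Y-%m-%dT%H:%M:%S.%fZ'
    ).replace(tzinfo=timezone.utc)
    return ReportSummary(m['sha256'], int(m['score']), m['task'], submitted)


def parse_report_lines(text: str) -> List[ReportSummary]:
    """Parse a block of printed lines, silently skipping non-matching ones."""
    parsed = (parse_report_line(line) for line in text.splitlines())
    return [r for r in parsed if r is not None]


def highest_score(reports: List[ReportSummary]) -> Dict[str, int]:
    """Highest sandbox score observed for each hash (the verdict triage acts on)."""
    best: Dict[str, int] = {}
    for r in reports:
        best[r.sha256] = max(best.get(r.sha256, 0), r.score)
    return best


def latest_per_task(reports: List[ReportSummary]) -> Dict[Tuple[str, str], ReportSummary]:
    """Keep only the most recent submission for each (sha256, task) pair."""
    latest: Dict[Tuple[str, str], ReportSummary] = {}
    for r in reports:
        key = (r.sha256, r.task)
        if key not in latest or r.submitted > latest[key].submitted:
            latest[key] = r
    return latest


if __name__ == '__main__':
    reports = parse_report_lines(SAMPLE_REPORT_LINES)
    for sha256, score in highest_score(reports).items():
        print(f'{sha256}: highest score {score}')
    for (sha256, task), r in latest_per_task(reports).items():
        print(f'  latest {task}: score {r.score} submitted {r.submitted.isoformat()}')
```

Because the module already returns at most 10 reports ordered by highest sandbox score, the per-hash maximum is usually the first entry; the per-task view is the one that tells you whether a lower score is simply an older detonation.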

2: Generate a YARA rule based on hashes

In this example you create a YARA rule from three known WannaCry hashes that were identified via the query 'sample.tags == "family:wannacry"'. Passing the query is optional, but it is useful for future reference.

from pathlib import Path

from psengine.malware_intel import AutoYaraMgr, save_rules

mgr = AutoYaraMgr()

OUTPUT_DIR = Path.cwd() / 'rules'
OUTPUT_DIR.mkdir(exist_ok=True)
query = 'sample.tags == "family:wannacry"'
wannacry_hashes = [
    'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa',
    'be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844',
    '892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba',
]

job = mgr.create_rule_job(
    wannacry_hashes, 'WannaCry Monitoring', query
)
rule = mgr.fetch_rule_job_result(
    job.job_id, wait_until_finished=True
)
print(f'Rule status: {rule.job.status}')
save_rules(rule, OUTPUT_DIR)

print(mgr.fetch_rule_jobs())

By default, fetching a newly created job may return a non-terminal status such as CREATED or RUNNING, and yara_rule_str can still be None.

To simplify this flow, fetch_rule_job_result supports an optional wait_until_finished=True argument. When enabled, the client polls the job until it reaches FINISHED (or raises if the job fails or times out), so you do not need to write your own wait loop.

Once the job is created, all jobs can be printed using fetch_rule_jobs.

Name: WannaCry Monitoring, ID: 74dc1c5c-c7dc-4863-8d09-1647629fdd01, Created: 2026-04-16 09:42:31, Covered Hashes: 3, Uncovered Hashes: 0
Name: Dindoor Monitoring, ID: 60e587c2-8341-4266-a0de-b6620e15e54e, Created: 2026-04-16 09:33:30, Covered Hashes: 5, Uncovered Hashes: 0

3: Delete the generated YARA rules

In this example you delete all the rule jobs created with the configured token. It demonstrates that fetch_rule_jobs gives access to each job's ID via the job_id field, which can then be passed as the argument to delete_rule_job.

from psengine.malware_intel import AutoYaraMgr

mgr = AutoYaraMgr()

rules = mgr.fetch_rule_jobs()
for rule in rules.jobs:
    print(mgr.delete_rule_job(rule.job_id))

4: Generate Sigma rules from malware query results

In this example you create an Auto Sigma job from a malware query and a time range, then fetch the result.

As with Auto YARA, fetch_rule_job_result supports wait_until_finished=True so the client polls until the job reaches FINISHED.

from pathlib import Path

from psengine.malware_intel import AutoSigmaMgr, save_rules

mgr = AutoSigmaMgr()

OUTPUT_DIR = Path.cwd() / 'rules'
OUTPUT_DIR.mkdir(exist_ok=True)

job = mgr.create_rule_job(
    name='WannaCry Sigma Monitoring',
    query='sample.tags == "family:wannacry"',
    start_date='2025-03-01',
    end_date='2025-03-05',
)

result = mgr.fetch_rule_job_result(
    job.job_id, wait_until_finished=True
)
print(f'Rule generation status: {result.status}')
print(f'Matched hashes: {result.n_matched_hashes}')
print(f'Generated Sigma rules: {len(result.sigma_rules)}')
save_rules(result, OUTPUT_DIR)

print(mgr.fetch_rule_jobs())

5: Delete generated Auto Sigma jobs

In this example you fetch all Auto Sigma jobs for the configured token and delete them one by one using delete_rule_job.

from psengine.malware_intel import AutoSigmaMgr

mgr = AutoSigmaMgr()

jobs = mgr.fetch_rule_jobs()
for job in jobs.jobs:
    print(mgr.delete_rule_job(job.job_id))