Why YARA Rules are Better Than Hashes in Malware Detection
A deep dive comparison between YARA rules and file hashing in malware detection

When carrying out threat intelligence or threat hunting, one of the most vital inputs is a good set of indicators: indicators of compromise (IOCs) or indicators of attack (IOAs).
These small fragments are the cues that guide an analyst through a malware investigation. Malware, as its name says (MALicious softWARE), is software, and software arrives as files. This is why some of the most effective ways of detecting it are file based indicators: hashes of known malicious files, and content signatures such as YARA rules.
Their potency differs, though, and that difference is what makes one of them far more valuable than the other for long-term malware detection.
What is a file hash:
A file hash is a fixed-length string produced by running a file's bytes through a cryptographic hash function, and it is used to identify that file on digital systems.
For a sound hash function, two different files will not share a digest in practice, so the hash identifies a file regardless of which system it sits on or what it has been renamed to, as long as not a single byte of the file changes.
If even one byte is appended or altered, the file's hash becomes a completely different value (the avalanche effect): the digest of the modified file bears no resemblance to the digest of the original.
Unlike encryption, a file hash is one way: nothing in the digest lets you recover the file, and there is no key that reverses it.
Hash functions are grouped into families by design and generation. These are the ones you will meet most often in malware work:
Message Digest 5 (MD5): 128-bit digest. Practical collisions have been demonstrated, so it must not be relied on where an attacker could craft two files with the same hash, but it is still ubiquitous as a lookup key in threat intelligence feeds.
SHA-1: 160-bit digest. Also broken against collision attacks (a practical collision was published in 2017) and deprecated for security use; like MD5 it survives mainly as a legacy identifier.
SHA-2: the current industry standard, a family of functions that differ in digest size. The members you will see most often:
SHA-256: 256-bit digest; the hash most threat intelligence platforms key on.
SHA-384: 384-bit digest.
SHA-512: 512-bit digest. A longer digest means a larger output space and an even smaller chance of an accidental collision; none of the SHA-2 functions has a known practical collision, in contrast to MD5.
SHA-3: the newest generation, standardised by NIST in 2015 with a different internal design (Keccak). It is an alternative to SHA-2 rather than a replacement for a broken standard; SHA-2 remains secure and is far more widely deployed.
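To make the avalanche property concrete, here is a short Python script added for this article (it is not code from the original post or from any tool it mentions). It hashes a constructed byte string with one member of each family listed above, then appends a single byte and shows that every digest changes, with roughly half of the digest bits flipping. The sample bytes are made up for the demonstration and stand in for a real file.

```python
import hashlib

# Constructed sample "file" for the demonstration: made-up bytes, not a real binary.
ORIGINAL = b"MZ\x90\x00" + b"constructed-sample-contents-for-the-hash-demo" + b"\x00" * 16
# The "variant" differs by exactly one appended byte, as a trivial repack might.
VARIANT = ORIGINAL + b"\x00"

# One representative of each family discussed above.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512", "sha3_256")


def digests(data: bytes) -> dict:
    """Hex digest of `data` under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_bits(name: str) -> int:
    """Digest length in bits, e.g. 256 for sha256."""
    return hashlib.new(name).digest_size * 8


def changed_digests(a: bytes, b: bytes) -> list:
    """Names of the algorithms whose digest differs between a and b."""
    da, db = digests(a), digests(b)
    return [name for name in ALGORITHMS if da[name] != db[name]]


def bits_flipped(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    before, after = digests(ORIGINAL), digests(VARIANT)
    for name in ALGORITHMS:
        flipped = bits_flipped(before[name], after[name])
        print(f"{name:8} {digest_bits(name):3d}-bit digest, {flipped:3d} bits changed after appending one byte")
        print(f"   original: {before[name]}")
        print(f"   variant : {after[name]}")
    print("algorithms whose digest changed:", changed_digests(ORIGINAL, VARIANT))
```

The point to take from the output is not which algorithm is stronger but that all of them behave the same way for detection purposes: the one-byte variant is a new file as far as any hash list is concerned.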
What is a YARA rule:
A YARA rule describes a file by its content rather than by a single digest. It declares a set of strings (plain text, hexadecimal byte sequences that may contain wildcards, or regular expressions) and a boolean condition over them, such as "any of them" or "2 of ($s*) and filesize < 1MB"; a file matches when the condition holds. Because a rule can require only a handful of traits that a whole family shares, it catches far more samples than a hash can.
When it comes to malware detection, a YARA rule effectively folds many indicators into one signature that captures a family of closely related variants rather than one specific file.
A side by side comparison of how YARA rules and file hashes work
Suppose we have a malware like the mirai malware, its file hash in SHA-256 is a2e9d9436e5a2e4bb41927cfd77fc52dea1230e7dee0b688a03e5948abe783fd,
but this isn’t the only variant of the same mirai malware.
Here is another hash of the mirai malware: 1ba51b481413f35cda4b682af825344686c521fb4da6709a13b85ff2ac6b3637
Checking both hashes on VirusTotal shows that each is classified as belonging to the Mirai family:
[Image: VirusTotal result for the first hash, labelled as Mirai]
[Image: VirusTotal result for the second hash, labelled as Mirai]
Now, suppose I have the hash of just one variant and load that hash into my EDR or SIEM. What happens when the other variant comes knocking? It gets in.
Threat actors know this, which is why they routinely recompile, repack or otherwise modify their binaries: the slightest change to a malware binary creates a new variant with a new hash.
This is where YARA rules come into the picture. Instead of one digest of one file, they capture the static traits the family's binaries share: hardcoded strings, characteristic byte sequences, and structure. Just as members of a family share traits, variants of a malware family usually keep most of these, so a rule written from one sample continues to match the next.
[Image: a YARA rule for the Mirai family, taken from the ruleset referenced below]
This rule comes from a roughly 1,200-line YARA ruleset published on GitHub. If I as an analyst want broader coverage of the different Mirai variants, I can load the entire ruleset into my EDR, and when a variant is scanned, whichever rule describes it fires.
Reference here for the complete open source package from Elastic Security on GitHub.
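To show the difference described above in running code, here is a Python example added for this article (it is not code from the original post and not one of Elastic's rules). It builds three constructed byte strings, two of them "variants" of one family that share hallmark strings but differ in a version tag, a call target and padding, plus one unrelated file. A hash IOC list that knows only the first variant is compared against an illustrative family rule. The rule text is in real YARA syntax; the strings in it are chosen for the example and are not a vetted Mirai signature. Since the matcher must run without yara-python installed, a minimal evaluator for text strings, hex strings with ?? wildcards and an "N of them" condition is implemented inline as a stand-in for YARA's engine.

```python
import hashlib
import re

# Constructed stand-ins for three ELF files (made-up bytes, not real samples).
VARIANT_A = (b"\x7fELF" + b"build-v1\x00"
             + b"/bin/busybox MIRAI\x00" + b"applet not found\x00"
             + b"\xe8\x12\x34\x56\x78\x5b" + b"\x00" * 8)
VARIANT_B = (b"\x7fELF" + b"build-v2-rebuilt\x00"
             + b"/bin/busybox MIRAI\x00"            # second string dropped in this build
             + b"\xe8\x99\x88\x77\x66\x5b" + b"\xcc" * 8)   # different call target
UNRELATED = b"\x7fELF" + b"hello world\x00" + b"\x00" * 32

# Illustrative rule written for this example; not a vetted Mirai signature.
YARA_RULE_TEXT = r'''
rule Mirai_like_example
{
    meta:
        description = "Illustrative family rule constructed for this example"
    strings:
        $s1 = "/bin/busybox MIRAI"
        $s2 = "applet not found"
        $h1 = { E8 ?? ?? ?? ?? 5B }   // call rel32 with wildcarded target, then pop ebx
    condition:
        2 of them
}
'''

# The same rule expressed as data for the minimal matcher below.
RULE_STRINGS = {
    "$s1": b"/bin/busybox MIRAI",
    "$s2": b"applet not found",
    "$h1": "E8 ?? ?? ?? ?? 5B",      # hex string; ?? is a one-byte wildcard
}
RULE_MIN_MATCHES = 2                  # condition: 2 of them


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hex_pattern_to_regex(pattern: str):
    """Translate a YARA-style hex string with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def matched_strings(data: bytes) -> list:
    """Names of the rule's strings found in `data`, in declaration order."""
    hits = []
    for name, pat in RULE_STRINGS.items():
        if isinstance(pat, bytes):
            found = pat in data
        else:
            found = hex_pattern_to_regex(pat).search(data) is not None
        if found:
            hits.append(name)
    return hits


def rule_fires(data: bytes) -> bool:
    """Evaluate the condition '2 of them'."""
    return len(matched_strings(data)) >= RULE_MIN_MATCHES


# Hash-based detection: the analyst only ever obtained the first variant.
HASH_IOCS = {sha256(VARIANT_A)}


def hash_detects(data: bytes) -> bool:
    return sha256(data) in HASH_IOCS


def compare(samples: dict) -> dict:
    """For each sample, whether the hash IOC list and the rule would flag it."""
    return {name: {"hash": hash_detects(d), "yara": rule_fires(d)}
            for name, d in samples.items()}


if __name__ == "__main__":
    verdicts = compare({"variant_a": VARIANT_A, "variant_b": VARIANT_B,
                        "unrelated": UNRELATED})
    for name, v in verdicts.items():
        print(f"{name:10} hash_ioc={v['hash']!s:5} yara={v['yara']!s:5} "
              f"strings={matched_strings(dict(variant_a=VARIANT_A, variant_b=VARIANT_B, unrelated=UNRELATED)[name])}")
```

The second variant is missed by the hash list but still fires the rule, even though it dropped one of the three strings, because the condition only asks for two of them; the wildcarded hex string is what lets the rule survive the changed call target. With yara-python installed, the same rule text can be evaluated by the real engine with yara.compile(source=YARA_RULE_TEXT).match(data=VARIANT_B), which is the check to run before trusting any rule you write.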
Advantages and Disadvantages of YARA Rules vs. File Hashes
Both file hashes and YARA rules serve as file-based indicators for threat detection, but their utility and longevity vary significantly due to their respective strengths and weaknesses.
File Hashes
Advantages: trivial to compute and compare; a match is definitive for that exact file; doubles as an integrity check; every platform and threat feed supports hash lookups.
Disadvantages: a single changed byte defeats the indicator, so every new variant, repack or rebuild needs a new hash; a hash says nothing about why the file is malicious.
YARA Rules
Advantages: one rule covers a whole family of variants; resilient to small changes in the binary; the strings that matched give context about what the file does.
Disadvantages: writing a good rule requires analysing samples and picking traits that are specific enough; overly generic strings cause false positives; scanning for patterns costs more than a hash-table lookup; packed or encrypted samples hide their strings until they are unpacked.
Ending notes
In summary, while file hashes offer a fast and simple method for definitively identifying and integrity checking a single known malicious file, their extreme fragility and short shelf life make them a poor choice for long-term threat detection: a threat actor only has to change one byte of a binary to produce a new, undetected hash.
YARA rules, on the other hand, are a more robust and enduring solution. By capturing the shared strings, byte patterns and structure of an entire malware family, a single YARA ruleset can detect hundreds of related variants. That resilience to minor changes, together with the context a match provides, makes YARA rules the more potent and valuable tool for modern, proactive threat intelligence and threat hunting. They are, ultimately, an investment in detecting the malware itself, not just one fleeting instance of it.