Static Malware Triage: YARA-First Workflow
YARA-first static triage for high-volume malware feeds.
When samples arrive faster than you can reverse them, you need classification before IDA opens.
Phase 1: Hash & Cluster
SHA256 deduplication. Cluster by imphash and section entropy.
Phase 2: YARA Sweep
Family-specific and capability-based rules — packers, C2 strings, anti-analysis primitives.
Phase 3: PE Triage
Section permissions, import anomalies, compile timestamps (untrusted).
Only high-priority unknowns go to full reversing.
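An added, stdlib-only Python sketch of the Phase 1 and Phase 3 checks (example code, not from the original post): it hashes a constructed PE skeleton, computes per-section entropy, flags sections that are both writable and executable, marks a zero or future compile timestamp, and derives a coarse cluster key. The import table and imphash are not parsed here, and the sample PE, its section names and its layout are constructed for the demonstration.

```python
import hashlib, math, struct, time
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for constant data, 8 for uniform."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_pe(blob: bytes, now=None) -> dict:
    """Walk the COFF header and section table; imports/imphash are not parsed here."""
    pe = struct.unpack_from("<I", blob, 0x3C)[0]            # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, stamp, _, _, opt_size = struct.unpack_from("<HIIIH", blob, pe + 6)
    sections, off = [], pe + 24 + opt_size                   # section table start
    for _ in range(nsec):
        name, _, _, raw_size, raw_ptr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "entropy": round(entropy(raw), 2),
            "rwx": bool(flags & SCN_WRITE and flags & SCN_EXECUTE),  # writable + executable
        })
        off += 40
    now = time.time() if now is None else now
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "timestamp": stamp,
        "timestamp_suspicious": stamp == 0 or stamp > now + 86400,  # zero or in the future
        "sections": sections,
        "flags": [s["name"] for s in sections if s["rwx"] or s["entropy"] > 7.0],
    }

def cluster_key(report: dict) -> tuple:
    """Bucket key for Phase 1: section names with entropy rounded to whole bits."""
    return tuple((s["name"], round(s["entropy"])) for s in report["sections"])

def build_fake_pe(stamp: int) -> bytes:
    """Constructed, non-runnable PE skeleton: DOS stub, COFF header, two sections."""
    sect = lambda name, ptr, size, flags: struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, flags)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 0, 0)  # no optional header
    hdr += sect(b".text", 256, 256, 0x60000020)               # code, exec + read
    hdr += sect(b".upx1", 512, 256, 0xE0000020)               # code, exec + read + write
    return hdr.ljust(256, b"\0") + b"\x90" * 256 + bytes(range(256))
```

Running `triage_pe(build_fake_pe(0x7FFFFFFF))` reports the `.upx1` section (entropy 8.0, RWX) and the future timestamp; `cluster_key` gives the bucket used for deduplicating the feed before the YARA sweep.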