VTDiff snippets look very different from those I'd choose by manual inspection, or those that other analysts use in the YARA rules they share. Could you explain why?
The most important reasons for the difference are:
- Analysts often have more context: they write rules only after looking at the dynamic behaviour of a sample, the wider picture of droppers and C2 infrastructure used by a malware family, and so on.
- Analysts often restrict themselves mostly to text snippets (shell commands, function import names) plus one or two binary snippets. VTDiff, in contrast, gives equal weight to Binary, Ascii, WideAscii and even Domain snippets.
VTDiff can speed up the creation of rules, but you, as a security analyst, remain in control and can supplement the tool's results with extra strings and conditions tailored to your specific investigation.
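To make the contrast concrete, here is an added example (written for this page, not VTDiff output or VirusTotal code) showing the two styles side by side as YARA rules. Every string, byte pattern, import, mutex name and domain below is a constructed placeholder, not an indicator from any real sample, and the `.invalid` TLD is used so the domain cannot resolve.

```yara
// Added illustration, not from the VTDiff documentation. All patterns are
// constructed placeholders; they do not describe any real malware family.
import "pe"

// Analyst style: context-driven. A command line seen in the sandbox run,
// an import the analyst knows the family needs, and a single code snippet.
rule analyst_style_example
{
    strings:
        $cmd  = "cmd.exe /c schtasks /create" ascii      // constructed command line
        $code = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 74 }    // constructed code fragment
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("kernel32.dll", "CreateRemoteThread") and
        $cmd and $code
}

// VTDiff style: several snippet kinds, each treated as equally useful,
// chosen from file contents alone without behavioural context.
rule vtdiff_style_example
{
    strings:
        $bin  = { E8 ?? ?? ?? ?? 83 C4 10 85 C0 }       // Binary snippet (constructed)
        $asc  = "SOFTWARE\\Example\\Runtime" ascii      // Ascii snippet (constructed)
        $wide = "Global\\ExampleMutex" wide             // WideAscii snippet (constructed)
        $dom  = "update.example.invalid" ascii wide     // Domain snippet (constructed)
    condition:
        uint16(0) == 0x5A4D and 3 of ($bin, $asc, $wide, $dom)
}
```

Run either rule against a directory of samples with `yara -r rules.yar samples/`. The second rule shows what you typically get from the tool: the strings are there, but the `3 of` threshold, the MZ check and any import or behaviour-based condition are the analyst's contribution, which is exactly the kind of supplement the answer above refers to.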