
BinaryAlert: Serverless, Real-Time & Retroactive Malware Detection


BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

Read the documentation at

THOR integration

This repository fork uses THOR Thunderstorm (THOR as a web service, see ) in place of yextend and yara-python to check for YARA matches.

This integration has the following advantages:

  • Includes THOR's 15,000+ hand-crafted YARA rule set with focus on
    • APT related malware
    • Hack tools
    • Forensic artefacts
    • Obfuscation techniques
    • Web shells
  • Special file type support
    • Registry hives (full walk and IOC application)
    • Memory dumps (full YARA scan)
    • EVTX Eventlogs (log parsing and IOC application)
    • WER files (error report analysis)

You can still use your custom YARA rules alongside THOR's encrypted rule set by placing them in the ./custom-signatures/yara subfolder of THOR's program folder.

We've replaced the original YARA scanning method and reduced scanning to a single pass. Applying two rule sets one after the other takes much longer than combining them first and applying them in a single step.


This BinaryAlert fork requires

  • a THOR "service" license and
  • a THOR package for Linux (minimum version 10.6.0)

Getting Started

  1. Get a THOR 10 for Linux package
  2. Get a THOR service license from the Nextron customer portal
  3. Extract the THOR 10 for Linux package and place the license in the extracted program directory
  4. Clone this binaryalert fork git clone
  5. cd into the thor10-linux directory
  6. Add the THOR 10 program folder with the *.lic license file to in the binaryalert folder zip -ur ../binaryalert/lambda_functions/analyzer/ ./

Place the contents of the THOR package and your THOR license into lambda_functions/analyzer/.

Add Your Custom YARA Rules

Place your rules in ./rules (or better, in a dedicated subfolder within ./rules). They are initialized together with THOR's own rule set automatically.
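The two steps above (staging ./rules into THOR's custom-signatures/yara folder, then adding the THOR program folder with its *.lic license to the analyzer archive, as in the zip command under Getting Started) as one runnable script. This is an added example, not code from this fork or from Nextron. It assumes the directory layout the README describes (./rules, thor10-linux/, custom-signatures/yara), treats the archive name under lambda_functions/analyzer/ as a placeholder, and adds one check the README does not mention: since the custom rules are compiled into a single combined rule set with THOR's, a rule identifier defined twice would break that whole set, so staging refuses duplicates.

```python
"""Stage custom YARA rules into a THOR program folder and add that folder to the
BinaryAlert analyzer archive. Added example; not code from this fork or from Nextron.

Assumptions:
  * the THOR 10 for Linux package is extracted to ``thor_dir`` and the ``*.lic``
    service license sits in that directory;
  * THOR loads custom rules from ``custom-signatures/yara`` inside its program
    folder, and this repository keeps them under ``./rules``;
  * the archive name under lambda_functions/analyzer/ is a placeholder
    (``ANALYZER_ZIP``); use the fork's real archive name.
"""
import re
import shutil
import zipfile
from pathlib import Path
from typing import Dict, List

RULE_SUFFIXES = (".yar", ".yara")
ANALYZER_ZIP = Path("../binaryalert/lambda_functions/analyzer/ANALYZER_ZIP_PLACEHOLDER.zip")
# "rule Name", optionally preceded by the private/global modifiers, at line start.
RULE_NAME_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)


def rule_files(rules_dir: Path) -> List[Path]:
    """All .yar/.yara files below rules_dir, in a stable order."""
    return sorted(p for p in rules_dir.rglob("*") if p.is_file() and p.suffix in RULE_SUFFIXES)


def collect_rule_names(rules_dir: Path) -> Dict[str, List[Path]]:
    """Map each rule identifier to the files that define it (comments ignored)."""
    names: Dict[str, List[Path]] = {}
    for path in rule_files(rules_dir):
        text = path.read_text(encoding="utf-8", errors="replace")
        text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # block comments
        text = re.sub(r"//[^\n]*", "", text)                # line comments
        for match in RULE_NAME_RE.finditer(text):
            names.setdefault(match.group(1), []).append(path)
    return names


def find_duplicate_rules(rules_dir: Path) -> Dict[str, List[Path]]:
    """Identifiers defined in more than one file. YARA refuses to compile those,
    which would take the whole combined rule set down with them."""
    return {n: paths for n, paths in collect_rule_names(rules_dir).items() if len(paths) > 1}


def stage_custom_rules(rules_dir: Path, thor_dir: Path) -> List[str]:
    """Copy ./rules/** into <thor_dir>/custom-signatures/yara, keeping subfolders.
    Returns the staged paths relative to thor_dir."""
    duplicates = find_duplicate_rules(rules_dir)
    if duplicates:
        raise ValueError(f"duplicate rule identifiers: {sorted(duplicates)}")
    target = thor_dir / "custom-signatures" / "yara"
    staged: List[str] = []
    for path in rule_files(rules_dir):
        dest = target / path.relative_to(rules_dir)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        staged.append(dest.relative_to(thor_dir).as_posix())
    return staged


def package_thor(thor_dir: Path, analyzer_zip: Path) -> List[str]:
    """Add the THOR program folder (license included) to the analyzer archive.
    Mirrors `zip -ur <archive> ./` run inside thor_dir: entries are stored relative
    to thor_dir, existing members with other names are kept, and members with the
    same name are replaced. Returns the names written from thor_dir."""
    if not any(thor_dir.glob("*.lic")):
        raise FileNotFoundError(f"no THOR service license (*.lic) in {thor_dir}")
    new_entries = {p.relative_to(thor_dir).as_posix(): p
                   for p in thor_dir.rglob("*") if p.is_file()}
    kept: Dict[str, bytes] = {}
    if analyzer_zip.exists():
        with zipfile.ZipFile(analyzer_zip) as old:
            kept = {n: old.read(n) for n in old.namelist() if n not in new_entries}
    with zipfile.ZipFile(analyzer_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in kept.items():
            zf.writestr(name, data)
        for name, path in sorted(new_entries.items()):
            zf.write(path, arcname=name)
    return sorted(new_entries)


if __name__ == "__main__":
    thor = Path("./thor10-linux")
    print("staged:", stage_custom_rules(Path("./rules"), thor))
    print("packaged:", package_thor(thor, ANALYZER_ZIP))
```

Run it from the directory that holds both ./rules and the extracted thor10-linux folder. The license check runs before anything is written, so a missing *.lic fails the packaging step locally rather than at the first Lambda invocation.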

Activate Advanced Features

To activate the advanced analyzers for the file types mentioned above (registry hives, memory dumps, EVTX files, WER files), remove the --pure-yara flag in the file
