currently serving 10045 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set.

Rule                                    Date        Description
--------------------------------------  ----------  ------------------------------------------------------------
SUSP_Ncat_Like_Cmd                      25.02.2020  Detects cmd.exe run via the -e parameter, as used by ncat to execute certain binaries
MAL_CloudSnooper_Win_Feb20_1            25.02.2020  Detects Cloud Snooper Windows malware
MAL_ELF_Snoopy_Feb20_1                  25.02.2020  Detects Cloud Snooper Snoopy malware
MAL_Unknown_Packer_Feb20_1              25.02.2020  Detects unknown packer used for a CobaltStrike loader
LOG_Snoopy_Feb20_1                      25.02.2020  Detects Snoopy malware syslog messages
EXPL_CVE_2020_0668_PrivFileMove         25.02.2020  Detects unknown packer used for a CobaltStrike loader
HKTL_EXPL_DiagHub                       25.02.2020  Detects Diaghub, a tool that loads a custom DLL into system32
APT_MAL_Winnti_Feb20_1                  25.02.2020  Detects Winnti malware
APT_MAL_Turla_Carbon_Implant_Feb20_1    25.02.2020  Detects Turla Carbon (stage 2) implants
MAL_ObliqueRAT_Feb20_1                  24.02.2020  Detects ObliqueRAT malware
MAL_Netsha_Feb20_1                      24.02.2020  Detects Netsha malware
MAL_CN_Unknown_Feb20_1                  21.02.2020  Detects unknown malware used by Chinese actors
WEBSHELL_Caido_Feb20                    21.02.2020  Detects Caido webshell
WEBSHELL_ashx_Feb20                     21.02.2020  Detects various .ashx webshells
WEBSHELL_ascx_Feb20                     21.02.2020  Detects various .ascx webshells
WEBSHELL_PHPEval_Feb20                  21.02.2020  Detects a webshell that hides as a hexdump
WEBSHELL_CloakedAsPic_Feb20             21.02.2020  Detects a webshell that is cloaked as a picture
MAL_SamSam_Feb20_2                      20.02.2020  SamSam2 Ransomware
MAL_SamSam_Feb20_1                      20.02.2020  SamSam1 Ransomware
MAL_SamSam_Feb20_3                      20.02.2020  SamSam4 Ransomware
HKTL_weblogicScanner_Feb20_1            20.02.2020  JS-based scanner for web vulnerabilities
HKTL_weblogicScanner_Feb20_2            20.02.2020  JS-based scanner for web vulnerabilities
HKTL_weblogicScanner_Feb20_3            20.02.2020  JS-based scanner for web vulnerabilities
HKTL_weblogicScanner_Feb20_4            20.02.2020  JS-based scanner for web vulnerabilities
APT_HiddenCobra_Electricfish_Feb20_1    19.02.2020  Detects Electricfish malware from HiddenCobra
SUSP_ComSvcs_DLL_MiniDump_CommandLine   18.02.2020  Detects a suspicious command line making use of comsvcs.dll's exported function MiniDump to dump a process' memory
SUSP_JS_Obfuscaton_Feb20_1              18.02.2020  Detects JavaScript obfuscation
SUSP_JS_Var_A_HTTP_Header_Feb20_1       18.02.2020  Detects a JavaScript file starting with a variable declaration and URL
Webshell_Unknown_Feb20_18               18.02.2020  Detects an unknown webshell
Webshell_ASPSpyder_Feb20_1              18.02.2020  Detects ASPSpyder webshell
Webshell_PHP_Feb20_17                   18.02.2020  Detects obfuscated PHP webshell
MAL_MSIL_Agent_Kazuar_Feb20_2           18.02.2020  Detects Kazuar malware
MAL_ME_Holmium_Feb20_1                  18.02.2020  Detects Holmium malware with Middle Eastern origin
Webshell_Unknown_Feb20_4                18.02.2020  Detects an unknown webshell
Webshell_Unknown_Feb20_3                18.02.2020  Detects an unknown webshell
Webshell_Unknown_Feb20_2                18.02.2020  Detects an unknown webshell
Webshell_Unknown_Feb20_1                18.02.2020  Detects an unknown webshell
Webshell_Unknown_ASP_Feb20_1            18.02.2020  Detects unknown ASP webshell
Webshell_Unknown_ASPX_Feb20_1           18.02.2020  Detects unknown ASPX webshell
WEBSHELL_FoxKitten_Feb20_1              18.02.2020  Detects Fox Kitten webshell

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days).

Rule                                       Average AV Detection Rate  Sample Count
-----------------------------------------  -------------------------  ------------
SUSP_BAT_Aux_Jan20_1                       0.0                        3191
MAL_ToTok_Android_APK                      0.74                       19
SUSP_JS_Obfusc_JSFuck_Jan20_1              0.77                       300
HKTL_Meterpreter_InMemory_Rule             0.81                       16
APT_MAL_ME_OfficeDoc_Macro_Jun19_1         0.98                       83
EXPL_Office_TemplateInjection              1.54                       37
SUSP_Base64_Encoded_Hex_Encoded_Code       2.45                       20
SUSP_PHP_Obfuscation_GZ_Base64             3.5                        14
SUSP_VBA_Macro_WScript_KernelDLL_May19_1   3.73                       11
SUSP_LNX_PY_Binary                         4.11                       18
SUSP_Embedded_Decoy_Doc_Sep19              4.98                       65
SUSP_Hex_Encoded_Executable_with_Padding   5.67                       21
HKTL_PS_InvokeShellCode                    5.87                       15
SUSP_JS_var_OBFUSC                         7.47                       19
HKTL_BeefXSSFramework_Dec19                8.07                       15
SUSP_JS_WindowChange_Dec19                 8.27                       148
SUSP_AMSI_ByPass_Strings                   8.59                       17
HKTL_Koadic_JS_Stage                       10.2                       15
HKTL_Metasploit_Indicators                 10.59                      22
HTKL_MetasploitPayload_Android             10.83                      18
SUSP_JS_ChrW_Obfuscation                   11.0                       11
HKTL_Meterpreter_JS                        11.38                      16
SUSP_JS_Window_MoveTo_NegativeValue        11.65                      17
MAL_macOS_PY_Agent_Jul19_1                 12.21                      19
HKTL_Koadic_Shellcode_JS                   12.43                      28
SUSP_Empire_PS1_Eval_1                     12.75                      12
SUSP_EXE2MSI_Indicators_Jul19_1            13.14                      22
SUSP_PS2EXE_PowerShell2Exe_2               13.4                       58
HKTL_SecurityXploded_Tool                  14.32                      136
MAL_NyaDrop_IoT_Malware                    14.63                      214

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines matched).

Rule                                    AVs  Hash (SHA-256)
--------------------------------------  ---  ----------------------------------------------------------------
SUSP_Encoded_Scrobj_DLL                 13   aa0d1d2a995c25ee670742c6fca55ac6cb65989cf927e630c68abc40bfb2c404
MAL_XML_PowerCod_Dec18_1                13   aa0d1d2a995c25ee670742c6fca55ac6cb65989cf927e630c68abc40bfb2c404
Generic_Strings_Hacktools               10   e22e6093c6e0068c57acdd3ea914a91504cf781f1ab5c98b5f2d4995621ee647
SUSP_UPX_Autoit_Combo                   12   7ad627f17c2fcc842ee8f903250cbbcb82f213f11a41682e9692c964fafdb148
MAL_MetaSploit_Android_Stage_Jul19      12   44309b994f9cca2ea6a9527a999fb25c7c6f21a8f2c77216d2fb58d378f299bd
SUSP_UPX_Autoit_Combo                   9    c1a428401ba84bd79a2f62e3c21d00c63c76a9fa80106d978a535074baa26c50
SUSP_AutoIt_Malware_Indicator_1         6    cd5137093dd27199943859c7f5d426a94cf0917ff6a555b037841aa977a46fe4
Powershell_Suspicious_Strings           2    9f83ada4fd9b298c309c7fed68e63a67489acd306e3d7f009300c32938f4892f
SUSP_XORed_PE_ImportNames               1    0d80de07afd85f727ff654f63312979cdf2c7b3d7b0277cefc22f268af802e43
SUSP_Administrator_Desktop_Reference    2    4ed92c77fb58bf275adf604e007bc85bba3649e981a151d38b1966047dbdb480
SUSP_Administrator_Desktop_Reference    9    36dcc9fe05b1d87d09e30d544a198837edd0e1c1c43a3352e4dac8630d43ba4d
SUSP_XORed_Mozilla                      14   e8a735860c918f7ca5a1ffd1e0b7d7ef207f7bb21fc3490106920e8edbde4cac
CN_Hacktools_tools_srvany               1    58b6f0bef65ddd701c07b353248e108848d20f25e5265f462028d6f93d33a89b
CN_Hacktools_tools_srvany               2    c5e43c10aa055f28ec942f40526b9eef413545c60badbde90168ccb71da61422
SUSP_UPX_Autoit_Combo                   9    f3b2eb40d0dff12b29f7216be769b84ce368230c2f01f87aedffe25035052f47
SUSP_VMProtect_File                     14   5cba2470cb4ceec994da330ec457209f2c65b8b7a9554e01974a7a7cbbdf12f5
SUSP_VMProtect_File                     13   87b601e5e110179ffe72b4a04c7150e6742fc1a5087a353d15c2891ba1bd3ac2
SUSP_GrabBrowsingHistory_Jan20          6    2033380cf345c3c743aefffe9e261457b23ececdb6ddd6ffe21436e6f71a8696
SUSP_VMProtect_File                     8    f949ec45d3d4d59e43c6620d4c7fe65a5f081251396ac12b80c46cf7d5e1c318
SUSP_VMProtect_File                     5    c053f8718a432a5160b2b3e77769ee186531b8fe32442c9ea413862825641ef3

Top Tags in YARA Rule Set

This list shows the top tags used in our database; these tags define the subscribable categories.

Tag           Count
------------  -----
FILE          6677
EXE           4764
APT           2837
MAL           2800
HKTL          2559
DEMO          2446
T1100         1894
WEBSHELL      1863
SUSP          1379
CHINA         1042
SCRIPT        695
RUSSIA        409
T1086         399
MIDDLE_EAST   362
T1027         337
T1064         312
GEN           308
T1003         281
T1193         259
T1203         259
T1075         212
OBFUS         175
T1132         174
EXPLOIT       164
T1085         155
LINUX         151
T1178         139
T1097         139
METASPLOIT    114
T1050         112

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html