Valhalla Logo
currently serving 16001 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
SUSP_CMD_SET_Download_Indicator_Combo_Jul22
Detects a combination of indicators often found in malicious samples
04.07.2022
MAL_RANSOM_Lockbit_3_Jul22_1
Detects Lockbit 3.0 samples
04.07.2022
MAL_QBot_Droppers_Jul22_1
Detects Qbot or similar HTML droppers
04.07.2022
SUSP_LNK_Raspberry_Robin_Jul22_1
Detects characteristics found in malicious link files used by Raspberry Robin malware
03.07.2022
MAL_HKTL_StealBit_Jul22_1
Detects StealBit exfiltration tool used by ransomware groups
03.07.2022
MAL_Raspberry_Robin_Jul22_1
Detects Raspberry Robin samples
03.07.2022
MAL_Raspberry_Robin_Jul22_2
Detects Raspberry Robin samples
03.07.2022
SUSP_Chmod_Tmp_C_Code_Jul22
Detects source code that changes permissions of a file in /tmp folder, which is often found in Linux exploit code
02.07.2022
SUSP_MAL_Indicators_Jul22
Detects characteristics found ina certain protector / packer often used for malware
02.07.2022
HKTL_HookPasswordChange_Jul22_1
Detects a hacktool for Windows that hooks a password change
02.07.2022
MAL_PY_Agent_Crypto_Jul22_1
Detects malicious Python agents
02.07.2022
APT_MAL_CN_MustangPanda_Jul22_1
Detects characteristics found in Mustang Panda DLL samples
02.07.2022
SUSP_VoidFunc_Export_Jul22
Detects a suspicious export often found in hacktools
02.07.2022
SUSP_GO_Binary_VoidFunc_Export_Jul22
Detects a Go binary with a VoidFunc export often found in hacktools
02.07.2022
SUSP_OBFUSC_GO_Binary_Jul22
Detects an obfuscated Go binary, which can be malware, a hacktool or goodware, whose developer thought that obfuscating the binary would be a good idea
02.07.2022
SUSP_GO_Dropper_Indicators_Jul22
Detects a Go binary with strings often found in malicious droppers
02.07.2022
SUSP_SH_Downloader_Indicators_Jul22_1
Detects suspicious Bash code with characteristics found in malicious samples
02.07.2022
SUSP_TMP_SingleChar_Indicators_Jul22_1
Detects suspicious Bash code with characteristics found in malicious samples
02.07.2022
APT_MAL_GELSEMIUM_SessionManager_Jul22_1
Detects GELSEMIUM SessionManager malware
01.07.2022
APT_MAL_GELSEMIUM_Malware_PDB_Jul22_1
Detects GELSEMIUM credential stealer malware
01.07.2022
EXPL_Zimbra_Exploit_Jun22_1
Detects characteristics found in code exploit Zimbra vulnerabilities
30.06.2022
SUSP_Code_Indicators_Jun22_1
Detects characteristics found in exploit codes
30.06.2022
SUSP_EXPL_RTF_Indicators_Jun22_1
Detects suspicious RTF file with characteristics as found in malicious RTFs that exploit Follina like vulnerabilities
30.06.2022
MAL_RANSOM_BlackBasta_Jun22_1
Detects Black Basta ransomware
29.06.2022
MAL_LNX_RANSOM_BlackBasta_Jun22_1
Detects Black Basta ransomware for Linux
29.06.2022
APT_ME_APT34_Saitama_Agent_Jun22_1
Detects APT34's Saitama Agent
29.06.2022
APT_MAL_SnakeKeylogger_Jun22_1
Detects Snake Keylogger related samples found in report on APT34
29.06.2022
SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1
Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
29.06.2022
SUSP_RANSOM_Ransomware_Characteristics_Jun22_1
Detects characteristics often found in ransomware samples
29.06.2022
HKTL_Unknown_ShellCode_Loader_Jun22_1
Detects unknown shellcode loaders
28.06.2022
MAL_ME_Wiper_Jun22_1
Detects Dilemma Wiper malware
28.06.2022
MAL_ME_HttpService_Backdoor_Jun22_1
Detects HttpService backdoor mentioned in EvilPlayout report of attacks against Iran's state broadcaster
28.06.2022
APT_ME_MAL_MuddyWater_Jun22_1
Detects MuddyWater samples
28.06.2022
APT_MAL_IIS_Module_Jun22_1
Detects malicious IIS modules similar to rgdoor
28.06.2022
SUSP_Cmdline_Set_Casing_Anomaly_Jun22
Detects suspcious casing of the set command
28.06.2022
SUSP_MAL_Indicator_Jun22_1
Detects characteristics found in malicious .NET compiled executables
28.06.2022
HKTL_NanoDump_Jun22_3
Detects Nanodump samples based on opcode sequences
27.06.2022
HKTL_LSASS_Dump_SilentProcessExit_Jun22_1
Detects tool that dumps the LSASS process memory using WerFault
27.06.2022
HKTL_LsassSilentProcessExit_Jun22_1
Detects LSASS process dumper samples
27.06.2022
HKTL_Packed_Mimikatz_Sample_Jun22_1
Detects samples used by Chinese actor in attacks against ICS targets
27.06.2022

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_PUA_LNX_macOS_AnyDesk_Feb22_1
0.0
12
HKTL_PUA_WinTun_Jan22
0.42
12
HKTL_RMM_Client_Aug21_1
0.46
24
WEBSHELL_PHP_BeginsWith_eval_Sep21
0.59
256
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
0.6
1040
SUSP_HKTL_YsoSerial_Payload_Indicator_May22_2
0.61
23
SUSP_Eval_Base64_Indicators_Feb22_1
1.48
908
WEBSHELL_PHP_Obfuscation_Functions_Sep21
1.94
104
PUA_NetSupport_Apr22
2.34
156
SUSP_PUA_Compressed2TXT_Encoded_Feb22_1
2.35
20
SUSP_PS1_OBFUSC_Pattern_Feb22_1
2.55
88
SUSP_OBFUSC_PowerShell_Format_String_Jan22_1
2.64
64
SUSP_Encoded_Env_Public_Jun22
3.18
11
HKTL_Merlin_C2_Agent_Mar22_1
3.61
18
WEBSHELL_NeoReGeorg_Mar22_1
4.42
12
SUSP_LNX_Base64_Encoded_Webshell_Mar22
4.53
233
SUSP_Imphash_K8Tools_Jan22
4.69
26
SUSP_SFX_RAR_RunProgram_CMD_2
4.95
74
SUSP_JAVA_ByteCode_Indicators_Feb22_1
5.88
24
WEBSHELL_PHP_B64_Decoder_Oct21_1
6.45
11
SUSP_Encoded_PowerShell_Policies_Sep21_1
6.9
41
SUPS_PS1_AES_Managed_Jan22_1
7.37
19
SUSP_SMALL_ISO_Script_Feb22_1
7.5
20
SUSP_HKTL_Encoded_Hacktool_Strings_Oct21_1
8.0
12
SUSP_JS_PowerShell_Indicators_Feb22_1
8.96
28
SUSP_JS_Run_PowerShell_Jan22_1
8.96
28
SUSP_PS1_CReplace_Casing_Anomaly
9.05
19
SUSP_PUA_AnyDesk_Feb22_1
9.3
155
SUSP_Encoded_Reversed_User_Public_Nov21
10.16
25
SUSP_ASPX_PossibleDropperArtifact_Aug21
10.28
18

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
PowerShell_Case_Anomaly
3
25282f8b40e63b6be05b70ff4f8853cc5dae55d1afd03a2de6a3f07d99726181
SUSP_PS1_IEX_TextEncoding_Pattern_Feb22_1
3
25282f8b40e63b6be05b70ff4f8853cc5dae55d1afd03a2de6a3f07d99726181
Cobaltbaltstrike_Beacon_XORed_x86
14
89995a75b253a998f5455cace7445d6ab292016e0b0dd57082d355b21c3d583b
SUSP_Encoded_GetCurrentThreadId_Ext1
1
22b6f231e76727f8851c59d2236f304af67627fba9d2b689b4a08381b7ef67b3
SUSP_Double_Base64Encoded_Kernel32_Functions
1
22b6f231e76727f8851c59d2236f304af67627fba9d2b689b4a08381b7ef67b3
SUSP_Encoded_Kernel32_Functions
1
22b6f231e76727f8851c59d2236f304af67627fba9d2b689b4a08381b7ef67b3
Weevely3_A
5
bcef8a74f7309e7ab9fd0047a694c880dac23beb75a1c048a7b3893a3670c7fc
SUSP_PS1_OBFUSC_Feb22_1
14
c6e390b47003e50d23f72b42100e07783419cf32e11e2ad55fde6bb5953a5d1d
SUSP_Encoded_Kernel32_Functions
14
c6e390b47003e50d23f72b42100e07783419cf32e11e2ad55fde6bb5953a5d1d
SUSP_Bitsadmin_Pattern_Jan22_1
13
7963984a696181fb237610f28b8ede7c4a8f39aca7a7f3d2091c176c0a733083
SUSP_Bitsadmin_Pattern_Jan22_1
13
e3b6eedc7bd28492f72d926a4163efbb2339526cfc1aac5e7dd850cbd2f29d48
SUSP_Bitsadmin_Pattern_Jan22_1
14
475903e0c34d95f9db55404187537b3532bd24c581c5d91fc880e467c6150f14
SUSP_Bitsadmin_Pattern_Jan22_1
14
a2d43f629f931af80d6dc05bf64a771c5cf4c8c2acf9d481f42f60607d2af859
SUSP_Bitsadmin_Pattern_Jan22_1
14
4c360c034766c0fea28f1afef34d5f6c0e4669984803e72b5dcc071ddd348935
SUSP_NET_NAME_ConfuserEx
12
0282b0860a51abffcc4e6b7577e2edcc39c06cc3a9a3267b5158dde3381e95b9
HKTL_NET_NAME_AsStrongAsFuck
12
0282b0860a51abffcc4e6b7577e2edcc39c06cc3a9a3267b5158dde3381e95b9
SUSP_Bitsadmin_Pattern_Jan22_1
14
847f1d7446ee1974f7de4bc2832dc07cd86fbf08e4bb16f0b35776da3da864a1
PowerShell_URL_Encoded_Space
13
ef4a91067690c7ebc66c857bebb38aadfe3c94a8b41b1208a0c6a41dd2fa01e8
SUSP_Bitsadmin_Pattern_Jan22_1
13
cc1a0f745d30bce251d0655a8a1638414b2ff174143a61d3cf165cd67bfb0e39
apt_CN_Tetrisplugins_JS
11
16ad8e21c2b05fcd4e6d58fb8f3ce37f6919fa5d94c2df0d9fa6988f353d3c66

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
4917
APT
4271
Hacktools
3717
Threat Hunting
3408
Webshells
2122
Exploits
472

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020