Valhalla
currently serving 9778 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

| Rule | Description | Date |
|---|---|---|
| HKTL_Octopus_Payload_HTA_JS | Detects Octopus agent payloads | 24.01.2020 |
| HKTL_Octopus_Payload_PS1 | Detects Octopus agent payloads | 24.01.2020 |
| APT_MAL_KasperAgent_Jan20_1 | Detects KasperAgent samples | 24.01.2020 |
| MAL_macOS_Darthminer | Detects macOS Darthminer malware | 23.01.2020 |
| HKTL_CobaltStrike_PS1_Jan20_1 | Detects CobaltStrike PowerShell Dropper | 23.01.2020 |
| HKTL_ETW_False_Trigger_Injector | Detects a tool that falsely triggers ETW | 23.01.2020 |
| WEBSHELL_PHP_ME_Jan20_1 | Detects Webshell used in Middle Eastern campaigns | 22.01.2020 |
| WEBSHELL_Obfuscator_PHP_OverflowZone | Detects OverflowZone PHP Obfuscator | 22.01.2020 |
| MAL_AVKiller_Jan20_1 | Detects a malware sample referenced as AVKiller | 22.01.2020 |
| HKTL_PUA_Secure_Socket_Funneling | Detects Secure Socket Funneling - Network tool and toolkit | 22.01.2020 |
| HKTL_PUA_Secure_Socket_Funneling_UPX | Detects MuddyWater samples - from files upx-ssf, upx-ssf.exe | 22.01.2020 |
| APT_MuddWater_Helper_Jan20_1 | Detects MuddyWater samples | 22.01.2020 |
| APT_CN_Tick_Group_MZ_Header_Mod_Jan20_1 | Detects MZ modification as applied by Chinese Tick threat actor | 22.01.2020 |
| APT_CN_Tick_Group_ABK_Downloader_Jan20_1 | Detects malware used by Chinese Tick threat actor | 22.01.2020 |
| APT_CN_Tick_Group_Avirra_Downloader_Jan20_1 | Detects malware used by Chinese Tick threat actor | 22.01.2020 |
| APT_CN_Conime_PlugX_Jan20_1 | Detects malware used by Chinese Conime threat actor | 22.01.2020 |
| APT_CN_Temp_Trident_Jan20_1 | Detects malware used by Chinese Temp.Trident threat actor | 22.01.2020 |
| APT_CN_Bisonal_Malware_Jan20_1 | Detects malware used by Chinese threat actors | 22.01.2020 |
| APT_MuddyWater_MalDoc_Jan20_1 | Detects samples noticed in MuddyWater campaign | 21.01.2020 |
| MAL_Strictor_Jan20_1 | Detects Strictor Windows Trojan | 21.01.2020 |
| SUSP_MalDoc_Indicators_Jan20_1 | Detects samples that look like weaponized Office documents | 21.01.2020 |
| APT_RoyalRoad_8_T_Header_Pattern | Detects file with RoyalRoad encrypted payload magic header found in 8.t files | 21.01.2020 |
| APT_RoyalRoad_RTF_Hex_Pattern_1 | Detects RoyalRoad hex encoded payload pattern | 21.01.2020 |
| APT_RoyalRoad_RTF_Hex_Pattern_2 | Detects RoyalRoad hex encoded payload pattern | 21.01.2020 |
| WEBSHELL_JSP_MuddyWater_Jan20_1 | Detects samples noticed in MuddyWater campaign | 20.01.2020 |
| SUSP_CMD_Obfuscation_Jan20 | Detects suspicious technique to obfuscate cmd.exe | 20.01.2020 |
| SUSP_Obfusc_JS_MuddyWater_Jan20_1 | Detects obfuscation used by MuddyWater in a campaign | 20.01.2020 |
| APT_MAL_Helper_PS1_MuddyWater_Jan20_1 | Detects samples noticed in MuddyWater campaign | 20.01.2020 |
| APT_MAL_Helper_PS1_MuddyWater_Jan20_2 | Detects samples noticed in MuddyWater campaign | 20.01.2020 |
| MAL_Camp_CS_Jan20_1 | Detects samples found in a CobaltStrike / Ursnif campaign | 18.01.2020 |
| MAL_Camp_CS_Jan20_2 | Detects samples found in a CobaltStrike / Ursnif campaign | 18.01.2020 |
| MAL_Camp_CS_Jan20_3 | Detects samples found in a CobaltStrike / Ursnif campaign | 18.01.2020 |
| SUSP_JS_Obfusc_JSFuck_Jan20_1 | Detects JavaScript obfuscation technique JSFuck using a set of special characters | 18.01.2020 |
| MAL_Unknown_Camp_DE_Jan20_1 | Detects malware from campaign noticed in January 2020 | 17.01.2020 |
| MAL_Unknown_Camp_DE_Jan20_2 | Detects malware dropped in campaign noticed in January 2020 | 17.01.2020 |
| MAL_JhoneRAT_PY_EXE_Jan20_1 | Detects malware and dropped components of JhoneRAT | 17.01.2020 |
| MAL_Unknown_Packer_Jan20_1 | Detects unknown malware packer | 17.01.2020 |
| MAL_JhoneRAT_JPEG_Embedded_EXE_Jan20_1 | Detects malware and dropped components of JhoneRAT | 17.01.2020 |
| MAL_JhoneRAT_Temp_File | Detects sample dropped components of JhoneRAT - file temp1.tmp | 17.01.2020 |
| SUSP_Payload_Indicator_OleObject_Jan20_1 | Detects suspicious code sequence found in many different malicious dropper documents with embedded payloads | 17.01.2020 |

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| EXPL_Shitrix_Exploit_Code_Jan20_1 | 0.06 | 18 |
| HKTL_Meterpreter_InMemory_Rule | 0.1 | 109 |
| HKTL_Empire_Win_CSharp_Dec19_1 | 0.42 | 12 |
| HKTL_Meterpreter_JS | 1.94 | 18 |
| HKTL_Metasploit_Indicators | 2.4 | 20 |
| SUSP_JS_Obfusc_JSFuck_Jan20_1 | 2.54 | 98 |
| MAL_Obfuscated_PS1_Code_Feb19_1 | 3.0 | 13 |
| SUSP_EXPL_ExternalTemplate_Generic | 3.19 | 31 |
| SUSP_Doc_StartMenu_Startup_Reference | 4.74 | 27 |
| MAL_NET_MeterPreter_Payload_1 | 4.81 | 36 |
| SUSP_JS_WindowChange_Dec19 | 5.6 | 85 |
| SUSP_PS2EXE_PowerShell2Exe_2 | 6.85 | 20 |
| HKTL_BeefXSSFramework_Dec19 | 7.72 | 25 |
| SUSP_Obfuscation_ChrW_Feb19_1 | 8.42 | 89 |
| SUSP_Embedded_Decoy_Doc_Sep19 | 8.44 | 39 |
| SUSP_ShellCode_Variable | 9.1 | 59 |
| HKTL_DarkArmor_Imp_Jan20_1 | 9.19 | 16 |
| SUSP_Encoded_IEX_2 | 9.69 | 97 |
| HKTL_Koadic_Strings_Gen | 9.81 | 21 |
| HKTL_Veil_PS1_Nov19_1 | 10.38 | 37 |
| SUSP_Encoded_StartSleep | 10.65 | 20 |
| SUSP_JS_ChrW_Obfuscation | 11.26 | 23 |
| SUSP_OfficeDoc_Kernel32_Imports | 11.57 | 14 |
| MAL_macOS_PY_Agent_Jul19_1 | 11.71 | 34 |
| Casing_Anomaly_WindowStyle_Hidden | 11.73 | 222 |
| SUSP_Encoded_Pastebin_URL | 12.14 | 343 |
| SUSP_JS_Window_MoveTo_NegativeValue | 12.29 | 14 |
| SUSP_CryptoObfuscator | 12.73 | 51 |
| SUSP_Encoded_VBE | 12.86 | 49 |
| SUSP_XORed_MSDOS_Stub_Message | 13.0 | 3198 |

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash |
|---|---|---|
| MAL_AutoIt_Malware_Indicator_1 | 5 | f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679 |
| SUSP_AutoIt_CompScript_NET_Combo | 5 | f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679 |
| SUSP_AutoIt_Malware_Indicator_1 | 5 | f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679 |
| MAL_AutoIt_Malware_Indicator_1 | 8 | afa43f1743e0d8f9eca57a24dcf71d527b3f915995b713b592770c0048c62d86 |
| PrivEsc_PowerLine | 2 | 11abc942cf0244069f0ff1f17eb5fe14d63edd3cb320f8df60cda3b4454c2ef9 |
| SUSP_VMProtect_File | 14 | 6f7f5629281fa4c026a3ab473c49cd0afee3ae411f6fb0faffda5c02dca3602b |
| SUSP_ELF_LNX_UPX_Compressed_File | 14 | 6852f45f36651f3fd0f332d49a7005203200ef0c74b7c5066d946b589d073f55 |
| SUSP_LNK_File_Jul19_1 | 1 | 7f2cd7c648943dc088ad273e5c1e3b31aac3868a14c126fe651816a4543662c1 |
| SUSP_ELF_LNX_UPX_Compressed_File | 14 | c90753bcdc6c23cc06ca6dc304d60f112532824361990087dac527a8ea5a4425 |
| SUSP_OfficeDoc_DropperStrings_Dec18_1 | 3 | bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51 |
| SUSP_OfficeDic_Macro_Strings_Gen_Jan19_1 | 3 | bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51 |
| SUSP_OfficeDoc_Macro_Indicator_Jun19_1 | 3 | bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51 |
| SUSP_OfficeDoc_Macro_Indicator_SubAutoOpen_Jun19_2 | 1 | 0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83 |
| SUSP_TTP_VBFrame_EXECUTION | 1 | 0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83 |
| SUSP_OfficeDoc_Macro_Indicator_Jun19_1 | 1 | 0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83 |
| SUSP_Compromised_Cert_LuckyMouse | 1 | 392c45f93294217720b59a5eee24970bc161077bbc3dab0255e3b6462e249e24 |
| SUSP_Double_Base64_Encoded_Executable | 12 | 13e7554a2a433e909ede37c487f56ef496c36a30cfc4cec2441ebb17e5f33d22 |
| SUSP_ConfuserEx_Obfuscated_Gen | 13 | af53e14185aa56858d4635fcefa117c84b54a8b23723fd7ce38314720570037a |
| SUSP_ConfuserEx_Obfuscated_Gen | 8 | 442e36276925faf5eea5c9e1cd3159dbc5ce07a044d17b285b801f3b57130a9e |
| SUSP_JS_Obfuscation_Sep19_1 | 5 | dd4bcc6d20a2574438148933de61b19499e81cfe6a37b70b577ea143c8718bf4 |

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

| Tag | Count |
|---|---|
| FILE | 6504 |
| EXE | 4667 |
| APT | 2788 |
| MAL | 2735 |
| HKTL | 2493 |
| DEMO | 2446 |
| T1100 | 1839 |
| WEBSHELL | 1811 |
| SUSP | 1326 |
| CHINA | 1025 |
| SCRIPT | 663 |
| RUSSIA | 408 |
| T1086 | 364 |
| MIDDLE_EAST | 350 |
| T1027 | 323 |
| T1064 | 313 |
| GEN | 307 |
| T1003 | 272 |
| T1193 | 253 |
| T1203 | 253 |
| T1075 | 205 |
| OBFUS | 165 |
| T1132 | 162 |
| EXPLOIT | 161 |
| T1085 | 154 |
| LINUX | 146 |
| T1178 | 134 |
| T1097 | 134 |
| METASPLOIT | 112 |
| T1053 | 111 |

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html