Valhalla Logo
currently serving 11612 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
APT_MalDoc_NK_HiddenCobra_Indicators_Nov20_1
Detects files with Hidden Cobra indicators
11.11.2020
MAL_RANSOM_Pay2Key_Ransomware_Nov20_1
Detects Pay2Key Ransomware
11.11.2020
MAL_LNX_RANSOM_RansomEXX_Nov20_1
Detects RansomEXX Ransomware
11.11.2020
SUSP_Tiny_PowerShell_Execution_File
Detects a suspiciously small file with a powershell invocation
11.11.2020
SUSP_MalDoc_Indicator_VBA_Nov20_1
Detects a suspicious indicator found in malicious VBA scripts
11.11.2020
SUSP_Protonmail_in_Executable
Detects suspicious protonmail.ch address in executable
11.11.2020
HKTL_CobaltStrike_BOH_ScShell_Nov20_1
Detects indicators for a BOH version of ScShell
11.11.2020
HKTL_StandIn_Nov20_1
Detects StandIn - a small AD post-compromise toolkit
11.11.2020
APT_MAL_RU_TA505_Nov20_1
Detects TA505 malware samples
10.11.2020
MAL_Gen_Unknown_Nov20_1
Detects unknown malware samples
10.11.2020
MAL_Gen_Unknown_Nov20_2
Detects unknown malware samples
10.11.2020
APT_MAL_VN_OceanLotus_DLL_Nov20_1
Detects OceanLotus malware
09.11.2020
APT_MAL_VN_OceanLotus_RAR_Nov20_1
Detects files with similarity to RAR archives used by Ocean Lotus to ship malicious files
09.11.2020
APT_MAL_APTC44_Nov20_1
Detects malware used by APT-C-44 (Algerian Cyber Unit)
09.11.2020
APT_ME_PS1_XHunt_Nov20_1
Detects samples mentioned in xHunt report
09.11.2020
APT_SUSP_ME_Encoded_Whoami_XHunt_Nov20_1
Detects encrypted string as mentioned in xHunt report
09.11.2020
APT_RoyalRoad_WMF_Nov20_1
Detects 8.t RoyalRoad WMF files
09.11.2020
SUSP_Base64_Encoded_WhomAmI
Detects suspicious encoded whoami string that is a program to evaluate the current user name and often used in malcious or benign recon scripts
09.11.2020
SUSP_Base64_Encoded_WhomAmI_Wide
Detects suspicious encoded whoami string that is a program to evaluate the current user name and often used in malcious recon scripts
09.11.2020
SUSP_Base64_Encoded_WebLogic_Decoder
Detects suspicious base64 encoded WebLogic Base64Decode as often found in malicious code
09.11.2020
APT_MAL_LNX_UNC1945_Nov20_1
Detects UNC1945 linux malware
06.11.2020
MAL_LNX_SSHD_Backdoor_Nov20_1
Detects a Linux SSH backdoor
06.11.2020
MAL_LNX_Calypso_Nov20_1
Detects Calypso malware
06.11.2020
SUSP_MalDoc_Macro_Indicators_Nov20_1
Detects indicators of malicious Macros in Office documents
06.11.2020
SUSP_Double_Base64_Encoded_MSDOS_Stub_Nov20
Detects double base64 encoded MSDOS Stub in file
06.11.2020
SUSP_Triple_Base64_Encoded_MSDOS_Stub_Nov20
Detects triple base64 encoded MSDOS Stub in file
06.11.2020
MAL_MalDoc_CS_Loader_Nov20_1
Detects malicious documents found in a campaign with CobaltStrike payloads
05.11.2020
MAL_Dropper_Unknown_CS_Nov20_1
Detects suspicious droppers with CobaltStrike payloads
05.11.2020
EXPL_CVE_2020_14871_Nov20
Detects PoC code for CVE-2020-14871
04.11.2020
SUSP_ShellCode_x86_Bind_TCP_1337
Detects x86 bindshell code for port 1337
04.11.2020
APT_MAL_VN_OceanLotus_Dropper_RAR_Nov20_1
Detects OceanLotus droppers
03.11.2020
APT_MAL_UNC1945_Nov20_1
Detects UNC1945 malware
03.11.2020
APT_MAL_LNX_UNC1945_Nov20_3
Detects UNC1945 malware
03.11.2020
APT_UNC1945_SSH_Config_Nov20_1
Detects ssh config settings as used by UNC1945
03.11.2020
APT_UNC1945_ForensicArtefacts_Nov20_1
Detects forensic artefacts as reported in UNC1945 report
03.11.2020
APT_UNC1945_PortScanner_Nov20_1
Detects linux hacktools as mentioned in UNC1945 report
03.11.2020
APT_MalDoc_Donot_Note_Nov20_1
Detects phishing doc note used by Donot APT malicious office droppers
03.11.2020
EXPL_CVE_2017_11882_Nov20
Detects suspicious RTF documents with indicators found in documents that exploit CVE-2017-11882
03.11.2020
MAL_ComSpy_CobaltStrike_Nov20_1
Detects CobaltStrike Loader ComSpy
03.11.2020
SUSP_MalDoc_JS_Indicators_Nov20_1
Detects suspicious document with
03.11.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_JS_Obfusc_JSFuck_Jan20_1
0.0
11
SUSP_BAT_Aux_Jan20_1
0.0
2058
EXPL_CVE_2020_0796_Keywords
0.05
43
WEBSHELL_O0_obfuscation_Feb20
0.48
50
WEBSHELL_PHP_Assert_Gen_Oct20
1.82
11
WEBSHELL_ASPX_MamadWarning_Jul20_1
3.2
15
HKTL_CobaltStrike_Beacon_Indicators_Aug20_2
4.38
21
WEBSHELL_suspEval_Mar20
5.26
556
WEBSHELL_OBFUSC_Chopper_Encoded
6.0
44
WEBSHELL_PHP_mini_Jul20
6.43
23
WEBSHELL_CloakedAsPic_Feb20
6.86
21
SUSP_Modified_PEFile_Header_Anomaly
8.0
15
HKTL_PEzor_Packer_Oct20_1
8.41
17
SUSP_Encrypted_Excel_With_Macros
8.76
46
HKTL_Empire_Agent_inMemory_Jul20_1
8.89
63
WEBSHELL_phpWhitespace_Feb20
10.04
85
HKTL_MSF_Keywords_Jul20_1
10.62
13
SUSP_JS_WindowChange_Dec19
10.79
68
MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1
12.2
25
MAL_PHP_Meterpreter_Jun20
12.36
14
HKTL_Empire_Stager_Jul20_1
12.48
90
HKTL_Go_Shellcode_Loader_Apr20_1
15.14
21
HKTL_CSharp_MSBuild_CodeExecution_Jun20
15.77
83
SUSP_Encoded_PowerShell_Class
16.55
22
HKTL_Empire_Stagers_Gen_Dec19_1
16.63
65
HKTL_CS_PS1_Beacon_Aug20_1
17.0
16
HKTL_JS_OBFUSC_Loader_Indicators_Oct20_1
17.08
1255
WEBSHELL_PHP_POST_CommandReplace_Gen_Oct20
17.67
15
SUPS_MAL_Packer_Oct20_1
18.08
88
HKTL_Beacon_Analysis_Oct20_2
18.82
11

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_XORed_URL_in_EXE
8
9e17401dd42a5cf4b717da5a56491065896b4ed9147ba90fbbb68d798c10f33f
SUSP_Excel4Macro_AutoOpen
2
e0fbb4728e8c3dd6ddfd0a164418e449991db8c8dee12308cd1eccebb55f51c8
SUSP_Shellcode_Apr20_2
10
bbcf2e1bd59c9e7468f530b9254d74ba630e731c880b033eeb8f2f5ede5350be
SUSP_XORed_URL_in_EXE
6
69577be37cbab1bcc58b62958163bfd2962aa64a943199ed168da9708a2807f2
SUSP_MZ_PE_Header_Anomaly
7
53c3d8289eb7f2b195c4f7d906091e2419e57811149646567f4a1c8daba0be58
Webshell_config_jsp
12
d1a2aa25adfc41748de117c4a6db1a319ff9b51e8828a095b05357cb8b4dcdae
Webshell_JSPX_Cknife_1
12
d1a2aa25adfc41748de117c4a6db1a319ff9b51e8828a095b05357cb8b4dcdae
CN_jsp_Webshell
12
d1a2aa25adfc41748de117c4a6db1a319ff9b51e8828a095b05357cb8b4dcdae
SUSP_Obfuscation_ChrW_Feb19_1
1
67e023f53e1e6472ba002558433bceb2d7e763fe724ccae40f4d4fca6e7b8aec
SUSP_Obfuscation_ChrW_Feb19_1
1
d020f1e6db22272b8bc8593639e9870a32de9b71084372a378326fb086ef223e
SUSP_OfficeDoc_Macro_Indicator_SubAutoOpen_Jun19_2
2
cda2706e22fe242be9f169f0759384f107af6e43473685c7b867c4fe20dd0355
APT_CN_JSP_Shack2_Webshell_Apr20_1
7
d0ad85e652e2c6091af6f347aef9e918c954580609f715e376226edd12b5bc15
HKTL_JS_OBFUSC_Loader_Indicators_Oct20_1
3
0e5219747dd28946fd178a6b18c3d872c041d2334c81f0039b3b62645d2d4f8b
SUSP_Obfuscated_JAR_Allatori
14
639cea8f377887803e3c7b3066e24cf4970d4d869ad24ba460457b0e2c21f0a2
CoinMiner_Strings
5
4e3a97c89b8dbd4b9415ec2f14e251fa3227ff13962e8a41cfed2e8cd5ac36a7
SUSP_Obfuscation_ChrW_Feb19_1
1
7b94e0c307ad60e3cd9a4a7eb24710ee57a6d4253692da99588f929da1439b57
SUSP_AutoIt_CompScript_NET_Combo
9
26f6727131a69186bd0700dd70eb625fb48cc641e789f3e8c348b15fe12ff25e
SUSP_AutoIt_CompScript_NET_Combo
9
9ec824ea6f5f0813217398d8f27c21e3bb11a887b1fb667673020190481ab1d5
SUSP_MZ_DefaultStub_in_Encoded_Form
1
6cfa952d18bdf6bedf272ddace8d75a16965d9e4b8c8e5a1691ae593111a9a16
SUSP_ShellCode_Variable
1
6cfa952d18bdf6bedf272ddace8d75a16965d9e4b8c8e5a1691ae593111a9a16

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
APT
3386
Malware
3177
Hacktools
2972
Webshells
1944
Threat Hunting
1719
Exploits
219

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020