Valhalla
currently serving 8696 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
--- | --- | ---
Casing_Anomaly_Kernel32_DLL | Detects casing anomaly in kernel32.dll string | 20.07.2019
SUSP_Keywords_Caret_Obfuscation | Detects common keywords used in malicious scripts obfuscated with carets | 20.07.2019
SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | 20.07.2019
SUSP_OfficeDropper_Inject_Jul19_1 | Detects suspicious Office dropper using DLL injection method | 20.07.2019
HKTL_Cain_Abel_EXE_Jul19_1 | Detects variant of Cain and Abel tool | 19.07.2019
Webshell_PHP_Assertarray_Jul19 | Detects webshells which try to hide by using arrays | 19.07.2019
MAL_NET_Unknown_Cryptor_Jul19_1 | Detects unknown .NET cryptor | 19.07.2019
MAL_macOS_PY_Agent_Jul19_1 | Detects unknown Python based macOS agent | 19.07.2019
MAL_RAT_BlackNix_Jul19_1 | Detects BlackNix RAT | 19.07.2019
SUSP_APT_CN_PDB_MissLL_Indicator | Detects MissLL indicator in file | 19.07.2019
SUSP_PWD_Dumper_String_Cain | Detects string from password dumper tool Cain | 19.07.2019
SUSP_NET_PowerShell_Combo | Detects suspicious .NET executable with PowerShell content | 19.07.2019
SUSP_Recon_Script_Jul19 | Detects possible reconnaissance script or administrative script to evaluate system information | 19.07.2019
APT_MAL_CN_MissLL_Malware | Detects MissLL malware | 19.07.2019
APT_MAL_CN_MissLL_InjectDLL | Detects malware used by Chinese threat group | 19.07.2019
APT_APT34_PICKPOCKET_Malware_Jul19_1 | Detects APT34 PICKPOCKET malware | 19.07.2019
APT_APT34_VALUEVAULT_Jul19_1 | Detects APT34 VALUEVAULT malware | 19.07.2019
APT_ATP34_LONGWATCH_Jul19_1 | Detects APT34 LONGWATCH malware | 19.07.2019
MAL_ME_RAR_SFX_Dropper_Jul19_1 | Detects malicious RARSFX dropper used in Middle Eastern attacks | 18.07.2019
MAL_StrongPity_Jul19_1 | Detects StrongPity malware noticed in July 2019 | 18.07.2019
SUSP_RARSFX_ExtractionPath_Startup | Detects a suspicious RARSFX that extracts files to the Startup folder | 18.07.2019
APT_ElectricPowder_May19_1 | Detects Electric Powder malware noticed in May 2019 | 18.07.2019
APT_MAL_Ke3chang_Ketrican_Jul19_1 | Detects Ke3chang Ketrican malware | 18.07.2019
APT_MAL_Ke3chang_Ketrican_Jul19_2 | Detects Ke3chang Ketrican malware | 18.07.2019
APT_MAL_Ke3chang_Ketrican_Jul19_3 | Detects Ke3chang Ketrican malware | 18.07.2019
APT_MAL_Ke3chang_Okrum_Jul19_2 | Detects Ke3chang Okrum malware | 18.07.2019
APT_MAL_Ke3chang_Okrum_PNG_Embedded_DLL | Detects Okrum stego PNG with encrypted embedded DLL | 18.07.2019
APT_MAL_Ke3chang_Okrum_Jul19_1 | Detects Ke3chang Okrum malware | 18.07.2019
EXPL_CVE_2018_8174_Jul19_1 | Detects exploit code for CVE-2018-8174 | 17.07.2019
MAL_ME_Wiper_Malware_Jul19_1 | Detects unknown wiper malware | 17.07.2019
MAL_SLUB_PS1_Loader_Jul19_1 | Detects SLUB PowerShell loader | 17.07.2019
MAL_SH_EvilGnome_Jul19_1 | Detects EvilGnome malware shell script linked to Gamaredon group | 17.07.2019
MAL_ELF_EvilGnome_Jul19_1 | Detects EvilGnome malware linked to Gamaredon group | 17.07.2019
SUSP_Certutil_Copy | Detects a command that copies certutil.exe to a different location on disk | 17.07.2019
SUSP_LNX_Base64_Decode_CommandLine | Detects nothing more than a suspicious pipe into base64 that outputs into a file | 17.07.2019
SUSP_LNX_Compact_Code_Statement | Detects a suspicious compact form to write shell commands often used in exploit code | 17.07.2019
APT_KONNI_OfficeDoc_Dropper_Jul19_1 | Detects Office document malware possibly used by KONNI group | 17.07.2019
APT_KONNI_VBS_Jul19_1 | Detects persistence helper VBS possibly used by KONNI group | 17.07.2019
APT_KONNI_VBS_Jul19_2 | Detects download helper VBS possibly used by KONNI group | 17.07.2019
APT_KONNI_BAT_Jul19_1 | Detects helper BAT possibly used by KONNI group - file no1.bat | 17.07.2019

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
--- | --- | ---
Casing_Anomaly_ExecuteRequest | 0.0 | 18
SUSP_NET_Cmdline_AppData_Local_Temp | 0.0 | 11
SUSP_Office_Dropper_Strings | 0.32 | 37
SUSP_PS_Base64_CWB_String | 0.8 | 15
MAL_Webshell_Mini_PHP | 1.0 | 14
SUSP_LNX_Base64_Decode_CommandLine | 1.19 | 52
SUSP_Obfuscated_VBS_Feb19_1 | 1.75 | 12
SUSP_Encoded_IEX_2 | 1.91 | 2875
SUSP_JS_Run_Chr_Code | 2.05 | 332
SUSP_JS_ChrW_Obfuscation | 2.06 | 412
SUSP_Encoded_NewObject_NetWebclient | 2.29 | 3297
SUSP_Netsh_PortProxy_Command | 2.37 | 778
SUSP_Base64_Encoded_E_IEX | 2.58 | 1176
SUSP_SwearWord_in_Code | 2.81 | 113
Casing_Anomaly_FromBase64String | 3.38 | 24
Casing_Anomaly_SystemConvert | 3.44 | 16
SUSP_AMSI_ByPass_Strings | 3.53 | 17
SUSP_JS_StartupFolder_Ref | 3.95 | 19
MAL_MacroDropper_Jan18_1 | 4.05 | 21
SUSP_Obfuscated_JAR_Allatori | 4.43 | 14
MAL_RemCom_Backdoor_RemoteAccess | 4.92 | 13
SUSP_VBA_Macro_WScript_KernelDLL_May19_1 | 5.23 | 13
SUSP_RevShell_CmdLine_Code | 5.38 | 13
SUSP_Base64_Encoded_Hex_Encoded_Code | 5.49 | 150
SUSP_PHP_Obfuscation_GZ_Base64 | 7.15 | 13
SUSP_Caret_Obfuscation_2019_01_11 | 7.25 | 16
SUSP_Encoded_PS_DownloadString | 7.45 | 38
SUSP_Base64_Encoded_PS_Keyword | 7.55 | 11
Webshell_GIF_Cloaked_PHP_Webshell | 7.82 | 11
HKTL_Koadic_XLS_Template | 7.89 | 57

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA256)
--- | --- | ---
MAL_MS_Doc_Embedded_OLE_PE | 13 | b330fffa308df1988f2020af063eccff6196d47d0f8f2a44575acfd4fd5f4112
SUSP_Hex_Encoded_Scriptlet_Strings | 13 | b330fffa308df1988f2020af063eccff6196d47d0f8f2a44575acfd4fd5f4112
SUSP_JS_Run_Chr_Code | 2 | ca7b92f118b96e2b9f9464e2fc0469047e1bfb2e3c5ca345382b6f9796538fe7
SUSP_JS_ChrW_Obfuscation | 2 | ca7b92f118b96e2b9f9464e2fc0469047e1bfb2e3c5ca345382b6f9796538fe7
SUSP_AutoIt_Malware_Indicator_1 | 7 | 55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
SUSP_AutoIt_CompScript_NET_Combo | 7 | 55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
MAL_AutoIt_Malware_Indicator_1 | 7 | 55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
MAL_Loaderx86_Feb18_1 | 8 | 77d1ad9087f2d59b55b6c6b56dde15407626cd8c10aa0d5cf86e3d0f14882275
SUSP_JS_ChrW_Obfuscation | 2 | 7f9ac4f61b0b15d01e26b7cf7c818e49c2ae16adb0f29c5747642e0f2e848bbc
SUSP_JS_Run_Chr_Code | 2 | 7f9ac4f61b0b15d01e26b7cf7c818e49c2ae16adb0f29c5747642e0f2e848bbc
SUSP_Base64_Encoded_C_Powershell | 2 | 0b1087fb32af4f9eba1450c4173a7247d0137d0f450eae1d999a4d25be621f48
SUSP_CryptoObfuscator | 13 | a29b9d9db4978aa03bacc6da012a97d81d0d7beb1c282e0e28032fc35c189432
SUSP_JS_ChrW_Obfuscation | 2 | b363c08996b9070a01d02b938838bbc224414d96204f3cec3eceab8fd6d87c59
SUSP_JS_Run_Chr_Code | 2 | b363c08996b9070a01d02b938838bbc224414d96204f3cec3eceab8fd6d87c59
SUSP_RAR_with_PDF_Script_Obfuscation | 6 | eb86487b42023200c65589abed2d7e9de38df185cf94c50799232be4ad93a5c4
VBS_suspicious | 1 | 7be94a7bc8831620371e379773b9d7fbb2acbd271a00215bdf0c2cb3715d2b9b
SUSP_MZ_DefaultStub_in_Encoded_Form | 4 | 7a5b335efa326c2d0b58477966af18e551e47367c277abccc0e756fd06db4b3b
SUSP_WScript_Shell_Cut | 13 | 0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46
MAL_MS_Doc_Embedded_OLE_PE | 13 | 0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46
SUSP_Hex_Encoded_Scriptlet_Strings | 13 | 0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46

Top Tags in YARA Rule Set

This list shows the top tags used in our database; the tags define the subscribable rule categories

Tag | Count
--- | ---
FILE | 5743
EXE | 4128
APT | 2427
MAL | 2420
DEMO | 2420
HKTL | 2252
T1100 | 1799
WEBSHELL | 1777
SUSP | 1025
CHINA | 980
SCRIPT | 599
RUSSIA | 364
MIDDLE_EAST | 324
T1086 | 312
T1064 | 307
GEN | 301
T1027 | 266
T1003 | 261
T1203 | 224
T1193 | 224
T1075 | 190
T1132 | 142
EXPLOIT | 136
OBFUS | 136
T1178 | 134
T1097 | 134
T1085 | 134
LINUX | 129
METASPLOIT | 107
T1050 | 101

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html