Valhalla Logo
currently serving 12027 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
APT_MAL_UNC2452_CobaltStrike_Cryptor_Jan21
Detects CobaltStrike beacons based on certain characteristics
21.01.2021
HKTL_SharpSphere_Jan21
Detects a hacktool to attack VCenter
21.01.2021
HKTL_CobaltStrike_Beacon_PE_Characteristics_Jan21
Detects CobaltStrike beacons based on certain characteristics
21.01.2021
HKTL_PUA_Procdump
Looks like SysInternals Procdump
21.01.2021
SUSP_LOG_Raindrop_Artefacts_Jan21_1
Detects suspicious PowerShell invocation matching a pattern as used by the group mentioned in Raindrop report
20.01.2021
MAL_LokiBot_Jan21_1
Detects LokiBot malware
20.01.2021
MAL_RANSOM_Egregor_Jan21_1
Detects Egregor Ransomware
20.01.2021
SUSP_Double_Base64_Encoded_Strings_Dec20_File
Detects strings that have been double encoded bas64 for obfuscation
19.01.2021
SUSP_Base64_Decode_Bash_Jan21
Detects suspicious bash base64 input decoded and directly executed
19.01.2021
SUSP_Bash_IO_TCP_Stream_Jan21
Detects suspicious bash input output redirection to a TCP socket
19.01.2021
SUSP_PY_Stager_Loader_Base64_Jan21_1
Detects suspicious Python loader using and directly executing base64 encoded code
19.01.2021
SUSP_macOS_Encoded_LittleSnitch_Jan21_1
Detects suspicious base64 encoded Little Snitch keyword as used in Empire stagers for macOS
19.01.2021
SUSP_macOS_MAL_Plist_Jan21_1
Detects suspicious Plist used by Empire and mentioned in talk by Patrick Wardle
19.01.2021
SUSP_LNX_SH_Commands_Jan21_1
Detects code often found in malicious scripts for the Linux platform
19.01.2021
SUSP_LNX_Encoded_Clear_History_Jan21_1
Detects suspicious base64 encoded code to clear the shell history
19.01.2021
APT_MAL_Donot_Characteristics_Jan21_1
Detects Donot malware samples
19.01.2021
APT_MAL_Raindrop_Jan21_1
Detects Raindrop malware based on the exports pattern
19.01.2021
SUSP_Encoded_GetCurrentThreadId_FileOnly
Detects encoded keyword - GetCurrentThreadId
19.01.2021
SUSP_Encoded_WriteProcessMemory_FileOnly
Detects encoded keyword - WriteProcessMemory
19.01.2021
MAL_LNX_Mirai_Jan21_1
Detects Mirai malware
19.01.2021
MAL_IceID_PNG_Payload_Files_Jan21_1
Detects IceID PNG payload files
19.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_1
Detects Shellcode Loaders based on certain characteristics
18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_2
Detects Shellcode Loaders based on certain characteristics
18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_3
Detects Shellcode Loaders based on certain characteristics
18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_4
Detects Linux Shellcode Loaders based on certain characteristics
18.01.2021
MAL_Egregror_Loader_DLL_Jan21_1
Detects Egregor Ransomware loaders
18.01.2021
MAL_PS1_Ransomware_Payloads_Jan21_1
Detects obfuscated malicious PowerShell payloads
18.01.2021
MAL_PS1_Ransomware_Payloads_Jan21_2
Detects unknown PowerShell malware loaders
18.01.2021
MAL_Unknown_MARCUS_Jan21_1
Detects unknown malware named MARCUS and found on Virustotal
18.01.2021
HKTL_LNX_Shellcode_Loader_RC4_Jan21_1
Detects unknown shellcode loaders
18.01.2021
HKTL_VBA_ShellCode_Loader_Jan21_1
Detects unknown shellcode loaders
18.01.2021
HKTL_WIN_ShellCode_Loader_Jan21_2
Detects unknown shellcode loaders
18.01.2021
HKTL_ShellCode_Loader_Payload_x64_Jan21_1
Detects unknown shellcode loaders
18.01.2021
HKTL_Go_ShellCode_Loader_Jan21_1
Detects unknown shellcode loaders writte in Go
18.01.2021
HKTL_Covenant_Tasks_Jan21_1
Detects Covenant Task indicators
18.01.2021
HKTL_WIN_ShellCode_Loader_Jan21_3
Detects unknown shellcode loaders
18.01.2021
HKTL_AQUARMOURY_Brownie_Jan21_1
Detects AQUARMOURY Brownie
18.01.2021
HKTL_AQUARMOURY_Gnome_Generic_Driver_Jan21_1
Detects AQUARMOURY Generic Driver
18.01.2021
HKTL_AQUARMOURY_Loader_Jan21_1
Detects AQUARMOURY Loader
18.01.2021
HKTL_AQUARMOURY_ShellyCoat_Jan21_1
Detects AQUARMOURY payloads
18.01.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
HKTL_PUA_LNX_TOR_Jan21_1
0.0
18
SUSP_BAT_Aux_Jan20_1
0.0
4633
HKTL_FRP_Apr20_1
0.43
21
EXPL_CVE_2020_0796_Keywords
0.73
103
WEBSHELL_O0_obfuscation_Feb20
0.9
21
HKTL_PUA_FRP_FreeReverseProxy
2.62
29
MAL_Script_Autoit_Taurus_Dropper_Sep20_1
3.5
16
WEBSHELL_suspEval_Mar20
3.57
776
MAL_HTML_Phishing_Dec20_1
3.97
72
SUSP_Encoded_Set_Alias
4.89
28
SUSP_LNK_Rundll32_AppData_Ref_Apr20_3
5.37
652
SUSP_OBFUSC_PS1_Bypass_Jun20_2
6.83
12
WEBSHELL_OBFUSC_Chopper_Encoded
7.69
52
SUSP_Encoded_SystemReflection_Assemly_Load
7.76
33
MAL_RANSOM_HTA_Info_Oct20_1
9.09
11
HKTL_Tool_FuzzySec_Indicator_Dec20_2
9.82
34
WEBSHELL_phpWhitespace_Feb20
10.1
89
HKTL_PEzor_Packer_Oct20_1
10.17
24
HKTL_PS1_CobaltStrike_PowerShell_Loader_Dec20_1
10.23
101
WEBSHELL_PHP_mini_Jul20
10.52
29
APT_MAL_CN_BronzeUnion_Apr20_3
10.61
23
HKTL_Tool_NoAmci
11.0
18
SUSP_PHP_Base64Encoded_Nov20
11.2
20
SUSP_Encoded_Convert_ToInt16
11.83
12
SUSP_Encoded_PowerShell_Class
12.2
49
SUSP_Modified_PEFile_Header_Anomaly
12.28
58
WEBSHELL_CloakedAsPic_Feb20
12.35
26
SUSP_Encrypted_Excel_With_Macros
12.8
15
HKTL_MSF_Keywords_Jul20_1
12.95
21
SUSP_Script_PS1_PE_Injection_Indicators_Jun20_1
13.17
23

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
MAL_Backdoor_Rifle_Feb19_1
1
aa2539541569e37aeb12713c33bdbbba1683da0dba7d4263c6752ee0b19fc181
SUSP_MalDoc_JS_Indicators_Nov20_1
11
be951f5cc4a0f0bc21f278176f18e2c0633c2f5917e6c72de2afb1a02137be5d
MAL_Gen_Unknown_Nov20_2
5
ec82e729fca6d1ca4ed49ea4799531aee54906e1556196f0aae6d9735f986ed7
SUSP_MalDoc_JS_Indicators_Nov20_1
9
94b4c39993f13c145726429536075e2b27f7a174734445f4ce23be92ee54055d
SUSP_XORed_URL_in_EXE
8
6802340ffafabc23ddeb8a741b77b99500bce757bbed6f16e50c2e2129475465
SUSP_XORed_URL_in_EXE
6
8eaf271bf12cb50a7dd3a738493d5738df2c08b0be6d9162c60fac4b11ea2c07
WEBSHELL_suspEval_Mar20
4
f31f2541e05506b77d588f0b62014a9ec8a46eccae5b15461153acc032deab29
CoinMiner_Strings
4
f31f2541e05506b77d588f0b62014a9ec8a46eccae5b15461153acc032deab29
SUSP_MalDoc_JS_Indicators_Nov20_1
11
528b642b0f44e1002dfc8693ebaae7acf7167608bd68e238f7374af03624190e
OpCloudHopper_Malware_3
1
4d31cde858b09fbba7104c0560320e84374c0a5e9a8a337cc512f6169f5b2506
HackTool_MSIL_KeeFarce_1
14
5f57a576c36b67692314bf7ea2de7d0b36b4bb1e7f79d95246107235c8b9f66a
MAL_RANSOM_HTA_Info_Oct20_1
8
ee7168037bdf576e9ad7433473963d4020e76206a4648ac25e27f0e49b3df99f
Disclosed_Hacktool_Set_Feb18_RansomwareInfo
8
ee7168037bdf576e9ad7433473963d4020e76206a4648ac25e27f0e49b3df99f
SUSP_MalDoc_JS_Indicators_Nov20_1
11
18411231aedc1042d4e359e38a641e31cbc3171380172590b98518dc8d6a5e48
HackTool_MSIL_KeeFarce_1
14
034d04ab245f89ebbdb2ab8bb9fae10be7e848d83f34666a580a74fdb5440835
SUSP_Enigma_Protector
6
93a2ed8c839a3c533a535e2dd1acb34cd32bba8af16fcd8d9494d92649ee14d2
SUSP_Encoded_WscriptShell
14
38189a6991c984156879fd7c6a2e4853e9edb2d00ea6b09128d63d61e99e3480
SUSP_Encoded_FromBase64String
1
7eaa5367cddc1523e149aa70c862b5f9cdc1792c6809e71947a25de17f380ac4
SUSP_Enigma_Protector
5
83f8850e1a74c38ef5f07e83a562d83a173c100b2b0547ef13456a1d8a3be5f8
SUSP_MalDoc_JS_Indicators_Nov20_1
10
04657621d67dd076b3df57971ef8b2e93f87852d12a258a5beb4e7a2c7606b9e

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
APT
3412
Malware
2965
Hacktools
2775
Webshells
1964
Threat Hunting
1820
Exploits
199

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020