Valhalla
currently serving 9014 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
Casing_Anomaly_PsCredential | Detects PSCredential keyword with a suspicious casing | 06.09.2019
APT_APT3_Bemstour | Detects APT3 Bemstour malware | 06.09.2019
APT_MuddyWater_Dropped_VBS_Sep19_1 | Detects obfuscated VBS dropped by MuddyWater Doc | 06.09.2019
APT_MuddyWater_MalDoc_FW_Sep19_1 | Detects lure doc framework used by MuddyWater | 06.09.2019
SUSP_JS_Obfuscation_Sep19_1 | Detects a special JavaScript obfuscation | 05.09.2019
MAL_Cerbu_Sep19_1 | Detects Cerbu malware | 05.09.2019
APT_MAL_Bitter_Malware_Sep19_1 | Detects APT Bitter malware | 05.09.2019
APT_Bitter_SFX_Sep19_1 | Detects APT Bitter dropper SFX | 05.09.2019
SUSP_VBA_AutoOpen_AppData_Combo | Detects suspicious combo of keywords in VBA file | 04.09.2019
SUSP_Dropper_Keywords_ActiveX_Sep19 | Detects keywords found in malicious droppers | 04.09.2019
HKTL_PrivEsc_Mongoose_Sep4 | Detects Mongoose agent for Linux and Windows | 04.09.2019
HKTL_SharPersist | Detects hacktool SharPersist | 04.09.2019
HKTL_SharPersist_KeePass_Backdoor | Detects hacktool SharPersist KeePass implant | 04.09.2019
HKTL_QuarksPwDump_Keywords | Detects QuarksPwDump strings | 04.09.2019
MAL_AgentTesla_PE_Sep4_ | Detects Agent Tesla binary | 04.09.2019
SUSP_Encoded_UserInitMprLogonScript | Detects encoded keyword - UserInitMprLogonScript | 04.09.2019
SUSP_Nishang_Script_Keyword | Detects code used in Nishang PowerShell framework | 03.09.2019
SUSP_Embedded_Decoy_Doc_Sep19 | Detects embedded decoy documents | 03.09.2019
SUSP_Scriptlet_Keyword_Combo_Sep19 | Detects a suspicious scriptlet with different well-known keywords | 03.09.2019
SUSP_JS_Window_MoveTo_NegativeValue | Detects a JavaScript that moves the window out of sight | 03.09.2019
SUSP_HTML_sojson_encoded_Sep19 | HTML file that is encoded by sojson and probably hidden | 03.09.2019
HKTL_PS1_MSF_CheckVM | Detects a malicious PS1 script that evaluates the presence of virtual machine tools on the system | 03.09.2019
MAL_Unknown_Sept19_1 | Detects unknown malware samples | 03.09.2019
MAL_TW_VBS_Sep19_1 | Detects a malicious VBS script | 03.09.2019
MAL_TinyNuke_NukeBot_Malware_Strings | Detects strings found in TinyNuke NukeBot malware | 03.09.2019
MAL_BlackMoon_Sep19 | Binary classified as BlackMoon variant downloaded by CHM loader | 03.09.2019
MAL_CHM_LoaderComponent_Sep19 | Loader via Compiled HTML and abuse of Windows Help function | 03.09.2019
MAL_REG_LoaderComponent_Sep19 | Adds Perflog.exe located in the Recycle Bin to the registry | 03.09.2019
MAL_NoobyProtect_Sep19 | Binary classified as NoobyProtect trojan variant downloaded by CHM loader | 03.09.2019
APT_NK_Kimsuky_VBS_Sep19_1 | Detects malicious HTA used by Kimsuky group | 03.09.2019
SUSP_Encoded_RegistryKey | Detects encoded registry key | 03.09.2019
SUSP_JS_Keywords_Combo_Sep19_1 | Detects suspicious combination of keywords used in malicious JavaScript code | 02.09.2019
SUSP_DLL_Dropper_Keyword | Generic rule that detects DLL droppers | 02.09.2019
MAL_Gh0stcringe_RAT_Sep19 | Detects a variant of the Gh0stCringe RAT | 02.09.2019
MAL_RAT_MALSPAM_PE_Sep19 | Detects malicious RAT PE sent via spam mail | 02.09.2019
APT_NK_Kimsuky_Sep19_1 | Detects malware used by Kimsuky threat group | 02.09.2019
APT_NK_Kimsuky_Sep19_2 | Detects malware used by Kimsuky threat group | 02.09.2019
APT_NK_Kimsuky_Sep19_3 | Detects malware used by Kimsuky threat group | 02.09.2019
APT_NK_VBS_Unknown_Sep19_1 | Detects malicious VBScript used by NK actor | 02.09.2019
SUSP_Encoded_DownloadData | Detects encoded keyword - DownloadData | 02.09.2019

Successful YARA Rules in Set

This table lists the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
SUSP_CompileAfterDelivery_T1500 | 0.33 | 18
SUSP_PS_Base64_CWB_String | 0.38 | 16
SUSP_Base64_Encoded_ELF_Binary | 0.73 | 11
SUSP_LNX_Base64_Decode_CommandLine | 1.73 | 37
SUSP_SwearWord_in_Code | 2.39 | 83
HKTL_SilentTrinity_PS1_Posh_Stager | 2.73 | 15
SUSP_Obfuscated_JAR_Allatori | 2.92 | 13
SUSP_RevShell_CmdLine_Code | 3.05 | 19
SUSP_AMSI_ByPass_Strings | 3.44 | 16
Webshell_ASP_Tiny | 4.0 | 12
SUSP_Keyword_HideDLL | 4.93 | 15
SUSP_Encoded_IEX_2 | 5.35 | 429
SUSP_Embedded_Decoy_Doc_Sep19 | 5.44 | 77
SUSP_Nishang_Script_Keyword | 5.54 | 70
PUA_APT_Chafer_xCmdSvc_Jan19_1 | 6.73 | 22
SUSP_PHP_Obfuscation_GZ_Base64 | 8.42 | 12
SUSP_WinScriptHost_MyScript_Combo | 8.55 | 11
SUSP_Microsoft_Typo | 8.75 | 12
MAL_macOS_PY_Agent_Jul19_1 | 8.99 | 89
SUSP_Base64_Certutil | 9.16 | 383
SUSP_JS_Window_MoveTo_NegativeValue | 9.25 | 24
SUSP_Netsh_PortProxy_Command | 9.62 | 86
SUSP_PS2EXE_PowerShell2Exe_2 | 9.75 | 68
SUSP_PS1_Obfuscated_Payload_Feb19_1 | 10.14 | 29
SUSP_CryptoObfuscator | 10.22 | 54
SUSP_OfficeDoc_DropperStrings_Dec18_1 | 10.4 | 30
SUSP_Base64_Encoded_E_IEX | 10.46 | 130
SUSP_RAR_with_PDF_Script_Obfuscation | 10.86 | 66
SUSP_JS_ChrW_Obfuscation | 10.89 | 108
SUSP_JS_StartupFolder_Ref | 11.0 | 20

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
PEFILE_Header_but_no_DOS_Header | 11 | 0a97fe182728dbefdea1fa9c8d7f658b5b42c4de97fc335e25420fc289d3b267
SUSP_OfficeDoc_Kernel32_Imports | 4 | 84bd2a494ef6c11fb506cad68fd2e632cc4015bf20e88109d262d2722cff774a
SUSP_OfficeDoc_Kernel32_Imports | 4 | 70e24b11d5d96b24b42b06cc9294c35e3dd69abe7281113fee1cb865aa2c5803
SUSP_Base64_Encoded_E_IEX | 11 | 11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
SUSP_Netsh_PortProxy_Command | 11 | 11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
SUSP_Encoded_PS1_Command | 11 | 11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
SUSP_Base64_Encoded_E_IEX | 10 | 4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
SUSP_Netsh_PortProxy_Command | 10 | 4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
SUSP_Encoded_PS1_Command | 10 | 4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
SUSP_AutoIt_Indicators_Feb19_4 | 9 | b668f39946a3caddea299e84d1ad9c5d8a89de3f4af7adb3112e4af93c1de6bf
SUSP_OfficeDoc_Kernel32_Imports | 4 | 0d50bf1d2d70fb8b683f3b883e69bdc668e5a6dee19cee529b95caf3e9ef58ac
SUSP_AutoIt_Indicators_Feb19_4 | 9 | b6145287c251167e6917349fd2db811b8899071018ea3c4e7b4208d4f922c409
SUSP_AutoIt_Indicators_Feb19_4 | 11 | 9e2a43cc3b2133aa35a1e84ea88f48587078522415778e6b7c00b49ef1f1a266
SUSP_AutoIt_Indicators_Feb19_4 | 9 | 4abea67d3205f1c58f9669abb1e210f40719ed9cddc7278db628326c886b4a5b
SUSP_OfficeDoc_Kernel32_Imports | 4 | 82f198d87a5b00033276047a79185e02be844e13d385b4d28d5625e9912babb9
SUSP_AutoIt_Indicators_Feb19_4 | 10 | d57f53c09ac833f9df2b5a96c0fd9475579e08d08d9fa4f72653ed554e81ca37
SUSP_AutoIt_Indicators_Feb19_4 | 11 | ff5e1424b7c8acd7a805c7d837ef15be68b1af72106456b46d4208b8c71ac60c
SUSP_AutoIt_Indicators_Feb19_4 | 9 | e33bf186a92a9e7ea67cce993f58e7a724328d403a39b86a2efc588e867f4a9a
SUSP_VMProtect_File | 6 | dc20c6f8ff7a475e8bbdcd70604572d5afdaf1410ce8e99db0e9717149173eae
MO_Unknown_Malware_Laz | 11 | a88160185c2e0147d4aa4387aa648f93dab1a99ea9d34a2054404bbc9a6ad58d

Top Tags in YARA Rule Set

This list shows the top tags used in our database; the tags also define the subscribable categories

Tag | Count
FILE | 5961
EXE | 4288
MAL | 2536
APT | 2521
DEMO | 2429
HKTL | 2307
T1100 | 1800
WEBSHELL | 1778
SUSP | 1108
CHINA | 992
SCRIPT | 621
RUSSIA | 382
MIDDLE_EAST | 331
T1086 | 326
T1064 | 308
GEN | 301
T1027 | 288
T1003 | 265
T1203 | 236
T1193 | 236
T1075 | 190
T1132 | 150
OBFUS | 141
EXPLOIT | 140
T1085 | 138
LINUX | 135
T1178 | 134
T1097 | 134
METASPLOIT | 107
T1050 | 105

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html