Valhalla Logo
currently serving 10250 rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
APT_MAL_ViciousPanda_Chinoxy_Mar20_1
Detects Vicious Panda malware
30.03.2020
>
HKTL_PS_Octopus
Detects PowerShell Octopus Agent
30.03.2020
>
SUSP_Shellcode_Keyword_Mar20_3
Detects files with shellcode indicators
27.03.2020
SUSP_ShellExec_RunDLL_PowerShell_Combo
Detects suspicious combination of ShellExec_RunDLL with powershell
27.03.2020
>
SUSP_Shellcode_Keyword_Mar20_2
Detects unknown malware with shellcode
27.03.2020
APT_ME_Milum_Mar20_1
Detects strings used by Milum malware in-memory
27.03.2020
>
SUSP_Encoded_ReflectiveLoader
Detects encoded strings found in reflective loaders
27.03.2020
SUSP_Encoded_ShellCode
Detects encoded shellcode strings
27.03.2020
HKTL_Shellter_Payload_Mar20_1
Detects payload produced by Shellter
27.03.2020
>
HKTL_Shellter_Payload_Mar20_2
Detects Shellter samples
27.03.2020
>
HKTL_FRPSocks_Config
Detects configuration files used by FRP proxy service often used by attackers
27.03.2020
>
MAL_Unknown_PS1_Octopus_Dropper_Mar20_1
Detects unknown PowerShell Octopus dropper
27.03.2020
MAL_PS1_Octopus_Mar20_1
Detects PowerShell Octupus malware
27.03.2020
MAL_ELF_Shellcode_Injector_Mar20_1
Detects unknown Linux malware with shellcode
27.03.2020
MAL_Unknown_ReverseShell_Mar20_1
Detects unknown reverse shell samples
27.03.2020
>
MAL_Unknown_ReverseShell_Mar20_2
Detects unknown reverse shell samples
27.03.2020
>
MAL_Unknown_ReverseShell_Mar20_3
Detects unknown reverse shell samples
27.03.2020
>
MAL_Unknown_ReverseShell_Mar20_4
Detects unknown reverse shell samples
27.03.2020
>
SUSP_ECHO_IEX
Detects Hades maldoc process tree commands
25.03.2020
>
SUSP_BAT_Users_Public_Reference
Detects files with strange bat file references pointing to C:/Users/Public
25.03.2020
APT_RU_Sandworm_Mar20_1
Detects Hades maldocs
25.03.2020
>
APT_APT41_CN_CampNetscaler_Mar20_4
Detects APT41 helper scripts - file 1.txt
25.03.2020
>
APT_APT41_CN_CampNetscaler_Mar20_3
Detects APT41 service install script
25.03.2020
>
APT_APT41_CN_CampNetscaler_Mar20_2
Detects APT41 vmprotected meterpreter downloader
25.03.2020
>
APT_APT41_CN_CampNetscaler_Mar20_1
Detects strings found in APT41 attacks against Netscaler and Zoho ManageEngine Desktop Central
25.03.2020
>
APT_APT41_CN_Mar20_2
Detects malware used in APT41 campaign
25.03.2020
>
APT_APT41_CN_Mar20_1
Detects malware used in APT41 campaign
25.03.2020
>
APT_XHunt_Eye
Detects XHunt tool Eye
25.03.2020
>
APT_XHunt_Gon
Detects XHunt tool Gon
25.03.2020
>
APT_XHunt_LinkHide
Detects XHunt tool LinkHide
25.03.2020
>
APT_XHunt_Hisoka
Detects XHunt tool Hisoka
25.03.2020
>
APT_XHunt_Sakabota
Detects XHunt tool Sakabota
25.03.2020
>
APT_XHunt_Diezen
Detects XHunt tool Diezen
25.03.2020
>
APT_XHunt_Killua_C2_Commands
Detects XHunt tool Killua C2 communication
25.03.2020
>
APT_XHunt_Killua
Detects XHunt tool Killuna
25.03.2020
>
APT_XHunt_Generic_PaloAlto_Note
Detects XHunt tool Netero note
25.03.2020
>
MAL_PoshC2_Shellcode_Mar20
Detects Sharpv4 shellcode generated by PoshC2
25.03.2020
>
MAL_PoshC2_Implant_Mar20
Detects a dropped file from a PoshC2 implant
25.03.2020
>
MAL_Powershell_PowerHub_Downloader_Mar20
Detects a PowerHub downloader / AMSI disabler
25.03.2020
SUSP_Base64EncodedActiveX_Mar20
Detects a Base64 encoded call to ActiveX
25.03.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
VT
SUSP_JS_Obfusc_JSFuck_Jan20_1
0.0
5787
>
SUSP_URL_Persistence_JS
0.0
24
>
MAL_ToTok_Android_APK
0.21
19
>
HKTL_Meterpreter_InMemory_Rule
0.23
13
>
SUSP_LNX_Base64_Decode_CommandLine
0.75
24
>
SUSP_LNX_PY_Binary
0.88
48
>
SUSP_Hex_Encoded_Executable_with_Padding
1.4
20
>
SUSP_Shellcode_Keyword_Mar20_3
1.44
18
>
SUSP_PS_Function_Combo_1
1.47
15
>
SUSP_Shellcode_Keyword_Mar20
1.57
21
>
EXPL_CVE_2020_0796_Keywords
1.7
30
>
EXPL_Office_TemplateInjection
1.72
25
>
EXPL_CVE_2020_0796_POC_Mar20_1
2.0
12
>
MAL_FakeCovid_Mar20_2
2.0
42
>
SUSP_Base64_Encoded_Hex_Encoded_Code
2.09
46
>
APT_MAL_DocDropper_Nov19_1
2.64
11
>
SUSP_Embedded_Decoy_Doc_Sep19
4.45
49
>
SUSP_Reversed_LOLBAS
5.0
24
>
SUSP_AMSI_ByPass_Strings
5.05
20
>
SUSP_JS_WindowChange_Dec19
6.08
471
>
WEBSHELL_CloakedAsPic_Feb20
6.5
32
>
SUSP_RevShell_CmdLine_Code
6.53
15
>
SUSP_VBA_FileSystem_Access
7.5
105
>
HKTL_COMahawk64
7.69
13
>
SUSP_Encoded_PS_W_Hidden
7.71
14
>
SUSP_Schtasks_TaskName_Short
7.76
38
>
SUSP_PHP_Obfuscation_GZ_Base64
7.95
19
>
Webshell_Awen_ASP_NET
8.59
17
>
HKTL_BeefXSSFramework_Dec19
8.94
178
>
SUSP_JS_var_OBFUSC
8.96
51
>

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
MAL_Unknown_Loader_Mar20_1
9
dd423c768564cb43f12e6eead4e2cad6dd2f321c6dfd98c2a59b32fb98d55522
>
MAL_Unknown_Loader_Mar20_1
10
0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
>
MAL_Loaderx86_Feb18_1
10
0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
>
SUSP_RAR_with_PDF_Script_Obfuscation
4
11f74d091bbb9b5b95726a2504c3c74ab1f21eeb621bcc1b161469aca4bac896
>
SUSP_AutoIt_CompScript_NET_Combo
12
ad3853a768f78570c1b4572fbaa2b109fd86a5a7f4d426d61f192870a1ed6dca
>
SUSP_Enigma_Protector
11
0d1fb2b3c439a6683f37e6ea69c932e3ed87630057749efb5957c222ab79cf9e
>
SUSP_ConfuserEx_Obfuscated_Gen
8
174910c1bebc9d3020741c31c427ea0c09b094fd9efec2d0f37009510170d254
>
SUSP_Base32Encoded_EXE
8
174910c1bebc9d3020741c31c427ea0c09b094fd9efec2d0f37009510170d254
>
SUSP_UPX_Autoit_Combo
9
5ca5a640238c0ba36fed413556ac2bef94a9521e2450de512c1260e026ae2888
>
SUSP_UPX_Autoit_Combo
9
b3fb968a187f9b7f5d5367ef6ae129c8fcf97dbec7b7723fd01b8d4a8a504f05
>
SUSP_Enigma_Protector
4
4a72bd2f1d1328b2ff90a01b9d244d95d528aec20b7298d9e9046cb30e28fd05
>
SUSP_UPX_Autoit_Combo
8
5cc66276a73d6ed6ff3134d8cfbca7f509f0aecb4eab7b7aa75f25d06279b2b2
>
SUSP_VBA_Project_Keyword_Feb19_1
1
87b8082bbbb1664d56e557a792b932b81a12343d267adf6431b887091e7328b6
>
SUSP_OfficeDoc_Macro_Indicator_Jun19_1
11
fc59f9c5cd53b2feb8e51849ee1e9ed3fda1c3f6cd1eac3a3a9444966a0deaac
>
SUSP_Enigma_Protector
5
6e97f99dcfdafb248349c6c53cf004d2c0bced947d0951b4885a29b47f5b22db
>
SUSP_ELF_LNX_UPX_Compressed_File
13
0afff427f746bac33a85b5f0dbce50c6279fe0ba1db40a1031cfd4a70e2834ae
>
MAL_AutoIt_Malware_Indicator_1
11
d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
>
SUSP_AutoIt_CompScript_NET_Combo
11
d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
>
SUSP_AutoIt_Malware_Indicator_1
11
d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
>
SUSP_AutoIt_Indicators_Feb19_4
14
4abba380138ffc5cfaed2273f8170861a29b21b79ef6a650e190746923eac47e
>

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag
Count
FILE
6823
EXE
4871
APT
2904
MAL
2874
HKTL
2595
DEMO
2450
T1100
1911
WEBSHELL
1880
SUSP
1414
CHINA
1048
SCRIPT
706
RUSSIA
413
T1086
409
MIDDLE_EAST
363
T1027
345
T1064
313
GEN
313
T1003
283
T1193
260
T1203
260
T1075
220
OBFUS
183
T1132
182
EXPLOIT
172
T1085
156
LINUX
154
T1178
140
T1097
140
METASPLOIT
114
T1050
113

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html