Valhalla Logo
currently serving 10045 rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
SUSP_Ncat_Like_Cmd
Detects a cmd.exe run via -e parameter, as used in ncat to execute certain binaries
25.02.2020
>
MAL_CloudSnooper_Win_Feb20_1
Detects Cloud Snooper Windows malware
25.02.2020
>
MAL_ELF_Snoopy_Feb20_1
Detects Cloud Snooper Snoopy malware
25.02.2020
>
MAL_Unknown_Packer_Feb20_1
Detects unknown packer used for a CobaltStrike loader
25.02.2020
>
LOG_Snoopy_Feb20_1
Detects Snoopy malware syslog messages
25.02.2020
>
EXPL_CVE_2020_0668_PrivFileMove
Detects unknown packer used for a CobaltStrike loader
25.02.2020
>
HKTL_EXPL_DiagHub
Detects Diaghub a tool that loads a custom dll in system32
25.02.2020
>
APT_MAL_Winnti_Feb20_1
Detects Winnti malware
25.02.2020
>
APT_MAL_Turla_Carbon_Implant_Feb20_1
Detects Turla Carbon (stage 2) implants
25.02.2020
>
MAL_ObliqueRAT_Feb20_1
Detects ObliqueRAT malware
24.02.2020
>
MAL_Netsha_Feb20_1
Detects Netsha malware
24.02.2020
MAL_CN_Unknown_Feb20_1
Detects unknown malware used by Chinese actors
21.02.2020
>
WEBSHELL_Caido_Feb20
Detects Caido Webshell
21.02.2020
>
WEBSHELL_ashx_Feb20
Detects various .ashx webshells
21.02.2020
>
WEBSHELL_ascx_Feb20
Detects various .ascx webshells
21.02.2020
>
WEBSHELL_PHPEval_Feb20
Detects a Webshell that hides as a hexdump
21.02.2020
WEBSHELL_CloakedAsPic_Feb20
Detects an webshell that is cloaked as a picture
21.02.2020
MAL_SamSam_Feb20_2
SamSam2 Ransomware
20.02.2020
>
MAL_SamSam_Feb20_1
SamSam1 Ransomware
20.02.2020
>
MAL_SamSam_Feb20_3
SamSam4 Ransomware
20.02.2020
>
HKTL_weblogicScanner_Feb20_1
JS-based scanner for web vulnerabilities
20.02.2020
>
HKTL_weblogicScanner_Feb20_2
JS-based scanner for web vulnerabilities
20.02.2020
>
HKTL_weblogicScanner_Feb20_3
JS-based scanner for web vulnerabilities
20.02.2020
>
HKTL_weblogicScanner_Feb20_4
JS-based scanner for web vulnerabilities
20.02.2020
>
APT_HiddenCobra_Electricfish_Feb20_1
Detects Electricfish malware from HiddenCobra
19.02.2020
>
SUSP_ComSvcs_DLL_MiniDump_CommandLine
Detects a suspicious command line making use of comsvcs.dll's exported function MiniDump to dump a process' memory
18.02.2020
>
SUSP_JS_Obfuscaton_Feb20_1
Detects a JavaScript obfuscation
18.02.2020
>
SUSP_JS_Var_A_HTTP_Header_Feb20_1
Detects a JavaScript file starting with a variable declaration and URL
18.02.2020
>
Webshell_Unknown_Feb20_18
Detects an unknown webshell
18.02.2020
Webshell_ASPSpyder_Feb20_1
Detects ASPSpyder webshell
18.02.2020
Webshell_PHP_Feb20_17
Detects obfuscated PHP webshell
18.02.2020
MAL_MSIL_Agent_Kazuar_Feb20_2
Detects Kazuar malware
18.02.2020
>
MAL_ME_Holmium_Feb20_1
Detects Holmium malware with Middle Eastern origin
18.02.2020
>
Webshell_Unknown_Feb20_4
Detects an unknown webshell
18.02.2020
Webshell_Unknown_Feb20_3
Detects an unknown webshell
18.02.2020
Webshell_Unknown_Feb20_2
Detects an unknown webshell
18.02.2020
Webshell_Unknown_Feb20_1
Detects an unknown webshell
18.02.2020
Webshell_Unknown_ASP_Feb20_1
Detects unknown ASP webshell
18.02.2020
Webshell_Unknown_ASPX_Feb20_1
Detects unknown ASPX webshell
18.02.2020
WEBSHELL_FoxKitten_Feb20_1
Detects Fox Kitten webshell
18.02.2020
>

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
VT
SUSP_BAT_Aux_Jan20_1
0.0
3191
>
MAL_ToTok_Android_APK
0.74
19
>
SUSP_JS_Obfusc_JSFuck_Jan20_1
0.77
300
>
HKTL_Meterpreter_InMemory_Rule
0.81
16
>
APT_MAL_ME_OfficeDoc_Macro_Jun19_1
0.98
83
>
EXPL_Office_TemplateInjection
1.54
37
>
SUSP_Base64_Encoded_Hex_Encoded_Code
2.45
20
>
SUSP_PHP_Obfuscation_GZ_Base64
3.5
14
>
SUSP_VBA_Macro_WScript_KernelDLL_May19_1
3.73
11
>
SUSP_LNX_PY_Binary
4.11
18
>
SUSP_Embedded_Decoy_Doc_Sep19
4.98
65
>
SUSP_Hex_Encoded_Executable_with_Padding
5.67
21
>
HKTL_PS_InvokeShellCode
5.87
15
>
SUSP_JS_var_OBFUSC
7.47
19
>
HKTL_BeefXSSFramework_Dec19
8.07
15
>
SUSP_JS_WindowChange_Dec19
8.27
148
>
SUSP_AMSI_ByPass_Strings
8.59
17
>
HKTL_Koadic_JS_Stage
10.2
15
>
HKTL_Metasploit_Indicators
10.59
22
>
HTKL_MetasploitPayload_Android
10.83
18
>
SUSP_JS_ChrW_Obfuscation
11.0
11
>
HKTL_Meterpreter_JS
11.38
16
>
SUSP_JS_Window_MoveTo_NegativeValue
11.65
17
>
MAL_macOS_PY_Agent_Jul19_1
12.21
19
>
HKTL_Koadic_Shellcode_JS
12.43
28
>
SUSP_Empire_PS1_Eval_1
12.75
12
>
SUSP_EXE2MSI_Indicators_Jul19_1
13.14
22
>
SUSP_PS2EXE_PowerShell2Exe_2
13.4
58
>
HKTL_SecurityXploded_Tool
14.32
136
>
MAL_NyaDrop_IoT_Malware
14.63
214
>

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_Encoded_Scrobj_DLL
13
aa0d1d2a995c25ee670742c6fca55ac6cb65989cf927e630c68abc40bfb2c404
>
MAL_XML_PowerCod_Dec18_1
13
aa0d1d2a995c25ee670742c6fca55ac6cb65989cf927e630c68abc40bfb2c404
>
Generic_Strings_Hacktools
10
e22e6093c6e0068c57acdd3ea914a91504cf781f1ab5c98b5f2d4995621ee647
>
SUSP_UPX_Autoit_Combo
12
7ad627f17c2fcc842ee8f903250cbbcb82f213f11a41682e9692c964fafdb148
>
MAL_MetaSploit_Android_Stage_Jul19
12
44309b994f9cca2ea6a9527a999fb25c7c6f21a8f2c77216d2fb58d378f299bd
>
SUSP_UPX_Autoit_Combo
9
c1a428401ba84bd79a2f62e3c21d00c63c76a9fa80106d978a535074baa26c50
>
SUSP_AutoIt_Malware_Indicator_1
6
cd5137093dd27199943859c7f5d426a94cf0917ff6a555b037841aa977a46fe4
>
Powershell_Suspicious_Strings
2
9f83ada4fd9b298c309c7fed68e63a67489acd306e3d7f009300c32938f4892f
>
SUSP_XORed_PE_ImportNames
1
0d80de07afd85f727ff654f63312979cdf2c7b3d7b0277cefc22f268af802e43
>
SUSP_Administrator_Desktop_Reference
2
4ed92c77fb58bf275adf604e007bc85bba3649e981a151d38b1966047dbdb480
>
SUSP_Administrator_Desktop_Reference
9
36dcc9fe05b1d87d09e30d544a198837edd0e1c1c43a3352e4dac8630d43ba4d
>
SUSP_XORed_Mozilla
14
e8a735860c918f7ca5a1ffd1e0b7d7ef207f7bb21fc3490106920e8edbde4cac
>
CN_Hacktools_tools_srvany
1
58b6f0bef65ddd701c07b353248e108848d20f25e5265f462028d6f93d33a89b
>
CN_Hacktools_tools_srvany
2
c5e43c10aa055f28ec942f40526b9eef413545c60badbde90168ccb71da61422
>
SUSP_UPX_Autoit_Combo
9
f3b2eb40d0dff12b29f7216be769b84ce368230c2f01f87aedffe25035052f47
>
SUSP_VMProtect_File
14
5cba2470cb4ceec994da330ec457209f2c65b8b7a9554e01974a7a7cbbdf12f5
>
SUSP_VMProtect_File
13
87b601e5e110179ffe72b4a04c7150e6742fc1a5087a353d15c2891ba1bd3ac2
>
SUSP_GrabBrowsingHistory_Jan20
6
2033380cf345c3c743aefffe9e261457b23ececdb6ddd6ffe21436e6f71a8696
>
SUSP_VMProtect_File
8
f949ec45d3d4d59e43c6620d4c7fe65a5f081251396ac12b80c46cf7d5e1c318
>
SUSP_VMProtect_File
5
c053f8718a432a5160b2b3e77769ee186531b8fe32442c9ea413862825641ef3
>

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag
Count
FILE
6677
EXE
4764
APT
2837
MAL
2800
HKTL
2559
DEMO
2446
T1100
1894
WEBSHELL
1863
SUSP
1379
CHINA
1042
SCRIPT
695
RUSSIA
409
T1086
399
MIDDLE_EAST
362
T1027
337
T1064
312
GEN
308
T1003
281
T1193
259
T1203
259
T1075
212
OBFUS
175
T1132
174
EXPLOIT
164
T1085
155
LINUX
151
T1178
139
T1097
139
METASPLOIT
114
T1050
112

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html