Valhalla Logo
currently serving 16384 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
APT_MAL_DarkTortilla_Loader_Aug22_1
Detects DarkTortilla loader
18.08.2022
APT_MAL_DarkTortilla_WatchDog_Aug22_1
Detects DarkTortilla watchdog
18.08.2022
HKTL_PS1_HandleKatz_Loader_Aug22_1
Detects HandleKatz PowerShell loaders
18.08.2022
HKTL_HandleKatz_Aug22_1
Detects HandleKatz LSASS dumper
18.08.2022
SUSP_QUASAR_RAT_Schtasks_Patterns_Aug22
Detects Quasar RAT schtask patterns
18.08.2022
SUSP_PS1_Loader_Indicator_Aug22_1
Detects indicator often found in hacktool loaders
18.08.2022
SUSP_MAL_Indicators_Aug22_1
Detects suspicious opcode sequence only found in malicious or hacktool samples
18.08.2022
MAL_RunPE_Aug22_1
Detects RunPe6.dlls as described in DarkTortilla report
18.08.2022
HKTL_Imphashes_Aug22_1
Detects different hacktools based on their imphash
17.08.2022
HKTL_PS1_HoaxShell_Pattern_Aug22_1
Detects suspicious HoaxShell encoded command patterns
17.08.2022
SUSP_NGrok_IO_Reference_Aug22_1
Detects suspicious ngrok.io reference in files
16.08.2022
SUSP_HTML_Phishing_Payload_Indicators_Aug22_1
Detects suspicious ngrok.io reference in files
16.08.2022
SUSP_HTML_Base64_Phishing_Payload_Indicators_Aug22_1
Detects base64 encoded files (e.g. email attachments) with indicators found in phishing documents
16.08.2022
EXPL_DogWalk_Indicators_CVE_2022_34713_Aug22_1
Detects indicators found in payloads exploiting DogWalk vulnerability in Microsoft's Troubleshooters CVE-2022-34713
16.08.2022
APT_MAL_IronTiger_RShell_Aug22_1
Detects IronTiger malware - rshell
12.08.2022
APT_MAL_IronTiger_HyperBro_Aug22_1
Detects IronTiger malware - HyperBro
12.08.2022
APT_MAL_JS_IronTiger_Aug22_1
Detects characteristics found in Iron Tiger malware
12.08.2022
HKTL_Taihou64_Aug22_1
Detects tool to exploit LPE CVE-2015-1701
12.08.2022
HKTL_UPX_Taihou64_Aug22_2
Detects UPX compressed SharpHound components - LPE CVE-2015-1701
12.08.2022
HKTL_ZIP_SharpHound_Output_Archive_Aug22_1
Detects SharpHound output files
12.08.2022
SUSP_HKTL_SharpHound_Output_JSON_Aug22_1
Detects characteristics found in SharpHound output files
12.08.2022
SUSP_EXPL_UserAdd_Administrators_Aug22_1
Detects command line used to add a user and simultaneously add it to the local administrators group
12.08.2022
SUSP_Unknown_Dropper_Characteristics_Aug22_1
Detects characteristics found in very small droppers
12.08.2022
SUSP_PS1_Indicator_Aug22_1
Detects indicators often found in powershell downloaders
12.08.2022
HKTL_EXPL_Unknown_Aug22_1
Detects possible exploit codes for CVE-2022-24521
12.08.2022
HKTL_EXPL_Unknown_Aug22_2
Detects sequences found in exploit codes
12.08.2022
EXPL_WIN_UPX_LPE_CVE_2021_1732_Aug22_1
Detects UPX packed exploits for CVE-2021-1732 LPE
12.08.2022
EXPL_WIN_LPE_CVE_2021_1732_Aug22_1
Detects exploits for CVE-2021-1732 LPE
12.08.2022
MAL_Unknown_Droppers_Aug22_1
Detects unknown droppers
12.08.2022
MAL_RANSOM_BlueSky_Aug22_1
Detects BlueSky ransomware payloads
12.08.2022
MAL_RedLine_PS1_Downloaders_Aug22_1
Detects RedLine powershell downloaders
12.08.2022
MAL_RedLine_PS1_Downloaders_Aug22_2
Detects RedLine powershell downloaders
12.08.2022
MAL_RedLine_PS1_Downloaders_Aug22_3
Detects RedLine powershell downloaders
12.08.2022
EXPL_CLFS_LPE_CVE_2022_24521_Aug22_1
Detects possible exploit codes for CVE-2022-24521
11.08.2022
EXPL_CLFS_LPE_CVE_2022_24521_Aug22_2
Detects possible exploit codes for CVE-2022-24521
11.08.2022
MAL_Maui_Aug22
Detects Maui Ransomware and dropped batch files
11.08.2022
MAL_Socelars_Stealer_Aug22
Detects Socelars Stealer
09.08.2022
MAL_Woody_Rat_Aug_22
Detects Woody Rat
08.08.2022
MAL_Woody_RAT_Embedded_DLL_Aug_22
Detects Embedded .Net DLL in Woody Rat which provides the C2 functionality
08.08.2022
SUSP_OSX_Plist_Bash_Exec_Aug22
Detects suspicious plist file executing shell commands
05.08.2022

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_PUA_Compressed2TXT_Encoded_Feb22_1
0.07
15
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
0.38
202
WEBSHELL_PHP_BeginsWith_eval_Sep21
0.63
282
SUSP_HTML_Phishing_Payload_Indicators_Aug22_1
1.59
27
PUA_NetSupport_Apr22
1.61
345
SUSP_Eval_Base64_Indicators_Feb22_1
1.66
274
SUSP_VBA_Kernel32_Imports_Jun22_1
1.82
17
SUSP_LNX_PY_Compiled_May22
1.83
59
WEBSHELL_PHP_Obfuscation_Functions_Sep21
4.57
37
SUSP_AdvancedRun_RunAs_Privileged_User_Jan22
4.68
47
SUSP_LNX_Base64_Encoded_Webshell_Mar22
4.84
51
HKTL_Gost_Tunnel_May22
5.45
20
SUSP_OBFUSC_PowerShell_Format_String_Jan22_1
5.64
22
HKTL_VulkanRaven_CallStackSpoofer_Jul22
5.83
12
SUSP_ZIP_LNK_Small_Apr22_1
6.0
12
HKTL_BAT_Loader_Jul22_1
6.16
25
HKTL_NanoDump_Jun22_3
6.38
13
SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1
6.55
22
SUSP_SMALL_ISO_Script_Feb22_1
6.69
81
SUSP_OBFUSC_JS_May22_1
6.83
24
SUSP_Base64_Encoded_PS1_TCPClient_Jan22_1
6.92
12
SUSP_PS1_Loader_Indicators_Nov21_1
7.64
36
SUSP_SFX_RAR_RunProgram_CMD_2
7.76
25
SUSP_LSASS_Dumper_SilentProcessExit_Characteristics_Jun22_1
7.81
16
SUSP_PS1_PowerShell_Loader_Indicators_Mar22_1
7.85
20
SUSP_Encoded_VBA_Kernel32_Imports_Jun22
8.27
11
SUSP_PS1_OBFUSC_Pattern_Feb22_1
8.83
29
SUSP_FilePath_AppData_Oct21_1
9.1
77
SUSP_OBFUSC_Base64_Hacktool_Indicator_Feb22_1
9.13
23
SUSP_Encoded_PowerShell_Policies_Sep21_1
10.06
18

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_ISO_In_ZIP_Small_May22_1
1
5a66092b280ee56fa8ae6ed40e4c6499470e104fb148e1425ad97e7a346a5d83
HKTL_MoveScheduler_Sep20
1
249778376d6f2b80ba21e69586f4a2b82a8fabbb876354c89edb048600d08a82
EXPL_Office_TemplateInjection
7
e6331d3ce6148a5fdbb6fe279d17b9807dfd76a95922c31e108469bb457289ed
SUSP_Encoded_Net_ServicePointManager
12
7a12d2808fe622090cf015112b0994477fc059ec0b8c644518ddfe82f89cc013
SUSP_Encoded_StartSleep
12
7a12d2808fe622090cf015112b0994477fc059ec0b8c644518ddfe82f89cc013
SUSP_Encoded_Schtasks_Create
12
7a12d2808fe622090cf015112b0994477fc059ec0b8c644518ddfe82f89cc013
MAL_Matanbuchus_Loader_Aug22
1
a57672848ae6413e34aa979a268ccda5823a9e17d940a53ac8c6f84b416f3394
HKTL_PUA_Procdump
1
2cd75e6ecfbd0024c94c1083e5264ac79ac00728a8d1fc12685f83fcd97b1ec5
MAL_Woody_RAT_Embedded_DLL_Aug_22
1
e7b21654763943317e707aab804e21ad02ee59ea6e1c816705b236f1b667d768
SUSP_RANSOM_Note_Jul22
8
2967e1d97d32605fc5ace49a10828800fbbefcc1e010f6004a9c88ef3ecdad88
SUSP_JS_var_OBFUSC
10
96b9f35d34b32f9010db27c781742df475ba73eea57e123348512b12228553da
SUSP_JS_Obfuscation_Feb20_1
10
96b9f35d34b32f9010db27c781742df475ba73eea57e123348512b12228553da
HawkEye_Keylogger_Gen
14
3afd5bd3f5c1c77f3aaac9f96e6d3e4eda2a9dd42ca44e5d609ceff3d0071ad0
SUSP_AutoIt_Opcodes_Nov20
3
91bc61dd2e345603b5177f7e66503e505f8c0c6b6a9c53b67d8a767eb2031ab4
SUSP_PE_PasterBin_Raw_References_Nov21_1
4
8a9c932f4628c4f3f55de6effc3aa617f2535334b255a52e03c9532f27823a5d
SUSP_Base64_Encoded_Hex_Encoded_Code
2
29571b770b2789077d0653330f2937620d555fcb2cc4b7c5fac59d281fd92d44
MAL_Unknown_Apr20_3
1
e75f0672e6c0f835b3e697a79ad2d21d238af69b17bcbbd038d8aafce6416af8
SUSP_Base64_Encoded_Hex_Encoded_Code
2
a6feeec6b8636068fd055474d5fb695e9a9a97d5bdb56f611364c0351922ac48
SUSP_UPX_Autoit_Combo
8
e834b5a21009c0b5994a782c8b514d0b9c2c8bd9b1c0fe38c85b6b5d55a756b4
SUSP_Script_PS1_Indicators_Mar21_2
3
cb2e476dc5f4b907c2ff5511346f0e39d80651ab7ac57f6d0ad4a825078ade37

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
5026
APT
4303
Hacktools
3830
Threat Hunting
3561
Webshells
2135
Exploits
485

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020