New YARA Rules per Day
Newest YARA Rules
Rule
Description
Date
Ref
APT_MAL_AridViper_Samples_Gen_May19_1
Detects AridViper samples
24.05.2019
SUSP_Doc_Dropper_Strings_May91_1
Detects strings used in malicious dropper docs
24.05.2019
SUSP_PS_GetEnv_Startup
Detects suspicious PowerShell script that tries to get the location of the Startup folder
24.05.2019
>
SUSP_JS_Invoke_BAT_May19_1
Detects suspicious JavaScript file that invokes a Windows batch file
24.05.2019
SUSP_BOT_Path_May19_1
Detects suspicious reference to directory named Bot
24.05.2019
MAL_ME_NET_Malware_May19_1
Detects unknown .NET malware noticed in May 2019
24.05.2019
MAL_CobaltStrike_inMemory_Rule
Detects CobaltStrike strings in memory
24.05.2019
MAL_Unknown_Malware_May19_1
Detects unspecified malware noticed in 2019
23.05.2019
SUSP_EXPL_Win10_0day_May19_2
Detects code that contains commands that look like a Win10 0day
22.05.2019
>
APT_APT28_Strings_May19_1
Detects strings from Sofacy / APT28 article by ESET in May 2019
22.05.2019
>
Gen_AridViper_Malware_Dec17
Detects AridViper related malware spotted in December 2017
22.05.2019
SUSP_PDF_JS_Action
Detects suspicious Javascript in PDF
22.05.2019
SUSP_Obfuscation_IEX_PS1_May19_1
Detects suspicious IEX backtick obfuscation
22.05.2019
SUSP_Impacket_Sample_May19_1
Detects suspicious samples implementing impacket library
22.05.2019
MAL_PDF_JS_Templ_Dropper_May19_1
Detects suspicious Javascript in PDF that looks like a script used in droppers noticed in May 2019
22.05.2019
>
MAL_Unknown_Pass_Stealer_May19_3
dropzone - file ab3755d71bb677e4bd5684493f2a61912c6fea904aa7f78c18253778b9256fd4
22.05.2019
MAL_Unknown_Pass_Stealer_May19_2
Detects unknown password stealer
22.05.2019
MAL_Unknown_Pass_Stealer_May19_1
Detects unknown password stealer
22.05.2019
HKTL_ConsoleSniffer_May19_1
Detects unknown Console Sniffer tool
21.05.2019
SUSP_Encoded_Assembly_Load
Detects encoded keyword - Assembly.Load
21.05.2019
SUSP_MsBuild_AppData_Folder_Target
Detects suspicious msbuild config file pointing to Appdata Temp folder
21.05.2019
SUSP_OBFUSC_Caret_May19_1
Detects obfuscation techniques found in slides by Daniel Bohannon
21.05.2019
>
SUSP_OBFUSC_Strings_DB_May19_1
Detects obfuscation techniques found in slides by Daniel Bohannon in May 2019
21.05.2019
>
MAL_NanoCore_RAT_May19_1
Detetcs NanoCore RAT
21.05.2019
EXPL_RDP_CVE_2019_0708
Detects exploit code exploiting RDP vulnerabilities
20.05.2019
SUSP_RDP_Payload
Detects suspicious payloads (initial PDU) used in rare RDP tools and exploits
20.05.2019
SUSP_CobaltStrike_DB_File
Detects suspicious CobaltStrike DB file noticed in May 2019
20.05.2019
Successful YARA Rules in Set
Rule
Average AV Detection Rate
Sample Count
APT_MuddyWater_CS_CmdLine_Sep18_1
0.0
19
SUSP_MsBuild_AppData_Folder_Target
0.0
34
SUSP_Base64_Encoded_E_IEX
0.67
275
HKTL_DNSCrypt_Proxy
0.82
11
MAL_APT_Gamaredon_BAT_Apr19_1
1.25
12
SUSP_SwearWord_in_Code
1.83
12
SUSP_Encoded_IEX_2
2.02
99
SUSP_Encoded_NewObject_NetWebclient
2.95
119
SUSP_RevShell_CmdLine_Code
3.19
16
SUSP_PS_Base64_CWB_String
3.38
16
HKTL_Koadic_XLS_Template
3.76
25
SUSP_CryptoObfuscator
4.5
16
SUSP_LNX_suspicious_strings_hacking_Dec18
5.55
11
Casing_Anomaly_FromBase64String
5.57
21
SUSP_Base64_Encoded_Hex_Encoded_Code
5.67
33
SUSP_Obfuscated_VBS_Feb19_1
6.0
12
SUSP_Script_Py_SingleLiner_B64
6.5
18
SUSP_Python_OneLiner_Feb19_1
6.81
31
EXP_CVE_2018_14442
7.47
34
Casing_Anomaly_Convert_PS
7.7
27
SUSP_ELF_LNX_UPX_Compressed_File
8.16
115
MAL_NET_MeterPreter_Payload_1
8.3
23
SUSP_Encoded_PS_DownloadString
10.0
14
SUSP_PHP_Obfuscation_GZ_Base64
10.42
12
SUSP_Obfuscation_ChrW_Feb19_1
11.64
47
SUSP_Env_Var_Obfuscation
11.82
44
Casing_Anomaly_NewObject
11.87
31
SUSP_Base64_Encoded_Automation_AmsiUtils
12.27
15
Casing_Anomaly_PowerShell
12.48
282
EXPL_PDF_CVE_2018_4990_Mal_JPEG_Stream
13.56
18
Latest Matches with Low AV Detection Rate
Rule
AVs
Hash
VT
APT_MAL_BronzeUnion_CN_Mal_Cert
1
3222b6855d195528c3ee39b0cc25d40664af3dbc09c6bbb1a5b0b9368d997deb
>
SUSP_Encoded_WriteProcessMemory
6
1c2fc84bd09b03f55f083e63677704fcede033203ec71cbc050368869d428c96
>
SUSP_Encoded_GetCurrentThreadId
6
1c2fc84bd09b03f55f083e63677704fcede033203ec71cbc050368869d428c96
>
SUSP_Base64_Encoded_GetEnvironmentVariable
6
6e48e6811f2e0fa0601f82780cd5e61bd970ca094d255a43cb617628bdd5e8f6
>
SUSP_MZ_DefaultStub_in_Encoded_Form
6
6e48e6811f2e0fa0601f82780cd5e61bd970ca094d255a43cb617628bdd5e8f6
>
SUSP_VBA_Project_Keyword_Feb19_1
5
09ca983edc598ee0ce456361473da86d2faa7090b8ffaa8f5d23eb33615a8d38
>
APT_MAL_BronzeUnion_CN_Mal_Cert
2
34c7db184231535974ceff908267c1bdf272742efaa351d4e08dff12646bfd88
>
APT_MAL_BronzeUnion_CN_Mal_Cert
2
48e888ed552ad598f59be365d3f6fa31fdbf79c52962365a6e96b6711a2120d7
>
APT_MAL_BronzeUnion_CN_Mal_Cert
2
a4aaae1f7f447072f4b52a6b785c9a58c7311bead3a2b21c512a25f8f7de2210
>
APT_MAL_BronzeUnion_CN_Mal_Cert
2
9048d7367de572781bbee871fea34b185f7e1855eab215ee606690c25f35c0b2
>
SUSP_ConfuserEx_Obfuscated_Gen
13
fad77ac94f0ffd4fc6a783b7523532d404fa925b17ef41c4f9b5213b8b7522b1
>
SUSP_ConfuserEx_Obfuscated_Gen
10
dcd90bbe4be1036f476419924a5feb4906bc16e634b7af746078345bdc9be5e8
>
Top Tags in YARA Rule Set
Tag
Count
FILE
5507
EXE
3975
DEMO
2402
MAL
2363
APT
2339
HKTL
2235
T1100
1788
WEBSHELL
1766
CHINA
976
SUSP
945
SCRIPT
574
RUSSIA
367
T1064
306
MIDDLE_EAST
298
GEN
298
T1086
292
T1112
276
T1003
255
REG
242
T1027
237
T1193
197
T1203
197
T1075
190
T1085
141
T1178
134
T1097
134
T1050
131
T1132
130
EXPLOIT
129
OBFUS
121