currently serving 11301 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
APT_MAL_RU_Turla_SilentMoon_Sep20_1 | Detects Turla SilentMoon implants | 11.09.2020
APT_ME_HTML_Login_Form_Phish_Artefact_Sep20_1 | Detects HTML phishing pages used by a Middle Eastern threat group in September 2020 | 10.09.2020
HKTL_CobaltStrike_Beacon_Sep20_1 | Detects CobaltStrike Beacons | 10.09.2020
EXPL_SeManageVolumePrivilege_PrivEsc_Sep20 | Detects privilege escalation from SeManageVolumePrivilege to full admin rights | 09.09.2020
APT_Bitter_LNK_Sep20_1 | Detects .lnk files used by the Bitter group | 09.09.2020
APT_ME_MuddyWater_Pattern_Sep20_1 | Detects MuddyWater DLL loader pattern | 09.09.2020
SUSP_DLL_Loader_Sep20_1 | Detects suspicious DLL loader samples | 08.09.2020
SUSP_OfficeDoc_MalDoc_Cmd_Rundll32_Combo_Sep20 | Detects Office documents with references to command lines running rundll32 | 08.09.2020
SUSP_SFX_Cmd_ExecuteOnLoad_Sep20_1 | Detects suspicious self-extracting executables that run cmd.exe | 08.09.2020
SUSP_InternetShortcut_AppData_Reference_Sep20 | Detects suspicious .url Internet Shortcut files with references into AppData folders | 08.09.2020
SUSP_Certutil_Decode_Ping_Combo_Sep20_1 | Detects suspicious combination of a certutil command and ping | 08.09.2020
SUSP_Certificate_Base64_Content_Sep20 | Detects certificate files that embed a script or executable | 08.09.2020
SUSP_EXPL_Win_HyperV_Drv_PrivEsc_Sep20 | Detects suspicious path used in a Windows privilege escalation method exploiting the Hyper-V sandbox driver | 08.09.2020
MAL_SFX_Dropper_Sep20_1 | Detects malicious SFX dropper as used in Taurus dropper samples noticed in September 2020 | 08.09.2020
MAL_Script_Taurus_Dropper_Sep20_1 | Detects Taurus dropper samples or helpers | 08.09.2020
MAL_Script_Autoit_Taurus_Dropper_Sep20_1 | Detects Taurus dropper samples or helpers | 08.09.2020
MAL_Script_BAT_Taurus_Dropper_Sep20_1 | Detects Taurus dropper samples or helpers - file deBHfxeeSjiTsvqnjI.com | 08.09.2020
APT_MAL_NK_Lazarus_LNK_Sep20_1 | Detects Lazarus link file samples | 08.09.2020
APT_MAL_NK_Lazarus_DLL_Loader_Sep20_1 | Detects Lazarus samples | 08.09.2020
APT_MAL_NK_Lazarus_MalDoc_Sep20_1 | Detects Lazarus Office document droppers | 08.09.2020
SUSP_OBFUC_Base64_Hex_Encoded_Keywords_Sep20_1 | Detects suspicious base64 and hex encoded keywords | 07.09.2020
SUSP_OBFUC_JS_Sep20_1 | Detects obfuscated JavaScript stage 1 samples | 07.09.2020
SUSP_OBFUC_VBS_Sep20_1 | Detects obfuscated stage 1 VBS samples | 07.09.2020
SUSP_OBFUC_Hex_Encoded_Wscript_Case_Anomaly_Sep20_1 | Detects suspicious hex encoded Wscript keyword that has an uncommon casing | 07.09.2020
SUSP_ECHO_Base64_Decode_in_URL_Sep20_1 | Detects suspicious URL encoded commands that sometimes appear in webshells or exploit code | 07.09.2020
SUSP_Base64_Keyword_IR_Group_Sep20_1 | Detects suspicious encoded keyword used by an IR group in a webshell | 07.09.2020
MAL_PY_macOS_BellaRAT_Sep20_1 | Detects Bella Python RAT samples | 07.09.2020
MAL_BadUSB_Sep20_1 | Detects BadUSB samples | 07.09.2020
MAL_Unknown_Stage1_Sep20_1 | Detects unknown stage 1 samples | 07.09.2020
MAL_QBot_Sep20_1 | Detects QBot malware | 07.09.2020
APT_MAL_Eviilnum_Script_Sep20_1 | Detects scripts used by the Evilnum group | 07.09.2020
APT_MAL_PY_Eviilnum_PYVIL_Sep20_1 | Detects the Python based PYVIL RAT by the Evilnum group | 07.09.2020
APT_MAL_Eviilnum_Sep20_1 | Detects Evilnum malware | 07.09.2020
APT_MAL_JS_Eviilnum_Sep20_1 | Detects Evilnum JavaScript malware | 07.09.2020
APT_MAL_LNK_Eviilnum_Sep20_1 | Detects Evilnum malicious link file | 07.09.2020
APT_CN_TA413_MAL_Sep20_1 | Detects TA413 samples | 04.09.2020
EXPL_CVE_2020_0986_IE11_Sep20_1 | Detects samples that use code to exploit CVE-2020-0986 | 04.09.2020
APT_CN_TA413_MAL_Sep20_2 | Detects TA413 samples | 04.09.2020
MAL_Unknown_Loader_Sep20_1 | Detects suspicious sample that has characteristics of a malicious loader | 03.09.2020
MAL_Unknown_Loader_Sep20_2 | Detects suspicious sample that has characteristics of a malicious loader | 03.09.2020

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rate on their matches (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
SUSP_Usage_Exploit_Indicator_Dec19_1 | 0.0 | 12
HKTL_Meterpreter_InMemory_Rule | 0.09 | 166
SUSP_OBFUSC_PowerShell_True_Jun20_1 | 0.56 | 34
Casing_Anomaly_StringChar | 1.31 | 124
MAL_FakeCovid_Mar20_2 | 1.54 | 24
SUSP_LNX_PY_Binary | 1.65 | 17
PS1_Char_Keyword_Casing_Anomaly | 1.91 | 66
SUSP_FromBase64String_PAYLOAD_Combo | 2.6 | 60
SUSP_Shellcode_Keyword_Mar20 | 2.93 | 15
SUSP_Encrypted_Excel_With_Macros | 3.34 | 109
SUSP_Shellcode_Keyword_Mar20_3 | 4.44 | 16
SUSP_Add_User_Local_Administrators | 5.64 | 118
SUSP_GIF_Anomalies | 6.07 | 14
SUSP_Script_PS1_Deflate_Base64Decode_Jun20_1 | 6.42 | 12
SUSP_OBFUSC_PS1_Bypass_Jun20_2 | 7.98 | 44
SUSP_Linux_Downloader_Jul20_1 | 8.0 | 11
SUSP_JS_WindowChange_Dec19 | 8.84 | 919
MAL_PY2EXE_Downloader_May20_1 | 9.19 | 21
HKTL_Shellcode_Loader_Apr20_1 | 9.64 | 137
SUSP_NET_Obfuscator_Jul20_1 | 9.66 | 73
HKTL_JuicyPotato_Aug20_1 | 9.76 | 84
HKTL_MSF_Keywords_Jul20_1 | 9.87 | 15
SUSP_MZ_PE_Header_Anomaly | 9.91 | 11
SUSP_PS1_Downloader_Keyword_Combo_Apr20_1 | 10.29 | 75
SUSP_VBA_OBFUSC_Jul20_1 | 11.18 | 22
SUSP_JS_Obfuscation_Oct19_1 | 11.79 | 2453
SUSP_Encoded_PowerShell_Class | 11.88 | 42
HKTL_Empire_Agent_inMemory_Jul20_1 | 12.54 | 28
WEBSHELL_OBFUSC_Chopper_Encoded | 13.1 | 21
SUSP_JS_var_OBFUSC | 13.26 | 31

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with a low AV detection rate (between 0 and 15 AV engines flagged the sample)

Rule | AVs | Hash (SHA256)
SUSP_JS_Obfuscation_Oct19_1 | 6 | 55b025ee7bcd35d813fad0d64fba4a6c3447350db1594094d5b3975d2bfb32ca
SUSP_JS_Obfuscation_Oct19_1 | 5 | fce45f644bbee83093e82d05d4b9c820146adcd7bc47c89a65cc7930ba179237
SUSP_JS_Obfuscation_Oct19_1 | 6 | 09b0468b47fc784f9fefd56a692e63628d99b9ab52821f988b6461c6205f6314
SUSP_JS_WindowChange_Dec19 | 8 | b83d12f85698e4b46dc8fca18593df505091dd9ea560d9f581a74e84fb4d3bae
SUSP_JS_Window_MoveTo_NegativeValue | 5 | 50ef6c19f0a9484a0982613c8532a834f43fb73023c3384f258e89778c563ed2
SUSP_JS_WindowChange_Dec19 | 5 | 50ef6c19f0a9484a0982613c8532a834f43fb73023c3384f258e89778c563ed2
SUSP_JS_Obfuscation_Oct19_1 | 7 | d3f43739b3ff643065bcb5ed6b37c5f484f07b4ea6897aeb1e7a570d43406b61
SUSP_JS_Obfuscation_Oct19_1 | 5 | e8783424fcea66ea4349ee750a941d71959e93400029560e9e2c785d66fcc1d5
SUSP_JS_Obfuscation_Oct19_1 | 9 | b3502c4cc455c9b6f5c7136c2d6098f13c13837de43c5ba084df18f077a76489
SUSP_JS_Obfuscation_Oct19_1 | 8 | 13ebd5e69e179b58c1a2d1c58d45507b0a506e2a14ad84f318f5f86af26a6dfb
SUSP_JS_Obfuscation_Oct19_1 | 6 | 2d90919c7b0e98c5f345b4123368b7ef96a4c215913cdf124874449b1d36c0ba
SUSP_JS_Obfuscation_Oct19_1 | 9 | 2c994e4d1bf1ea2582d8e7d5964bfa8d1cbd74f5884d0cb88e57107421d0323e
SUSP_JS_Obfuscation_Oct19_1 | 4 | 2dd7c76c54cc6f54a6e9f0fa829049ace7b00d35d50d62f6d4822c8652dae64d
SUSP_JS_Obfuscation_Oct19_1 | 6 | a7c7662b06cb1ae01b39aeb67112079e70b8fc2bb4892002a029fdc2d9eaef67
SUSP_JS_Obfuscation_Oct19_1 | 6 | 23781016c2a31c33f8344c3a47ef3f8c9a26ef2650411f98c0238e7fd7b32d43
SUSP_JS_Obfuscation_Sep19_1 | 3 | 634fc9b586ea83626c3d5437ec3aeeb99dc0ed70666ecbc8faaeb283f345b4ee
SUSP_JS_Obfuscation_Oct19_1 | 3 | 634fc9b586ea83626c3d5437ec3aeeb99dc0ed70666ecbc8faaeb283f345b4ee
SUSP_JS_Obfuscation_Oct19_1 | 6 | 87b6b4245afa3e19514ce53397b78d4cc9c58ab4f530f95c45021f911049d306
SUSP_JS_Obfuscation_Oct19_1 | 7 | f98663646c21599afd83c6cdb5e2a9882e56fdcbe1fcc884dd3f91e691e006a4
SUSP_JS_Obfuscation_Oct19_1 | 6 | 3ffc88d7bc5afc581644650e67f9b9234322820cbd000a2c37536389d136646d

Rules Per Category

This list shows the number of rules in each subscribable category (categories overlap, as a single rule can belong to several categories)

Tag | Count
APT | 3295
Malware | 3095
Hacktools | 2890
Webshells | 1915
Threat Hunting | 1646
Exploits | 203

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (a privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded
  • The filesystem scan has to be activated
  • The target locations (paths to scan) have to be defined
  • Matches are reported under Nessus plugin ID 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html