Valhalla Logo
currently serving 11018 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
MAL_LNX_SystemdMiner_Aug20_1
Detects SystemdMiner linux malware samples
03.08.2020
HKTL_PS1_LovelyPotato_Aug20
Detects Lovely-Potato hack tool
03.08.2020
HKTL_JuicyPotato_Aug20_1
Detects static build of JuicyPotato
03.08.2020
HKTL_JuicyPotato_Aug20_2
Detects variantes of Rotten and Juicy Potato
03.08.2020
HKTL_JuicyPotato_Aug20_3
Detects variantes of Rotten and Juicy Potato
03.08.2020
HKTL_JuicyPotato_Aug20_4
Detects variantes of Rotten and Juicy Potato
03.08.2020
HKTL_JuicyPotato_Aug20_5
Detects variantes of Rotten and Juicy Potato
03.08.2020
HKTL_RedTeam_Indicator_Aug20_1
Detects tools of an unknown Red Team
03.08.2020
HKTL_CobaltStrike_Beacon_Indicators_Aug20_1
Detects CobaltStrike beacons
03.08.2020
HKTL_CobaltStrike_Beacon_Indicators_Aug20_2
Detects CobaltStrike beacons
03.08.2020
HKTL_CobaltStrike_Beacon_Indicators_Aug20_3
Detects CobaltStrike beacons
03.08.2020
HKTL_CobaltStrike_Beacon_Indicators_Aug20_4
Detects CobaltStrike beacons
03.08.2020
HKTL_CobaltStrike_PS1_Beacon_Indicators_Aug20_1
Detects CobaltStrike PowerShell beacons
03.08.2020
HKTL_Meterpreter_Stager_Aug20_1
Detects meterpreter stagers
03.08.2020
HKTL_JS_Unknown_Stager_Aug20_1
Detects an unknown JavaScript stager
03.08.2020
HKTL_Meterpreter_Stager_Aug20_2
Detects Meterpreter stagers
03.08.2020
HKTL_Grunt_Stager_Aug20_1
Detects Covenant Grunt stagers
03.08.2020
HKTL_MSF_TinyStager_Aug20_1
Detects various stagers
03.08.2020
HKTL_NothStarStager_Aug20_1
Detects unknown stager named NothStar
03.08.2020
HKTL_Rozena_Stager_Aug20_1
Detects Metasploit related stager
03.08.2020
HKTL_TinyStager_Variant_Stager_Aug20_2
Detects variations of TinyStager
03.08.2020
HKTL_Covenant_GruntStager_Source_Aug20_1
Detects Covenant stager as source code
03.08.2020
HKTL_ProtonShell_Stager_Aug20_1
Detects Proton Shell stagers
03.08.2020
APT_MAL_Lazarus_Aug20_1
Detects Lazarus malware
03.08.2020
APT_MAL_NK_Lazarus_OpNorthStar_Aug20_1
Detects samples mentioned in report on Operation North Star
03.08.2020
APT_MAL_NK_Lazarus_LNK_OpNorthStar_Aug20_1
Detects malicious .lnk files mentioned in report Operation North Star
03.08.2020
APT_MAL_CN_TAIDOOR_RAT_Aug20_2
Detects samples related to a report on TAIDOOR malware
03.08.2020
APT_MAL_CN_TAIDOOR_RAT_Aug20_1
Detects TAIDOOR malware (also tracked as Taurus RAT)
03.08.2020
APT_MAL_CN_TAIDOOR_RAT_INI_File_Aug20_1
Detects .ini file created by TAIDOOR malware
03.08.2020
SUSP_WScriptShell_Obfuscation_Aug20_1
Detects suspicious string split in WScript Shell statement
03.08.2020
SUSP_LNX_Linux_Malware_Indicators_Aug20_1
Detects indicators often found in linux malware samples
03.08.2020
WEBSHELL_PHP_mini_Jul20
Detects webshell from a bigger webshell collection - file mini.php
31.07.2020
WEBSHELL_PHP_configkillerionkros_Jul20
Detects webshell from a bigger webshell collection
31.07.2020
WEBSHELL_PHP_php_web_shell_Jul20
Detects webshell from a bigger webshell collection
31.07.2020
WEBSHELL_PHP_BloodSecV4_Jul20
Detects BloodSec v4 webshell
31.07.2020
APT_MAL_CN_MustangPanda_Jul20_3
Detects Mustang Panda malware samples
31.07.2020
APT_MAL_CN_MustangPanda_Imp_Jul20_4
Detects Mustang Panda malware samples
31.07.2020
APT_MAL_CN_MustangPanda_CobaltStrike_Jul20_4
Detects Mustang Panda CobaltStrike samples
31.07.2020
APT_MAL_CN_MustangPanda_Jul20_5
Detects Mustang Panda samples based on PDB path
31.07.2020
APT_MAL_Donot_Jul20_1
Detects Donot group malware
31.07.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_CobaltGroup_Malware_Aug19_1
0.08
12
HKTL_Empire_Win_CSharp_Dec19_1
0.09
11
HKTL_Socat_Jul20_1
0.18
11
SUSP_RAR_Single_Doc_File
0.18
307
APT_RoyalRoad_8_T_Header_Pattern
1.0
13
SUSP_OBFUSC_PS1_Bypass_Jun20_1
2.05
20
APT_OBFUC_Payload_RoyalRoad_Jul20_1
2.16
19
EXPL_Office_TemplateInjection
2.35
20
SUSP_Shellcode_Keyword_Mar20_3
2.42
12
SUSP_CreateMutex_Script
3.0
13
SUSP_Hex_Encoded_Executable_with_Padding
4.29
17
SUSP_Shellcode_Keyword_Mar20
4.46
13
SUSP_CreateObject_RegWrite_Combo
5.05
19
SUSP_Embedded_Decoy_Doc_Sep19
5.34
113
SUSP_JS_WindowChange_Dec19
5.64
1844
SUSP_OBFUSC_PS1_Bypass_Jun20_2
7.14
50
SUSP_Payload_Analysis_Jul20_4
7.21
28
MAL_PY2EXE_Downloader_May20_1
7.3
70
SUSP_Multiple_MinerNames_in_File
7.39
23
HKTL_MSF_Keywords_Jul20_1
7.75
28
WEBSHELL_CloakedAsPic_Feb20
7.83
24
MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1
8.33
15
HKTL_Empire_Bypasses_Dec19_1
8.5
12
SUSP_Encoded_Set_Alias
8.96
282
SUSP_MZ_PE_Header_Anomaly
9.1
83
SUSP_Encoded_PowerShell_Class
9.55
284
SUSP_Encoded_Convert_ToInt16
9.57
37
Casing_Anomaly_LocalTemp
9.7
23
HKTL_Shellcode_Loader_Apr20_1
9.72
88
SUSP_JS_Obfuscation_Oct19_1
10.03
2983

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_JS_WindowChange_Dec19
8
09562b45c9bfd65fefa602fdd21f4302a489e790caae1c320f8e15da5fb1a419
Casing_Anomaly_createobject
8
e8efc688941d76a7648026557132d8d49bcbd6bc941aaefc29543640d47a8265
WScriptShell_Keyword_Casing_Anomaly
8
e8efc688941d76a7648026557132d8d49bcbd6bc941aaefc29543640d47a8265
SUSP_AutoIt_Indicators_Feb19_4
5
0bde4afe8508c120461a26be9ec39273da00980221edbee0383e40c072fb0dca
PUA_CryptoMiner_Jan19_1
2
0b45ed5c58ca45ccdfff20b0614e8dec48c12bec5631b7d78d2c2d32b0498e8a
MAL_Unknown_Loader_Mar20_1
8
5d29c51e22b69843ce56ca54b063d764479220fdee4b8a040a5ad440c771c5ad
PEFILE_Header_but_no_DOS_Header
3
b6995882f8901ccb70a3fa2ff4ece3c7c80246a29e6ccfb494828e121a375732
PEFILE_Header_but_no_DOS_Header
3
d4e6cdd1571986ee2965a37b25afccfeb1a1813343aee763dabc17e60c04ca5a
SUSP_PowerShelll_Command_Rare_CmdLine_Arguments
4
e0f2cffe27e9baedb19f391aaaa2ffff9b1aa0985cf46691168cd0ae42d2fb0b
PEFILE_Header_but_no_DOS_Header
3
fe04b296f725d3d7f3048d8ca6d4a9d24e37b5b9045cfc3ab7bca2b08c895606
PEFILE_Header_but_no_DOS_Header
3
285efdcec413d63bc3e5b5b28b82ed73f8a1bd9c98a6760369424746e3d4aa95
PEFILE_Header_but_no_DOS_Header
3
68282677c8adb0d63f0da1c3ee32743799393e71dac9cd0c98a655f2c79fe980
PEFILE_Header_but_no_DOS_Header
3
9227999dbccaf9f7140a6e9196f46953005b6f35b3b16a83173ac06c2bd27433
PEFILE_Header_but_no_DOS_Header
3
0eef6ee7b559edf62c76586f209676b43cf516d610451b65ca463989ac6aecbc
PEFILE_Header_but_no_DOS_Header
3
322a622f49ef24715639ca452b916464c6631b713fee40440868683a3bb16d06
PEFILE_Header_but_no_DOS_Header
2
8d65e33c98791637684c30c0c193b03069f33f868b04bdc196c66488629c6143
PUA_CryptoMiner_Jan19_1
2
8d65e33c98791637684c30c0c193b03069f33f868b04bdc196c66488629c6143
PEFILE_Header_but_no_DOS_Header
3
9e7225591f7166205704a0a12215b562ef69508d0e3c0f99605e9207f561b533
PEFILE_Header_but_no_DOS_Header
3
dc11506fbbe7b15fedbde742c511f197a3d37c8854dc52d504d923275ba91f36
PEFILE_Header_but_no_DOS_Header
2
6ad8ce46e945d34a5eafeb56efa100f022cc0dafd6daba47e31850f62493e8a5

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
APT
3196
Malware
3034
Hacktools
2798
Webshells
1910
Threat Hunting
1594
Exploits
192

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
  Warning: Access to VALHALLA is rate-limited. Once you prove unworthy, access gets denied.
  Nextron Systems 2020