Valhalla Logo
currently serving 9227 rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
SUSP_Administrator_Desktop_Reference
Detects suspicious reference in file to Administrator desktop
19.10.2019
SUSP_URL_Persistence_JS
Detects an .url file that points to an IP address - possible URL persistence
19.10.2019
>
MAL_ME_Unknown_NET_Oct19_1
Detects unknown .NET malware
19.10.2019
MAL_ME_Unknown_NET_Oct19_2
Detects unknown .NET malware
19.10.2019
EXPL_PulseSecureSSLVPN_CVE_2019_11510
Detects exploit code or attempts of Pulse Secure SSL VPN vulnerability with CVSS score 10
17.10.2019
>
APT_APT29_Ghost_Dukes_Oct19_1
Detects APT29 malware
17.10.2019
>
APT_APT29_RegDuke_Oct19_1
Detects RegDuke malware
17.10.2019
>
APT_APT29_RegDuke_Oct19_2
Detects RegDuke malware
17.10.2019
>
APT_APT29_FatDuke_Oct19_1
Detects FatDuke malware
17.10.2019
>
APT_APT29_LiteDuke_Oct19_1
Detects LiteDuke malware
17.10.2019
>
SUSP_Protected_by_NET_Reactor
Detects suspicious .NET executable protected by .NET Reactor
17.10.2019
>
APT_Kimsuky_Malware_Oct19_1
Detects Kimsuky malware
17.10.2019
>
SUSP_Rundll32_Ordinal
Detects suspicious rundll32 invocation by ordinal
17.10.2019
>
SUSP_MSF_Keyword_File_Oct19_1
Detects a metasploit filename reference in file
17.10.2019
>
SUSP_PlusSign_VBS_Excel_Obfuscation
Detects a method that splits strings using plus signs
17.10.2019
SUSP_PlusSign_WScript_Obfuscation
Detects a method that splits strings using plus signs
17.10.2019
MAL_Unknown_Keyword_Combo_Oct19_1
Detects malware that has characteristics of PolyglotDuke
17.10.2019
>
MAL_Unknown_UA_Combo_Oct19_1
Detects suspicious User-Agent combination as found in malware like APT29s Fatduke malware
17.10.2019
>
MAL_ME_VBS_Malware_Obfuscation_Oct19_1
Detects unknown VBS malware dropper
17.10.2019
>
EXPL_Solaris_11_XScreenSaver
Detects exploit code to exploit Solaris XScreensaver vulnerability
16.10.2019
>
SUSP_Deadbeef_Info
Detects suspicious keyword in file
16.10.2019
>
MAL_BlackRemote_BlackRAT_Oct19_1
Detects BlackRAT malware
16.10.2019
>
MAL_TA505_Malware_Oct19_1
Detects TA505 related malware
16.10.2019
>
MAL_TA505_Malware_Oct19_2
Detects TA505 related malware
16.10.2019
>
MAL_TA505_Malware_Oct19_3
Detects TA505 related malware
16.10.2019
>
CRIME_CobaltGang_Malware_Oct19_1
Detects CobaltGang malware
16.10.2019
>
MAL_Xmrig_CoinMiner_Malware
Detects XMRIG coin miner malware
16.10.2019
EXPL_Sudo_PrivEsc_CVE_2019_14287
Detects sudo privilege escalation attack exploiting CVE-2019-14287
15.10.2019
>
APT_Lazarus_Malware_Oct19_2
Detects Lazarus malware
15.10.2019
>
APT_APT28_Zebrocy_Oct19_1
Detects APT28 Zebrocy malware
15.10.2019
>
APT_CN_Mirage_Malware_Oct19_1
Detects Mirage malware
15.10.2019
>
SUSP_Responder_Error_Page_404
Detects 404 error page created by Responder using a hard-coded timestamp
15.10.2019
>
SUSP_LOL_Packer
Detects suspicious LOL packer
15.10.2019
SUSP_UserAgent_Mozilla_4
Detects suspicious old user agent embedded in executable
15.10.2019
>
MAL_NyaDrop_IoT_Malware
Detects NyaDrop IoT malware
15.10.2019
>
APT_NK_OpRedSalt_Malware_Oct19_3
Detects Operation Red Salt related malware
14.10.2019
>
APT_NK_OpRedSalt_Malware_Oct19_2
Detects Operation Red Salt related malware
14.10.2019
>
APT_NK_OpRedSalt_Malware_Oct19_1
Detects Operation Red Salt related malware
14.10.2019
>
APT_Winnti_NET_Injector_Oct19_1
Detects Winnti .NET injector
14.10.2019
>
APT_Winnti_VBS_Injector_Oct19_1
Detects Winnti VBS injector
14.10.2019
>

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
HKTL_ladpdomaindump_bloodhound
0.0
12
SUSP_CompileAfterDelivery_T1500
0.0
14
Casing_Anomaly_ExecuteRequest
0.05
19
SUSP_PS_Base64_CWB_String
0.15
13
SUSP_Scheduled_Task_AppData_Folder
0.17
12
SUSP_Netsh_PortProxy_Command
1.94
114
APT_WebShell_Tiny_1
2.55
22
SUSP_Base64_Encoded_Hex_Encoded_Code
2.98
126
MAL_VBS_ME_May19_1
3.25
12
SUSP_Scriptlet_Keyword_Combo_Sep19
3.4
15
HKTL_SilentTrinity_PS1_Posh_Stager
3.46
13
SUSP_Embedded_Decoy_Doc_Sep19
3.99
70
SUSP_RevShell_CmdLine_Code
4.0
13
SUSP_Hex_Encoded_WScript_Shell
4.84
19
SUSP_PHP_Obfuscation_GZ_Base64
5.45
11
SUSP_LNX_Base64_Decode_CommandLine
5.46
103
SUSP_SwearWord_in_Code
5.81
120
MAL_NET_MeterPreter_Payload_1
7.36
440
SUSP_Base64_Encoded_E_IEX
7.38
48
PUA_APT_Chafer_xCmdSvc_Jan19_1
7.6
15
SUSP_OfficeDoc_DropperStrings_Dec18_1
8.24
29
MAL_Predator_JS_Dropper
8.3
53
SUSP_Nishang_Script_Keyword
8.55
33
SUSP_PS2EXE_PowerShell2Exe_2
8.55
64
SUSP_Env_Var_Obfuscation
8.87
15
HKTL_SilentTrinity_Wmic_XLS_Stager
8.92
24
MAL_macOS_PY_Agent_Jul19_1
9.0
54
SUSP_RTF_HexEncodedLibImports_Aug19
9.39
18
SUSP_AMSI_ByPass_Strings
9.97
31
MAL_TA505_Campaign_Oct19_4
10.36
89

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
PEFILE_Header_but_no_DOS_Header
9
e19090e9a679ba4ff5239cd0039baa29206b65f2ff4a5c201adc0277842b12eb
>
SUSP_ConfuserEx_Obfuscated_Gen
2
170a0cd8359f2d977402aba7373744d0243059ce14c3482aa4224802aaf8ac9a
>
SUSP_VBA_AutoOpen_AppData_Combo
14
31ba4682a4173e6058fdcb02885e305e97edb157ebcf18a8fd69e4ead1c0f316
>
SUSP_UPX_Autoit_Combo
2
a746ad93b5ba379e8d918a4968c7a1e77a2fc6d2e6c6b1d8e87f7cc840245223
>
SUSP_AutoIt_CompScript_NET_Combo
2
58aade102002058be1af41c5f2a016e30eef4320df370b0f2e64f14a55750dab
>
SUSP_AutoIt_Indicators_Feb19_4
2
58aade102002058be1af41c5f2a016e30eef4320df370b0f2e64f14a55750dab
>
SUSP_VBA_AutoOpen_AppData_Combo
10
bf1e832d6610023323cf085ada6d65bdec9815462248af46478685cc795f80a0
>
MAL_Loaderx86_Feb18_1
11
1b29f49c15687c8b2cab69955613b51dfa4713d0a795a9d69dbf5666caf299ea
>
SUSP_VBA_AutoOpen_AppData_Combo
7
5d894180130ba2398c5441a5f2c85272e20a5091cc830712f48e6e0f67f05490
>
Embedded_PE_File
3
49f91036d289da7d9d00055f460c13edb68634c087678983e1f0eee8cbb4d581
>
SUSP_Base64_Encoded_UserAgent_String
9
023eb9078b47cd01760ac13c7b16564ec9f3c07101b57354f5158348abf299c1
>
Embedded_PE_File
11
5dd27bde9a21c34c1c9f5368b10991a6791f5b93f24d180ed97563ad1666aed0
>
Embedded_PE_File
7
7273b994d6437a0f89ae7f580945b95f1759c391801c5ddf45aa83e679058a92
>
MAL_AutoIt_Malware_Indicator_1
8
7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
>
SUSP_AutoIt_Malware_Indicator_1
8
7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
>
SUSP_AutoIt_Indicators_Feb19_4
8
7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
>
SUSP_Base64_Encoded_UserAgent_String
2
be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
>
SUSP_Base64_UserAgent_Definition
2
be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
>
SUSP_ExploitTool_Keywords_Mar19_1
2
be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
>
SUSP_CredStore_GUID_UnsignedBinary
9
42e8e163f599d27cb340a17f738657c78073f778854ec941ebae6104c5f33d84
>

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag
Count
FILE
6130
EXE
4408
MAL
2638
APT
2617
DEMO
2438
HKTL
2312
T1100
1800
WEBSHELL
1778
SUSP
1199
CHINA
1005
SCRIPT
635
RUSSIA
397
MIDDLE_EAST
338
T1086
335
T1064
308
GEN
301
T1027
294
T1003
267
T1203
242
T1193
242
T1075
191
T1132
152
T1085
146
OBFUS
145
EXPLOIT
144
LINUX
139
T1178
135
T1097
135
T1050
109
METASPLOIT
107

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html