Valhalla Logo
currently serving 8696 rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
Casing_Anomaly_Kernel32_DLL
Detects casing anomaly in kernel32.dll string
20.07.2019
SUSP_Keywords_Caret_Obfuscation
Detects common keywords used in malicious scripts obfuscated with carets
20.07.2019
SUSP_PowerShell_Caret_Obfuscation_2
Detects powershell keyword obfuscated with carets
20.07.2019
SUSP_OfficeDropper_Inject_Jul19_1
Detects suspicious Office dropper using DLL injection method
20.07.2019
>
HKTL_Cain_Abel_EXE_Jul19_1
Detects variant of Cain and Abel tool
19.07.2019
Webshell_PHP_Assertarray_Jul19
Detects Webshells which try to hide by using Arrays
19.07.2019
>
MAL_NET_Unknown_Cryptor_Jul19_1
Detects Unknown .NET Cryptor
19.07.2019
MAL_macOS_PY_Agent_Jul19_1
Detects unknown Pyton based macOS agent
19.07.2019
>
MAL_RAT_BlackNix_Jul19_1
Detects BlackNix RAT
19.07.2019
>
SUSP_APT_CN_PDB_MissLL_Indicator
Detects MissLL indicator in file
19.07.2019
SUSP_PWD_Dumper_String_Cain
Detects string from password dumper tool Cain
19.07.2019
>
SUSP_NET_PowerShell_Combo
Detects suspicious .NET executable with PowerShell content
19.07.2019
SUSP_Recon_Script_Jul19
Detects possible reconnaissance script or administrative script to evaluate system information
19.07.2019
>
APT_MAL_CN_MissLL_Malware
Detects MissLL malware
19.07.2019
>
APT_MAL_CN_MissLL_InjectDLL
Detects malware used by Chinese threat group
19.07.2019
>
APT_APT34_PICKPOCKET_Malware_Jul19_1
Detects APT34 PICKPOCKET malware
19.07.2019
>
APT_APT34_VALUEVAULT_Jul19_1
Detects APT34 VALUEVAULT malware
19.07.2019
>
APT_ATP34_LONGWATCH_Jul19_1
Detects APT34 LONGWATCH malware
19.07.2019
>
MAL_ME_RAR_SFX_Dropper_Jul19_1
Detects malicious RARSFX dropper used in Middle Eastern attacks
18.07.2019
MAL_StrongPity_Jul19_1
Detects StrongPity malware noticed in July 2019
18.07.2019
>
SUSP_RARSFX_ExtractionPath_Startup
Detects a suspicious RARSFX that extracts files to the Startup folder
18.07.2019
APT_ElectricPowder_May19_1
Detects Electric Powder malware noticed in May 2019
18.07.2019
>
APT_MAL_Ke3chang_Ketrican_Jul19_1
Detects Ke3chang Ketrican malware
18.07.2019
>
APT_MAL_Ke3chang_Ketrican_Jul19_2
Detects Ke3chang Ketrican malware
18.07.2019
>
APT_MAL_Ke3chang_Ketrican_Jul19_3
Detects Ke3chang Ketrican malware
18.07.2019
>
APT_MAL_Ke3chang_Okrum_Jul19_2
Detects Ke3chang Okrum malware
18.07.2019
>
APT_MAL_Ke3chang_Okrum_PNG_Embedded_DLL
Detects Okrum Stego PNG with encrypted embedded DLL
18.07.2019
>
APT_MAL_Ke3chang_Okrum_Jul19_1
Detects Ke3chang Okrum malware
18.07.2019
>
EXPL_CVE_2018_8174_Jul19_1
Detects exploit code for CVE-2018-8174
17.07.2019
>
MAL_ME_Wiper_Malware_Jul19_1
Detects unknown wiper malware
17.07.2019
>
MAL_SLUB_PS1_Loader_Jul19_1
Detects SLUB PowerShell Loader
17.07.2019
>
MAL_SH_EvilGnome_Jul19_1
Detects EvilGnome malware shell script linked to Gamaredon group
17.07.2019
>
MAL_ELF_EvilGnome_Jul19_1
Detects EvilGnome malware linked to Gamaredon group
17.07.2019
>
SUSP_Certutil_Copy
Detects a command that copies certutil.exe to a different location on disk
17.07.2019
SUSP_LNX_Base64_Decode_CommandLine
Detects nothing more than a suspicious pipe into base64 that outputs into a file
17.07.2019
>
SUSP_LNX_Compact_Code_Statement
Detects a suspicious compact form to write shell commands often used in expoit codes
17.07.2019
>
APT_KONNI_OfficeDoc_Dropper_Jul19_1
Detects Office document malware possibly used by KONNI group
17.07.2019
>
APT_KONNI_VBS_Jul19_1
Detects persistence helper VBS possibly used by KONNI group
17.07.2019
>
APT_KONNI_VBS_Jul19_2
Detects download helper VBS possibly used by KONNI group
17.07.2019
>
APT_KONNI_BAT_Jul19_1
Detects helper BAT possibly used by KONNI group - file no1.bat
17.07.2019
>

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Casing_Anomaly_ExecuteRequest
0.0
18
SUSP_NET_Cmdline_AppData_Local_Temp
0.0
11
SUSP_Office_Dropper_Strings
0.32
37
SUSP_PS_Base64_CWB_String
0.8
15
MAL_Webshell_Mini_PHP
1.0
14
SUSP_LNX_Base64_Decode_CommandLine
1.19
52
SUSP_Obfuscated_VBS_Feb19_1
1.75
12
SUSP_Encoded_IEX_2
1.91
2875
SUSP_JS_Run_Chr_Code
2.05
332
SUSP_JS_ChrW_Obfuscation
2.06
412
SUSP_Encoded_NewObject_NetWebclient
2.29
3297
SUSP_Netsh_PortProxy_Command
2.37
778
SUSP_Base64_Encoded_E_IEX
2.58
1176
SUSP_SwearWord_in_Code
2.81
113
Casing_Anomaly_FromBase64String
3.38
24
Casing_Anomaly_SystemConvert
3.44
16
SUSP_AMSI_ByPass_Strings
3.53
17
SUSP_JS_StartupFolder_Ref
3.95
19
MAL_MacroDropper_Jan18_1
4.05
21
SUSP_Obfuscated_JAR_Allatori
4.43
14
MAL_RemCom_Backdoor_RemoteAccess
4.92
13
SUSP_VBA_Macro_WScript_KernelDLL_May19_1
5.23
13
SUSP_RevShell_CmdLine_Code
5.38
13
SUSP_Base64_Encoded_Hex_Encoded_Code
5.49
150
SUSP_PHP_Obfuscation_GZ_Base64
7.15
13
SUSP_Caret_Obfuscation_2019_01_11
7.25
16
SUSP_Encoded_PS_DownloadString
7.45
38
SUSP_Base64_Encoded_PS_Keyword
7.55
11
Webshell_GIF_Cloaked_PHP_Webshell
7.82
11
HKTL_Koadic_XLS_Template
7.89
57

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
MAL_MS_Doc_Embedded_OLE_PE
13
b330fffa308df1988f2020af063eccff6196d47d0f8f2a44575acfd4fd5f4112
>
SUSP_Hex_Encoded_Scriptlet_Strings
13
b330fffa308df1988f2020af063eccff6196d47d0f8f2a44575acfd4fd5f4112
>
SUSP_JS_Run_Chr_Code
2
ca7b92f118b96e2b9f9464e2fc0469047e1bfb2e3c5ca345382b6f9796538fe7
>
SUSP_JS_ChrW_Obfuscation
2
ca7b92f118b96e2b9f9464e2fc0469047e1bfb2e3c5ca345382b6f9796538fe7
>
SUSP_AutoIt_Malware_Indicator_1
7
55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
>
SUSP_AutoIt_CompScript_NET_Combo
7
55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
>
MAL_AutoIt_Malware_Indicator_1
7
55043670ee0c7d5ac7b06c640a8a4668f4d009ebe010d4858a31a4b4777b2dc9
>
MAL_Loaderx86_Feb18_1
8
77d1ad9087f2d59b55b6c6b56dde15407626cd8c10aa0d5cf86e3d0f14882275
>
SUSP_JS_ChrW_Obfuscation
2
7f9ac4f61b0b15d01e26b7cf7c818e49c2ae16adb0f29c5747642e0f2e848bbc
>
SUSP_JS_Run_Chr_Code
2
7f9ac4f61b0b15d01e26b7cf7c818e49c2ae16adb0f29c5747642e0f2e848bbc
>
SUSP_Base64_Encoded_C_Powershell
2
0b1087fb32af4f9eba1450c4173a7247d0137d0f450eae1d999a4d25be621f48
>
SUSP_CryptoObfuscator
13
a29b9d9db4978aa03bacc6da012a97d81d0d7beb1c282e0e28032fc35c189432
>
SUSP_JS_ChrW_Obfuscation
2
b363c08996b9070a01d02b938838bbc224414d96204f3cec3eceab8fd6d87c59
>
SUSP_JS_Run_Chr_Code
2
b363c08996b9070a01d02b938838bbc224414d96204f3cec3eceab8fd6d87c59
>
SUSP_RAR_with_PDF_Script_Obfuscation
6
eb86487b42023200c65589abed2d7e9de38df185cf94c50799232be4ad93a5c4
>
VBS_suspicious
1
7be94a7bc8831620371e379773b9d7fbb2acbd271a00215bdf0c2cb3715d2b9b
>
SUSP_MZ_DefaultStub_in_Encoded_Form
4
7a5b335efa326c2d0b58477966af18e551e47367c277abccc0e756fd06db4b3b
>
SUSP_WScript_Shell_Cut
13
0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46
>
MAL_MS_Doc_Embedded_OLE_PE
13
0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46
>
SUSP_Hex_Encoded_Scriptlet_Strings
13
0c9957047e81d1d6a3b8e85992d3987ac75f7a631fa634874e91621266c9be46
>

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag
Count
FILE
5743
EXE
4128
APT
2427
MAL
2420
DEMO
2420
HKTL
2252
T1100
1799
WEBSHELL
1777
SUSP
1025
CHINA
980
SCRIPT
599
RUSSIA
364
MIDDLE_EAST
324
T1086
312
T1064
307
GEN
301
T1027
266
T1003
261
T1203
224
T1193
224
T1075
190
T1132
142
EXPLOIT
136
OBFUS
136
T1178
134
T1097
134
T1085
134
LINUX
129
METASPLOIT
107
T1050
101
Error: Embedded README could not be displayed.

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html