Valhalla
currently serving 10812 rules

[Chart: New YARA Rules per Day]

Newest YARA Rules

This table shows the newest additions to the rule set.

| Rule | Description | Date |
|---|---|---|
| SUSP_Encoded_Casing_Modified_CMD | Detects encoded cmd.exe strings with uncommon casing | 02.07.2020 |
| SUSP_GIF_Anomalies | Detects files with GIF headers and format anomalies, which means the image could be an obfuscated file of a different type | 02.07.2020 |
| HKTL_PowerKatz_Jul20_1 | Detects PowerKatz samples | 02.07.2020 |
| APT_MAL_RU_Zekapab_Malware_Jul20_1 | Detects Zekapab samples related to APT28 | 02.07.2020 |
| APT_MAL_Unknown_Agent_AUS_Campaign_Jul20_1 | Detects samples allegedly related to the AUS parliament hack | 02.07.2020 |
| APT_MAL_PowerKatz_AUS_Campaign_Jul20_1 | Detects samples allegedly related to the AUS parliament hack | 02.07.2020 |
| WEBSHELL_PerlKit_Jul20_1 | Detects the PerlKit webshell | 01.07.2020 |
| SUSP_AMSI_OBFUSC_ByPass_Jul20_1 | Detects indicators of obfuscated AMSI bypass methods | 01.07.2020 |
| SUSP_AMSI_ByPass_Jul20_1 | Detects indicators of AMSI bypass methods | 01.07.2020 |
| SUSP_OBFUSC_PowerShell_Jul20_1 | Detects indicators of obfuscation used in malicious PowerShell scripts | 01.07.2020 |
| APT_MAL_Shellcode_Indicator_Jul20_1 | Detects malware mentioned in a ZScaler report | 01.07.2020 |
| HKTL_PY_DNSteal_Jun20_1 | Detects the Python hack tool named DNSteal | 30.06.2020 |
| MAL_GoldenSpy_Jun20_1 | Detects GoldenSpy malware | 30.06.2020 |
| MAL_Unknown_GS_Jun20_1 | Detects malware similar to GoldenSpy malware | 30.06.2020 |
| SUSP_Explorer_Root_Defense_Evasion_Jun20_1 | Detects an explorer.exe command line method sometimes used to evade detection by breaking the typical process tree | 29.06.2020 |
| SUSP_Packer_Indicator_Jun20_1 | Detects a suspicious packer indicator noticed in June 2020 | 29.06.2020 |
| SUSP_MAL_Packer_Jun20_1 | Detects byte chains only found in malware samples | 29.06.2020 |
| SUSP_MAL_Imphash_Jun20_1 | Detects files with an imphash found in malicious samples | 29.06.2020 |
| HKTL_MSHTA_VBS_Downloader_Jun20_1 | Detects a hacktool that uses MSHTA and VBS to download files | 29.06.2020 |
| HKTL_Shellcode_Encoded_Jun20_1 | Detects shellcode in encoded form, often used in hacktools | 29.06.2020 |
| HKTL_Shellcode_Jun20_1 | Detects shellcode, often used in hacktools | 29.06.2020 |
| HKTL_Winapiexec | Detects the hacktool WinApiExec (dual-use tool) | 29.06.2020 |
| APT_MAL_RU_TurlaCarbon_Dropper_Jun20_1 | Detects the Turla Carbon dropper | 29.06.2020 |
| APT_MAL_AcidBox_Indicators_Jun20_1 | Detects malware found in the AcidBox cluster | 29.06.2020 |
| APT_MAL_BAT_InvisiMole_Artifacts_Jun20_4 | Detects a batch helper file mentioned in the InvisiMole report | 29.06.2020 |
| APT_MAL_InvisiMole_Blob_Jun20_1 | Detects an encoded blob mentioned in the InvisiMole report | 29.06.2020 |
| APT_CN_BRONZE_VINEWOOD_Artefacts_Jun20_1 | Detects WinApiExec artifacts mentioned in the InvisiMole report (page 16) | 29.06.2020 |
| APT_MAL_CN_BRONZE_VINEWOOD_Malware_Jun20_1 | Detects BRONZE VINEWOOD malware | 29.06.2020 |
| APT_MAL_CN_BRONZE_VINEWOOD_PS1_Malware_Jun20_1 | Detects a BRONZE VINEWOOD PowerShell script | 29.06.2020 |
| APT_MAL_CN_BRONZE_VINEWOOD_HanaLoader_Malware_Jun20_1 | Detects BRONZE VINEWOOD Hana Loader malware | 29.06.2020 |
| APT_MAL_CN_BRONZE_VINEWOOD_DropboxAES_RAT_Jun20_1 | Detects BRONZE VINEWOOD DropboxAES RAT malware | 29.06.2020 |
| APT_CN_BRONZE_VINEWOOD_DropboxAES_RAT_BAT_Helper_Jun20_1 | Detects a BRONZE VINEWOOD DropboxAES helper file | 29.06.2020 |
| SetItem_Keyword_Casing_Anomaly | Detects obfuscated Set-Item by casing anomalies | 27.06.2020 |
| SetVariable_Keyword_Casing_Anomaly | Detects obfuscated Set-Variable by casing anomalies | 27.06.2020 |
| GetChildItem_Keyword_Casing_Anomaly | Detects obfuscated GetChildItem by casing anomalies | 27.06.2020 |
| GetBytes_Keyword_Casing_Anomaly | Detects obfuscated GetBytes by casing anomalies | 27.06.2020 |
| PS1_Char_Keyword_Casing_Anomaly | Detects obfuscated Char by casing anomalies | 27.06.2020 |
| SUSP_OBFUSC_PowerShell_Indicator_Jun20_1 | Detects indicators often found in obfuscated PowerShell scripts | 27.06.2020 |
| SUSP_OBFUSC_PowerShell_True_Jun20_1 | Detects indicators often found in obfuscated PowerShell scripts | 27.06.2020 |
| SUSP_OBFUSC_PS1_Bypass_Jun20_1 | Detects PowerShell scripts that show signs of obfuscation | 27.06.2020 |

Successful YARA Rules in Set

This table shows the best-performing rules, i.e. those with the lowest average AV detection rates on the samples they matched (rules created in the last 12 months, matches of the last 14 days).

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| SUSP_Certutil_Copy | 0.0 | 24 |
| SUSP_Shellcode_Keyword_Mar20 | 0.85 | 13 |
| SUSP_LNX_Base64_Decode_CommandLine | 0.97 | 62 |
| EXPL_Office_TemplateInjection | 1.91 | 23 |
| MAL_CobaltGroup_Malware_Aug19_1 | 2.25 | 24 |
| SUSP_LNK_Rundll32_AppData_Ref_Apr20_3 | 2.64 | 11 |
| SUSP_Script_PS1_Deflate_Base64Decode_Jun20_1 | 2.79 | 14 |
| SUSP_OBFUSC_PS1_Bypass_Jun20_1 | 3.5 | 28 |
| SUSP_OBFUSC_FudBypass_Jun20_1 | 3.89 | 19 |
| SUSP_Schtasks_Combo_Jan20_1 | 3.92 | 12 |
| SUSP_PS1_Base64Decode_Regsvr32_Combo | 4.71 | 52 |
| SUSP_Hex_Encoded_Executable_with_Padding | 4.8 | 20 |
| SUSP_LNX_PY_Binary | 4.82 | 11 |
| SUSP_Embedded_Decoy_Doc_Sep19 | 4.88 | 128 |
| MAL_PS1_Unknown_Apr20_1 | 5.0 | 32 |
| SUSP_PowerShell_Command_SQB | 5.49 | 41 |
| SUSP_Encrypted_Excel_With_Macros | 6.12 | 300 |
| SUSP_OBFUSC_Kernel32_Split | 6.27 | 11 |
| SUSP_Encoded_Convert_ToInt16 | 6.42 | 33 |
| SUSP_Beacon_Indicator_Jun20_1 | 6.58 | 60 |
| SUSP_PostExploitation_Cmds_Aug19_1 | 6.67 | 15 |
| SUSP_JS_WindowChange_Dec19 | 7.52 | 2982 |
| SUSP_OBFUSC_PS1_Bypass_Jun20_2 | 7.79 | 39 |
| MAL_PY2EXE_Downloader_May20_1 | 7.87 | 52 |
| SUSP_MZ_PE_Header_Anomaly | 8.39 | 18 |
| HKTL_NET_DLL_Loader_Subtee_Aug19_1 | 8.89 | 47 |
| SUSP_Encoded_Set_Alias | 9.2 | 251 |
| SUSP_JS_Window_MoveTo_NegativeValue | 9.43 | 44 |
| MAL_macOS_PY_Agent_Jul19_1 | 9.44 | 34 |
| HKTL_BeefXSSFramework_Dec19 | 9.92 | 24 |

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines matched); the AVs column is the number of engines that flagged the sample.

| Rule | AVs | Hash (SHA256) |
|---|---|---|
| SUSP_XORed_URL_in_EXE | 1 | 21a84b93932ac435547ccff976cff7df15df01c22ac814ebdb92089542aa6277 |
| SUSP_Administrator_Desktop_Reference | 11 | 1db03bb904f87ee598b8f59dea39f9f6d94b2d8eb8a30a2fefd202958cb1515e |
| SUSP_Administrator_Desktop_Reference | 12 | c8cef19967cb820d5e92f85a17ebf98f631de62c9760b1eb1a790cb25961e356 |
| SUSP_XORed_URL_in_EXE | 1 | 5c33257c694a6a27614b2586b291122994ee134f41806f45bbffad18caf75989 |
| SUSP_AutoIt_Indicators_Feb19_4 | 7 | c4fbe84aa22c74cb4c92d0f04965c0775e937e987cfd2809aac7f0dc485b590a |
| HKTL_Veil_PS1_Nov19_1 | 11 | 5f6a4d762214b4dc1305901a7b918d90d8705cb3e3a7ccaaa0a464e728cc154e |
| SUSP_Administrator_Desktop_Reference | 6 | 2485826ad6e01c5ae26b460a9152854b3a6780da46f4abbca35be5b0bd570eb3 |
| SUSP_XORed_MSDOS_Stub_Message | 4 | c02250c6ff65ed0dea7925cce892444df4294cfbc041366d291a3e7ceab6d3e4 |
| SUSP_Administrator_Desktop_Reference | 10 | 553ee875b3fc39e67daff6b7ace6590da149818f31bc7f84bc115858d10ab4f9 |
| HKTL_Veil_PS1_Nov19_1 | 12 | f7336a1deaecec3590faac1d603b9d04f81273f6d048dae09f9071a912436f87 |
| SUSP_XORed_URL_in_EXE | 9 | c4f7f9039cbc77019abc2254fdacc709d4149794f9050ce6bc49c55c82a0db60 |
| HKTL_Veil_PS1_Nov19_1 | 4 | f642fe73359f592d59d5c60eb3e2954db2ff3e26f633a1090052e912f99dd3c6 |
| XMRIG_Monero_Miner | 12 | 79775ef0060c471f5fa562ce4185142703da6f4fa297316c4947ff35f8c305ee |
| SUSP_Administrator_Desktop_Reference | 1 | 3892ed500e6a4308b4f2bafa37ea69233ae249a832bc5a96369d18b6adea5539 |
| PEFILE_Header_but_no_DOS_Header | 1 | 2bef8fab4a998bb3ad7375cd3d17bd71a9d68d46d0f99362923b15f87a940a45 |
| SUSP_JS_WindowChange_Dec19 | 8 | 093df1eb553d03a829503c50adf040accda6e447a9a8549c50f63070a240f1d0 |
| SUSP_JS_WindowChange_Dec19 | 7 | 9c53f46cdaa29a0938fbbbb708c011be99cfe83fbc96989aa02c674416cb32e8 |
| MAL_MetaSploit_Android_Stage_Jul19 | 14 | 938afd1c9b55b67bbeb6efa9657ae18a5e3b970cfe025941a6812e1c9e9b76f4 |
| SUSP_JS_WindowChange_Dec19 | 8 | 64dad8c8e4c8b65a5fd23f797a792dc2ddb2a2dac6fe0a908ce910416c53b585 |
| SUSP_Administrator_Desktop_Reference | 13 | 635411fb8a81c1232977130d52f6643995799475f35d4d3ecf2c0b74c307c876 |

Top Tags in YARA Rule Set

This list shows the tags used most often in our database; these tags define the subscribable categories.

| Tag | Count |
|---|---|
| T1136 | 10116 |
| FILE | 7201 |
| EXE | 5161 |
| APT | 3128 |
| MAL | 3007 |
| HKTL | 2730 |
| DEMO | 2474 |
| T1100 | 1932 |
| WEBSHELL | 1901 |
| SUSP | 1555 |
| CHINA | 1099 |
| SCRIPT | 744 |
| T1086 | 446 |
| RUSSIA | 422 |
| T1027 | 383 |
| MIDDLE_EAST | 372 |
| T1064 | 313 |
| GEN | 313 |
| T1003 | 293 |
| T1193 | 273 |
| T1203 | 273 |
| T1075 | 237 |
| G0044 | 216 |
| OBFUS | 212 |
| T1132 | 195 |
| EXPLOIT | 185 |
| G0007 | 176 |
| LINUX | 175 |
| T1085 | 163 |
| T1097 | 147 |

Tenable Nessus

Requirement: a privileged (credentialed) scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html