currently serving 10250 rules

New YARA Rules per Day (chart; no data in the text version)

Newest YARA Rules

This table shows the newest additions to the rule set. The Ref column on the site links to the source report for each rule and is not reproduced here.

Rule | Description | Date
APT_MAL_ViciousPanda_Chinoxy_Mar20_1 | Detects Vicious Panda malware | 30.03.2020
HKTL_PS_Octopus | Detects PowerShell Octopus Agent | 30.03.2020
SUSP_Shellcode_Keyword_Mar20_3 | Detects files with shellcode indicators | 27.03.2020
SUSP_ShellExec_RunDLL_PowerShell_Combo | Detects suspicious combination of ShellExec_RunDLL with powershell | 27.03.2020
SUSP_Shellcode_Keyword_Mar20_2 | Detects unknown malware with shellcode | 27.03.2020
APT_ME_Milum_Mar20_1 | Detects strings used by Milum malware in-memory | 27.03.2020
SUSP_Encoded_ReflectiveLoader | Detects encoded strings found in reflective loaders | 27.03.2020
SUSP_Encoded_ShellCode | Detects encoded shellcode strings | 27.03.2020
HKTL_Shellter_Payload_Mar20_1 | Detects payload produced by Shellter | 27.03.2020
HKTL_Shellter_Payload_Mar20_2 | Detects Shellter samples | 27.03.2020
HKTL_FRPSocks_Config | Detects configuration files used by the FRP proxy service, often used by attackers | 27.03.2020
MAL_Unknown_PS1_Octopus_Dropper_Mar20_1 | Detects unknown PowerShell Octopus dropper | 27.03.2020
MAL_PS1_Octopus_Mar20_1 | Detects PowerShell Octopus malware | 27.03.2020
MAL_ELF_Shellcode_Injector_Mar20_1 | Detects unknown Linux malware with shellcode | 27.03.2020
MAL_Unknown_ReverseShell_Mar20_1 | Detects unknown reverse shell samples | 27.03.2020
MAL_Unknown_ReverseShell_Mar20_2 | Detects unknown reverse shell samples | 27.03.2020
MAL_Unknown_ReverseShell_Mar20_3 | Detects unknown reverse shell samples | 27.03.2020
MAL_Unknown_ReverseShell_Mar20_4 | Detects unknown reverse shell samples | 27.03.2020
SUSP_ECHO_IEX | Detects Hades maldoc process tree commands | 25.03.2020
SUSP_BAT_Users_Public_Reference | Detects files with strange bat file references pointing to C:/Users/Public | 25.03.2020
APT_RU_Sandworm_Mar20_1 | Detects Hades maldocs | 25.03.2020
APT_APT41_CN_CampNetscaler_Mar20_4 | Detects APT41 helper scripts - file 1.txt | 25.03.2020
APT_APT41_CN_CampNetscaler_Mar20_3 | Detects APT41 service install script | 25.03.2020
APT_APT41_CN_CampNetscaler_Mar20_2 | Detects APT41 VMProtect-packed meterpreter downloader | 25.03.2020
APT_APT41_CN_CampNetscaler_Mar20_1 | Detects strings found in APT41 attacks against Netscaler and Zoho ManageEngine Desktop Central | 25.03.2020
APT_APT41_CN_Mar20_2 | Detects malware used in APT41 campaign | 25.03.2020
APT_APT41_CN_Mar20_1 | Detects malware used in APT41 campaign | 25.03.2020
APT_XHunt_Eye | Detects XHunt tool Eye | 25.03.2020
APT_XHunt_Gon | Detects XHunt tool Gon | 25.03.2020
APT_XHunt_LinkHide | Detects XHunt tool LinkHide | 25.03.2020
APT_XHunt_Hisoka | Detects XHunt tool Hisoka | 25.03.2020
APT_XHunt_Sakabota | Detects XHunt tool Sakabota | 25.03.2020
APT_XHunt_Diezen | Detects XHunt tool Diezen | 25.03.2020
APT_XHunt_Killua_C2_Commands | Detects XHunt tool Killua C2 communication | 25.03.2020
APT_XHunt_Killua | Detects XHunt tool Killua | 25.03.2020
APT_XHunt_Generic_PaloAlto_Note | Detects XHunt tool Netero note | 25.03.2020
MAL_PoshC2_Shellcode_Mar20 | Detects Sharpv4 shellcode generated by PoshC2 | 25.03.2020
MAL_PoshC2_Implant_Mar20 | Detects a dropped file from a PoshC2 implant | 25.03.2020
MAL_Powershell_PowerHub_Downloader_Mar20 | Detects a PowerHub downloader / AMSI disabler | 25.03.2020
SUSP_Base64EncodedActiveX_Mar20 | Detects a Base64 encoded call to ActiveX | 25.03.2020

Successful YARA Rules in Set

This table lists the best-performing rules of the set: those whose matches have the lowest average AV detection rate, i.e. the mean number of AV engines that flagged the matched samples. Only rules created in the last 12 months and matches from the last 14 days are considered. The VT column on the site links to VirusTotal and is not reproduced here.

Rule | Average AV Detection Rate (engines) | Sample Count
SUSP_JS_Obfusc_JSFuck_Jan20_1 | 0.0 | 5787
SUSP_URL_Persistence_JS | 0.0 | 24
MAL_ToTok_Android_APK | 0.21 | 19
HKTL_Meterpreter_InMemory_Rule | 0.23 | 13
SUSP_LNX_Base64_Decode_CommandLine | 0.75 | 24
SUSP_LNX_PY_Binary | 0.88 | 48
SUSP_Hex_Encoded_Executable_with_Padding | 1.4 | 20
SUSP_Shellcode_Keyword_Mar20_3 | 1.44 | 18
SUSP_PS_Function_Combo_1 | 1.47 | 15
SUSP_Shellcode_Keyword_Mar20 | 1.57 | 21
EXPL_CVE_2020_0796_Keywords | 1.7 | 30
EXPL_Office_TemplateInjection | 1.72 | 25
EXPL_CVE_2020_0796_POC_Mar20_1 | 2.0 | 12
MAL_FakeCovid_Mar20_2 | 2.0 | 42
SUSP_Base64_Encoded_Hex_Encoded_Code | 2.09 | 46
APT_MAL_DocDropper_Nov19_1 | 2.64 | 11
SUSP_Embedded_Decoy_Doc_Sep19 | 4.45 | 49
SUSP_Reversed_LOLBAS | 5.0 | 24
SUSP_AMSI_ByPass_Strings | 5.05 | 20
SUSP_JS_WindowChange_Dec19 | 6.08 | 471
WEBSHELL_CloakedAsPic_Feb20 | 6.5 | 32
SUSP_RevShell_CmdLine_Code | 6.53 | 15
SUSP_VBA_FileSystem_Access | 7.5 | 105
HKTL_COMahawk64 | 7.69 | 13
SUSP_Encoded_PS_W_Hidden | 7.71 | 14
SUSP_Schtasks_TaskName_Short | 7.76 | 38
SUSP_PHP_Obfuscation_GZ_Base64 | 7.95 | 19
Webshell_Awen_ASP_NET | 8.59 | 17
HKTL_BeefXSSFramework_Dec19 | 8.94 | 178
SUSP_JS_var_OBFUSC | 8.96 | 51

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with a low AV detection rate (0 to 15 AV engines flagging the sample). The hash is the SHA-256 of the matched sample; the VT column on the site links to VirusTotal and is not reproduced here. The same sample can appear in several rows when more than one rule matches it.

Rule | AVs | SHA-256
MAL_Unknown_Loader_Mar20_1 | 9 | dd423c768564cb43f12e6eead4e2cad6dd2f321c6dfd98c2a59b32fb98d55522
MAL_Unknown_Loader_Mar20_1 | 10 | 0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
MAL_Loaderx86_Feb18_1 | 10 | 0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
SUSP_RAR_with_PDF_Script_Obfuscation | 4 | 11f74d091bbb9b5b95726a2504c3c74ab1f21eeb621bcc1b161469aca4bac896
SUSP_AutoIt_CompScript_NET_Combo | 12 | ad3853a768f78570c1b4572fbaa2b109fd86a5a7f4d426d61f192870a1ed6dca
SUSP_Enigma_Protector | 11 | 0d1fb2b3c439a6683f37e6ea69c932e3ed87630057749efb5957c222ab79cf9e
SUSP_ConfuserEx_Obfuscated_Gen | 8 | 174910c1bebc9d3020741c31c427ea0c09b094fd9efec2d0f37009510170d254
SUSP_Base32Encoded_EXE | 8 | 174910c1bebc9d3020741c31c427ea0c09b094fd9efec2d0f37009510170d254
SUSP_UPX_Autoit_Combo | 9 | 5ca5a640238c0ba36fed413556ac2bef94a9521e2450de512c1260e026ae2888
SUSP_UPX_Autoit_Combo | 9 | b3fb968a187f9b7f5d5367ef6ae129c8fcf97dbec7b7723fd01b8d4a8a504f05
SUSP_Enigma_Protector | 4 | 4a72bd2f1d1328b2ff90a01b9d244d95d528aec20b7298d9e9046cb30e28fd05
SUSP_UPX_Autoit_Combo | 8 | 5cc66276a73d6ed6ff3134d8cfbca7f509f0aecb4eab7b7aa75f25d06279b2b2
SUSP_VBA_Project_Keyword_Feb19_1 | 1 | 87b8082bbbb1664d56e557a792b932b81a12343d267adf6431b887091e7328b6
SUSP_OfficeDoc_Macro_Indicator_Jun19_1 | 11 | fc59f9c5cd53b2feb8e51849ee1e9ed3fda1c3f6cd1eac3a3a9444966a0deaac
SUSP_Enigma_Protector | 5 | 6e97f99dcfdafb248349c6c53cf004d2c0bced947d0951b4885a29b47f5b22db
SUSP_ELF_LNX_UPX_Compressed_File | 13 | 0afff427f746bac33a85b5f0dbce50c6279fe0ba1db40a1031cfd4a70e2834ae
MAL_AutoIt_Malware_Indicator_1 | 11 | d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
SUSP_AutoIt_CompScript_NET_Combo | 11 | d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
SUSP_AutoIt_Malware_Indicator_1 | 11 | d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
SUSP_AutoIt_Indicators_Feb19_4 | 14 | 4abba380138ffc5cfaed2273f8170861a29b21b79ef6a650e190746923eac47e
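The "Successful YARA Rules in Set" table and the "Latest Matches" table are two views of the same data: the first aggregates per rule what the second lists per match. The script below is an added example, not code from the Valhalla page or from Nextron. It takes rows shaped like the "Latest Matches" table (rule name, number of AV engines, SHA-256), de-duplicates samples per rule, computes the average AV detection rate and sample count per rule, ranks rules in the low-detection band for hunting, and reports samples covered by more than one rule. The row format, the thresholds and the sample rows are constructed for the demo; the hashes are copied from the table above but their pairing with AV counts is illustrative.

```python
"""Per-rule hunting statistics from Valhalla-style match rows.

Added example; this is not code from the Valhalla page or from Nextron.
The page's "Successful YARA Rules in Set" table gives each rule an average
AV detection rate and a sample count, and its "Latest Matches" table lists
individual (rule, AV engine count, SHA-256) rows.  This script derives the
first kind of figure from rows shaped like the second and ranks rules for
hunting.  The row format, the thresholds and the sample rows below are
constructed for the demo (hashes are copied from the page, the pairing of
AV counts is illustrative).
"""
from collections import defaultdict
from statistics import mean

# Constructed input: a header line plus rows "RULE AV_COUNT SHA256".
# One row is deliberately repeated to show de-duplication per sample.
SAMPLE_MATCHES = """\
Rule AVs Hash
MAL_Unknown_Loader_Mar20_1 9 dd423c768564cb43f12e6eead4e2cad6dd2f321c6dfd98c2a59b32fb98d55522
MAL_Unknown_Loader_Mar20_1 10 0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
MAL_Loaderx86_Feb18_1 10 0528393036e72e7fb44fa98f77fa04c65b425d873cdf6697db397ce7ce590608
SUSP_Enigma_Protector 11 0d1fb2b3c439a6683f37e6ea69c932e3ed87630057749efb5957c222ab79cf9e
SUSP_Enigma_Protector 4 4a72bd2f1d1328b2ff90a01b9d244d95d528aec20b7298d9e9046cb30e28fd05
SUSP_Enigma_Protector 5 6e97f99dcfdafb248349c6c53cf004d2c0bced947d0951b4885a29b47f5b22db
SUSP_VBA_Project_Keyword_Feb19_1 1 87b8082bbbb1664d56e557a792b932b81a12343d267adf6431b887091e7328b6
MAL_AutoIt_Malware_Indicator_1 11 d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
SUSP_AutoIt_CompScript_NET_Combo 11 d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
SUSP_AutoIt_CompScript_NET_Combo 12 ad3853a768f78570c1b4572fbaa2b109fd86a5a7f4d426d61f192870a1ed6dca
SUSP_AutoIt_CompScript_NET_Combo 11 d0474579f78f0aa0dcf76111c06b4c2315fa1926877ffa792f942ffbfa856bed
"""

HEX = set("0123456789abcdef")


def parse_matches(text):
    """Yield (rule, av_count, sha256) for well-formed rows; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rule, avs, sha = parts
        sha = sha.lower()
        if not avs.isdigit() or len(sha) != 64 or not set(sha) <= HEX:
            continue
        yield rule, int(avs), sha


def rule_stats(matches):
    """Per rule: number of distinct samples and mean AV count over them."""
    per_rule = defaultdict(dict)          # rule -> {sha256: av_count}
    for rule, avs, sha in matches:
        # A sample can be rescanned; keep the highest engine count seen.
        per_rule[rule][sha] = max(avs, per_rule[rule].get(sha, 0))
    return {
        rule: {
            "sample_count": len(samples),
            "avg_av_detection": round(mean(samples.values()), 2),
        }
        for rule, samples in per_rule.items()
    }


def hunting_candidates(stats, max_avg_av=15.0, min_samples=2):
    """Rules whose matches stay in the low-detection band (the page uses
    0 to 15 engines) and have enough samples to trust, stealthiest first."""
    rows = [
        (rule, s) for rule, s in stats.items()
        if s["avg_av_detection"] <= max_avg_av and s["sample_count"] >= min_samples
    ]
    return sorted(rows, key=lambda r: (r[1]["avg_av_detection"], -r[1]["sample_count"]))


def samples_hit_by_multiple_rules(matches):
    """SHA-256 -> sorted rule names, for samples covered by more than one rule."""
    rules_per_sample = defaultdict(set)
    for rule, _, sha in matches:
        rules_per_sample[sha].add(rule)
    return {sha: sorted(r) for sha, r in rules_per_sample.items() if len(r) > 1}


if __name__ == "__main__":
    stats = rule_stats(parse_matches(SAMPLE_MATCHES))
    for rule, s in hunting_candidates(stats):
        print(f"{rule:40} avg AV {s['avg_av_detection']:5.2f}  samples {s['sample_count']}")
    for sha, rules in samples_hit_by_multiple_rules(parse_matches(SAMPLE_MATCHES)).items():
        print(f"{sha[:16]}... matched by {', '.join(rules)}")
```

Two choices matter when reproducing figures like the ones on this page: the sample count is the number of distinct hashes a rule matched, not the number of match rows (a rescanned sample must not count twice), and a low average with a single sample says little, which is why the ranking requires a minimum sample count before a rule is treated as a hunting candidate.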

Top Tags in YARA Rule Set

This list shows the most frequently used tags in the rule database; tags are the basis of the subscribable categories. Tags of the form Txxxx are MITRE ATT&CK technique IDs.

Tag | Count
FILE | 6823
EXE | 4871
APT | 2904
MAL | 2874
HKTL | 2595
DEMO | 2450
T1100 | 1911
WEBSHELL | 1880
SUSP | 1414
CHINA | 1048
SCRIPT | 706
RUSSIA | 413
T1086 | 409
MIDDLE_EAST | 363
T1027 | 345
T1064 | 313
GEN | 313
T1003 | 283
T1193 | 260
T1203 | 260
T1075 | 220
OBFUS | 183
T1132 | 182
EXPLOIT | 172
T1085 | 156
LINUX | 154
T1178 | 140
T1097 | 140
METASPLOIT | 114
T1050 | 113
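Because the categories are tags, a practitioner who pulls the full rule file can carve out the subset a particular product or team needs by tag. The script below is an added example, not code from the Valhalla page or Nextron's tooling. It parses YARA rule headers of the form `rule NAME : TAG1 TAG2 {`, keeps the rules whose tags intersect a wanted set (optionally minus an exclude set), and writes them back out together with any leading `import` lines so the result still compiles. It assumes the feed's rules carry their category tags in the rule header; the rule set embedded in it is constructed for the demo and its bodies are placeholders, not Valhalla content.

```python
"""Select a subset of a YARA rule file by tag.

Added example; not code from the Valhalla page or Nextron's tooling.  YARA
lets a rule header carry tags ("rule NAME : TAG1 TAG2 {"), and the page
lists tags such as APT, MAL, HKTL, WEBSHELL, SUSP, CHINA or T1100 as the
basis for its subscribable categories.  This script keeps only the rules
whose tags intersect a wanted set (optionally minus an exclude set) and
emits them, together with any leading import lines, as a compilable file.
It assumes the feed's rules carry their category tags in the header; the
rule set below is constructed for the demo and its bodies are placeholders.
"""
import re

# Matches a rule header at the start of a line, including the optional
# "private"/"global" modifiers and the optional tag list.
RULE_HEADER = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"[ \t]*(?::[ \t]*(?P<tags>[A-Za-z0-9_ \t]+?))?[ \t]*\{",
    re.MULTILINE,
)

# Constructed demo rule set; not Valhalla rules.
SAMPLE_RULES = '''\
import "pe"

rule HKTL_Demo_Tool_1 : HKTL EXE FILE {
    meta:
        description = "Constructed demo rule, not a Valhalla rule"
    strings:
        $s1 = "{demo-hacktool-marker}" ascii
    condition:
        uint16(0) == 0x5a4d and pe.number_of_sections > 2 and $s1
}

rule APT_Demo_Group_Doc_1 : APT CHINA FILE T1193 {
    meta:
        description = "Constructed demo rule, not a Valhalla rule"
    strings:
        $a = { 64 65 6d 6f }
    condition:
        filesize < 1MB and $a
}

private rule DEMO_Helper_Untagged {
    strings:
        $x = "demo" ascii
    condition:
        $x
}

rule WEBSHELL_Demo_PHP_1 : WEBSHELL SCRIPT {
    strings:
        $p = "<?php eval(" ascii
    condition:
        $p
}
'''


def split_rules(text):
    """Return (preamble, [(name, tag set, rule text)]).

    A rule's text runs from its header to the next header, so braces inside
    strings or hex patterns do not matter.  A comment line that itself
    starts with "rule NAME {" would be mis-split; acceptable for a curated
    feed."""
    headers = list(RULE_HEADER.finditer(text))
    preamble = text[: headers[0].start()] if headers else text
    rules = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        tags = set((m.group("tags") or "").split())
        rules.append((m.group("name"), tags, text[m.start():end].rstrip() + "\n"))
    return preamble, rules


def build_subset(text, wanted, exclude=()):
    """Rule file containing the preamble plus rules tagged with any of
    `wanted` and none of `exclude`.  Untagged rules are never selected."""
    wanted, exclude = set(wanted), set(exclude)
    preamble, rules = split_rules(text)
    chosen = [body for _, tags, body in rules if tags & wanted and not tags & exclude]
    return preamble + "\n".join(chosen)


if __name__ == "__main__":
    print(build_subset(SAMPLE_RULES, wanted={"APT", "WEBSHELL"}))
```

One caveat when splitting a feed this way: a selected rule that references a private helper rule by name will not compile on its own if the helper carries no matching tag, so either tag helpers like the rules that use them or keep private rules unconditionally.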

Tenable Nessus

Requirement: privileged (credentialed) scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html