Valhalla

currently serving 8909 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set.

| Rule | Description | Date |
| --- | --- | --- |
| APT_NK_APT38_ElectricFish_Aug19_1 | Detects the ElectricFish tool used by a North Korean threat group | 17.08.2019 |
| APT_MAL_POWERTON_Aug19_1 | Detects a POWERTON sample | 17.08.2019 |
| MAL_LNK_Astaroth_Aug19 | Detects malicious LNK files used by Astaroth | 16.08.2019 |
| MAL_Apfell_Payload_Viper | Detects a viper payload generated with apfell | 16.08.2019 |
| MAL_Apfell_Payload_ApfellJXA | Detects apfell-jxa, a payload generated with apfell | 16.08.2019 |
| MAL_Apfell_Payload_linfell | Detects linfell, a payload generated with apfell | 16.08.2019 |
| SUSP_SFX_Start_AppData_Loc | Detects suspicious SFX files that start executables from the AppData folder | 15.08.2019 |
| SUSP_REG_Add_To_Run_Key | Detects a suspicious command that adds an element to the Run key in the Registry | 15.08.2019 |
| MAL_BalkanDoor_BAT_Aug19_3 | Detects a BAT file used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_BAT_Aug19_2 | Detects a BAT file used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_Malware_Aug19_4 | Detects malware used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_SFX_Weather_Aug19 | Detects an SFX file used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_Aux_Injector_Aug19 | Detects an injector tool used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_Aux_RemoteAdmin_Aug19 | Detects a RemoteAdmin tool used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_BAT_Aug19 | Detects a BAT file used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_Malware_Aug19_3 | Detects BalkanDoor malware | 15.08.2019 |
| MAL_BalkanDoor_Malware_Aug19_2 | Detects malware used in the BalkanDoor campaign | 15.08.2019 |
| MAL_BalkanDoor_Libject_Aug19 | Detects the Libinject tool used in BalkanRAT attacks | 15.08.2019 |
| APT_OceanLotus_Loader_Aug19_1 | Detects OceanLotus steganography loader no. 1 | 14.08.2019 |
| APT_APT28_XAgent_Implant_Aug19_1 | Detects the XAgent implant used by APT28 | 14.08.2019 |
| APT_Poseidon_Mizzmo_Malware_Aug19_1 | Detects malware used by the Poseidon group | 14.08.2019 |
| SUSP_PS1_Obfuscation_Aug19_1 | Detects a method used to obfuscate PowerShell payloads | 13.08.2019 |
| SUSP_Encoded_PS1_Command | Detects suspicious encoded payloads passed to PowerShell via -e, -enc or -encoded | 13.08.2019 |
| APT_Muddywater_PS1_Aug19_1 | Detects MuddyWater PowerShell samples | 13.08.2019 |
| APT_MAL_Patchwork_IndiaConflict_Aug19_1 | Detects malware dropped by a weaponized Patchwork XLSM noticed in August 2019 | 13.08.2019 |
| MAL_RANSOM_DelShad_Aug19 | Detects DelShad ransomware | 13.08.2019 |
| MAL_Ransom_TA505_Aug19_1 | Detects a ransomware dropper noticed in a TA505 attack in August 2019 | 13.08.2019 |
| PUA_HKTL_CTFTool | Detects CTFTool, an interactive CTF exploration tool that can also be used for exploitation | 13.08.2019 |
| SUSP_OBFUSC_JS_Aug19_1 | Detects suspicious JavaScript obfuscation noticed in August 2019 | 12.08.2019 |
| SUSP_OBFUSC_DecimalEncoded_MZ_Header | Detects a suspicious decimal-encoded MZ header of a PE file | 12.08.2019 |
| SUSP_RTF_HexEncodedLibImports_Aug19 | Detects suspicious hex-encoded import functions in an RTF document | 12.08.2019 |
| SUSP_KnownDLL_Injection | Detects suspicious hex-encoded import functions in an RTF document | 12.08.2019 |
| APT_Lazarus_Loader_Aug19_1 | Detects a Lazarus group loader | 12.08.2019 |
| APT_Lazarus_Keylogger_Aug19_1 | Detects a Lazarus group keylogger | 12.08.2019 |
| APT_Sidewinder_Loader_Aug19_1 | Detects a loader used by the Sidewinder group in August 2019 | 12.08.2019 |
| APT_Sidewinder_JS_Dropper_Aug19_1 | Detects JS droppers used by the Sidewinder group in August 2019 | 12.08.2019 |
| APT_Sidewinder_RTF_Dropper_Aug19_1 | Detects RTF droppers used by the Sidewinder group in August 2019 | 12.08.2019 |
| APT_CloudAtlas_PowerShower_PS1_Aug19_1 | Detects PowerShower malware used by the Cloud Atlas threat group | 12.08.2019 |
| MAL_JS_Unknown_Aug19_1 | Detects unknown JavaScript malware with similarity to VBShower | 12.08.2019 |
| HKTL_MerlinAgent | Detects the Merlin agent | 12.08.2019 |

Successful YARA Rules in Set

This table shows the best-performing rules, those with the lowest average AV detection rates on their matches (rules created in the last 12 months, matches from the last 14 days).

| Rule | Average AV Detection Rate | Sample Count |
| --- | --- | --- |
| SUSP_Scheduled_Task_AppData_Folder | 0.0 | 11 |
| Casing_Anomaly_ExecuteRequest | 0.0 | 59 |
| HKTL_ladpdomaindump_bloodhound | 0.17 | 12 |
| SUSP_Base64_Encoded_ELF_Binary | 0.63 | 40 |
| SUSP_Office_Dropper_Strings | 1.09 | 54 |
| HKTL_SilentTrinity_PS1_Posh_Stager | 1.45 | 11 |
| APT_WebShell_Tiny_1 | 1.56 | 18 |
| SUSP_PS_Base64_CWB_String | 1.6 | 15 |
| MAL_NET_MeterPreter_Payload_1 | 1.77 | 43 |
| SUSP_JS_ChrW_Obfuscation | 2.07 | 1064 |
| SUSP_JS_Run_Chr_Code | 2.12 | 743 |
| SUSP_Netsh_PortProxy_Command | 2.14 | 281 |
| SUSP_Obfuscated_JAR_Allatori | 2.26 | 19 |
| SUSP_LNX_Base64_Decode_CommandLine | 2.33 | 54 |
| SUSP_VBA_Macro_WScript_KernelDLL_May19_1 | 2.85 | 13 |
| MAL_APT_Gamaredon_BAT_Apr19_1 | 3.33 | 12 |
| Casing_Anomaly_WindowResizeTo | 3.71 | 14 |
| SUSP_AMSI_ByPass_Strings | 3.82 | 11 |
| SUSP_Encoded_IEX_2 | 3.94 | 272 |
| Casing_Anomaly_Windowstyle | 4.09 | 55 |
| SUSP_RevShell_CmdLine_Code | 4.19 | 32 |
| SUSP_Encoded_NewObject_NetWebclient | 4.49 | 314 |
| PUA_APT_Chafer_xCmdSvc_Jan19_1 | 6.17 | 12 |
| SUSP_ShellCode_Keyword_in_DOC_or_EXE | 6.6 | 25 |
| SUSP_Base64_Encoded_PS_Keyword | 7.27 | 11 |
| SUSP_EXE2MSI_Indicators_Jul19_1 | 7.64 | 89 |
| SUSP_JS_StartupFolder_Ref | 8.07 | 27 |
| SUSP_Base64_Encoded_E_IEX | 8.21 | 111 |
| HKTL_Rubeus_Keywords | 8.46 | 13 |
| Casing_Anomaly_NewObject | 9.05 | 19 |

Latest Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched).

| Rule | AVs | Hash (SHA-256) |
| --- | --- | --- |
| MAL_MetaSploit_Android_Stage_Jul19 | 10 | bb46e8ff332a267615263206cac95b5c76d27b05977e289c90732527ed5706da |
| SUSP_ELF_LNX_UPX_Compressed_File | 11 | 6a0f34a5cda9f78f0e64c55b3cc63e58391aafea761bcc55fc9a6f1f71f59e51 |
| SUSP_ConfuserEx_Obfuscated_Gen | 14 | 6c6bd642fd91e8dea19e5d385070eb8148714a40f82d78f9c26dbc0897fc10bb |
| Embedded_PE_File | 1 | 1799547ba5fc42ffa90acf9b7c9b4e42970d14c843cdefa44152e8b3eb5dae56 |
| PEFILE_Header_but_no_DOS_Header | 1 | 1799547ba5fc42ffa90acf9b7c9b4e42970d14c843cdefa44152e8b3eb5dae56 |
| Generic_Strings_Hacktools | 2 | 0db49ae7138918a669a36f9b8f7dbfca1c7c58457738d8267de4ce028839708c |
| SUSP_Encoded_GetCurrentThreadId | 11 | 1accaf0d57af8fd5a50cf8a1500c62f561197af9778f667f62ef19f26b0f8d91 |
| Hacktool_Client | 1 | 88574234f9930ab359bacd6349b7f8b543dc2c6987d0bd8178716c0fe277e7fe |
| MAL_CN_Threat_Jan19_2 | 10 | b943b5eeba1e15a50be6553a2832983aab387814b8b40003e058f901f8a8971c |
| SUSP_AutoIt_Indicators_Feb19_4 | 10 | b943b5eeba1e15a50be6553a2832983aab387814b8b40003e058f901f8a8971c |
| Webshell_Add_Exfiltration_Do_Exfiltration_Powerpreter_65 | 3 | c709fd8d80eef1c9a5327b5ca7def85d07edf38dfb80d44223ddca18ce4ad59c |
| PS_Add_Exfiltration_DNS | 3 | c709fd8d80eef1c9a5327b5ca7def85d07edf38dfb80d44223ddca18ce4ad59c |
| APT_MAL_EmissaryPanda_thinhostprobedll_May19_1 | 6 | 9000ce3c0e01b6c80edb3af87aad8117513ce334135aa7d7b1c2afa067f4c4ab |
| Susp_PowerShell_Sep17_5 | 5 | 218fce13980df7c624b507f08b540ca319e6e688d8b1f49fd8e8e30043fed44d |
| Hacktool_Client | 1 | 187b6365e3987baf779a58848dbe9fa46effd2f2de71baadeeaf6f6688c81308 |
| Hacktool_Client | 1 | 4ab0495923a0cf4867b9f38b493323a8ce5094a2306cfd17151efcb9bd15c3e2 |
| Hacktool_Client | 1 | 97959ec9d586ff109180e437b9474657db318bb5c5f5ae5b4648e46645fddcea |
| Hacktool_Client | 1 | b8d0f94ff34444513f8b8ca1691113f29841646582585794c2dadd563720c7a5 |
| Hacktool_Client | 1 | 46610491f60f7bff034d2384eb9f8b0a164b08c248f338addcef88ca0259b395 |
| SUSP_SFX_RAR_RunProgram_CMD | 10 | b9106be89838bea05674832e63e7402f8d38c6559286114bc93e5a89eba2dd9a |

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories.

| Tag | Count |
| --- | --- |
| FILE | 5904 |
| EXE | 4243 |
| MAL | 2500 |
| APT | 2493 |
| DEMO | 2431 |
| HKTL | 2295 |
| T1100 | 1800 |
| WEBSHELL | 1778 |
| SUSP | 1068 |
| CHINA | 990 |
| SCRIPT | 607 |
| RUSSIA | 380 |
| MIDDLE_EAST | 326 |
| T1086 | 319 |
| T1064 | 307 |
| GEN | 301 |
| T1027 | 275 |
| T1003 | 262 |
| T1203 | 234 |
| T1193 | 234 |
| T1075 | 190 |
| T1132 | 146 |
| EXPLOIT | 139 |
| OBFUS | 139 |
| T1085 | 135 |
| T1178 | 134 |
| T1097 | 134 |
| LINUX | 134 |
| METASPLOIT | 107 |
| T1050 | 104 |

Tenable Nessus

Requirement: privileged (credentialed) scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html