Valhalla Logo
currently serving 9014 rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
Casing_Anomaly_PsCredential
Detects PSCredential keyword with a suspicious casing
06.09.2019
APT_APT3_Bemstour
Detects APT3 Bemstour malware
06.09.2019
>
APT_MuddyWater_Dropped_VBS_Sep19_1
Detects obfuscated VBS dropped by MuddyWater Doc
06.09.2019
>
APT_MuddyWater_MalDoc_FW_Sep19_1
Detects lure doc framwork used by MuddyWater
06.09.2019
>
SUSP_JS_Obfuscation_Sep19_1
Detects a special JavaScript obfuscation
05.09.2019
MAL_Cerbu_Sep19_1
Detects Cerbu malware
05.09.2019
APT_MAL_Bitter_Malware_Sep19_1
Detects APT Bitter malware
05.09.2019
>
APT_Bitter_SFX_Sep19_1
Detects APT Bitter dropper SFX
05.09.2019
>
SUSP_VBA_AutoOpen_AppData_Combo
Detects suspicious combo of keywords in VBA file
04.09.2019
SUSP_Dropper_Keywords_ActiveX_Sep19
Detects keywords found in malicious droppers
04.09.2019
>
HKTL_PrivEsc_Mongoose_Sep4
Detects mongoose agent for linux and windows
04.09.2019
>
HKTL_SharPersist
Detects Hacktool SharpPersist
04.09.2019
>
HKTL_SharPersist_KeePass_Backdoor
Detects Hacktool SharpPersist Keepass Implant
04.09.2019
>
HKTL_QuarksPwDump_Keywords
Detects QuarksPwDump strings
04.09.2019
>
MAL_AgentTesla_PE_Sep4_
Detects Agent a Tesla Binary
04.09.2019
>
SUSP_Encoded_UserInitMprLogonScript
Detects encoded keyword - UserInitMprLogonScript
04.09.2019
SUSP_Nishang_Script_Keyword
Detects code used in Nishang PowerShell framework
03.09.2019
>
SUSP_Embedded_Decoy_Doc_Sep19
Detects embedded decoy documents
03.09.2019
>
SUSP_Scriptlet_Keyword_Combo_Sep19
Detects a suspicious scriptlet with different well-known keywords
03.09.2019
>
SUSP_JS_Window_MoveTo_NegativeValue
Detects a JavaScript that moves the window out of sight
03.09.2019
>
SUSP_HTML_sojson_encoded_Sep19
HTML File that is encoded by sojson and probably hidden
03.09.2019
>
HKTL_PS1_MSF_CheckVM
Detects a malicious PS1 script that evaluates the presence of virtual machine tools on the system
03.09.2019
>
MAL_Unknown_Sept19_1
Detects unknown malware samples
03.09.2019
MAL_TW_VBS_Sep19_1
Detects a malicious VBS script
03.09.2019
MAL_TinyNuke_NukeBot_Malware_Strings
Detects strings found in TinyNuke NukeBot malware
03.09.2019
>
MAL_BlackMoon_Sep19
Binary classified as BlackMoon variant downloaded by CHM loader
03.09.2019
>
MAL_CHM_LoaderComponent_Sep19
Loader via Compiled HTML and abuse of Windows Help function
03.09.2019
>
MAL_REG_LoaderComponent_Sep19
Adding Perflog.exe located in Recycle bin to registry
03.09.2019
>
MAL_NoobyProtect_Sep19
Binary classified as NoobyProtect trojan variant downloaded by CHM loader
03.09.2019
>
APT_NK_Kimsuky_VBS_Sep19_1
Detects malicious HTA used by Kimsuky group
03.09.2019
SUSP_Encoded_RegistryKey
Detects encoded registry key
03.09.2019
SUSP_JS_Keywords_Combo_Sep19_1
Detects suspicious combination of keywords used in malicious JavaScript codes
02.09.2019
SUSP_DLL_Dropper_Keyword
Detects DLL Dropper with generic rule
02.09.2019
MAL_Gh0stcringe_RAT_Sep19
Detects a variant of the Gh0stCringe RAT
02.09.2019
>
MAL_RAT_MALSPAM_PE_Sep19
Detects malicious RAT PE which was sent via Spammail
02.09.2019
>
APT_NK_Kimsuky_Sep19_1
Detects malware used by Kimsuky threat group
02.09.2019
>
APT_NK_Kimsuky_Sep19_2
Detects malware used by Kimsuky threat group
02.09.2019
>
APT_NK_Kimsuky_Sep19_3
Detects malware used by Kimsuky threat group
02.09.2019
>
APT_NK_VBS_Unknown_Sep19_1
Detects malicious VBScript used by NK actor
02.09.2019
>
SUSP_Encoded_DownloadData
Detects encoded keyword - DownloadData
02.09.2019

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
SUSP_CompileAfterDelivery_T1500
0.33
18
SUSP_PS_Base64_CWB_String
0.38
16
SUSP_Base64_Encoded_ELF_Binary
0.73
11
SUSP_LNX_Base64_Decode_CommandLine
1.73
37
SUSP_SwearWord_in_Code
2.39
83
HKTL_SilentTrinity_PS1_Posh_Stager
2.73
15
SUSP_Obfuscated_JAR_Allatori
2.92
13
SUSP_RevShell_CmdLine_Code
3.05
19
SUSP_AMSI_ByPass_Strings
3.44
16
Webshell_ASP_Tiny
4.0
12
SUSP_Keyword_HideDLL
4.93
15
SUSP_Encoded_IEX_2
5.35
429
SUSP_Embedded_Decoy_Doc_Sep19
5.44
77
SUSP_Nishang_Script_Keyword
5.54
70
PUA_APT_Chafer_xCmdSvc_Jan19_1
6.73
22
SUSP_PHP_Obfuscation_GZ_Base64
8.42
12
SUSP_WinScriptHost_MyScript_Combo
8.55
11
SUSP_Microsoft_Typo
8.75
12
MAL_macOS_PY_Agent_Jul19_1
8.99
89
SUSP_Base64_Certutil
9.16
383
SUSP_JS_Window_MoveTo_NegativeValue
9.25
24
SUSP_Netsh_PortProxy_Command
9.62
86
SUSP_PS2EXE_PowerShell2Exe_2
9.75
68
SUSP_PS1_Obfuscated_Payload_Feb19_1
10.14
29
SUSP_CryptoObfuscator
10.22
54
SUSP_OfficeDoc_DropperStrings_Dec18_1
10.4
30
SUSP_Base64_Encoded_E_IEX
10.46
130
SUSP_RAR_with_PDF_Script_Obfuscation
10.86
66
SUSP_JS_ChrW_Obfuscation
10.89
108
SUSP_JS_StartupFolder_Ref
11.0
20

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
PEFILE_Header_but_no_DOS_Header
11
0a97fe182728dbefdea1fa9c8d7f658b5b42c4de97fc335e25420fc289d3b267
>
SUSP_OfficeDoc_Kernel32_Imports
4
84bd2a494ef6c11fb506cad68fd2e632cc4015bf20e88109d262d2722cff774a
>
SUSP_OfficeDoc_Kernel32_Imports
4
70e24b11d5d96b24b42b06cc9294c35e3dd69abe7281113fee1cb865aa2c5803
>
SUSP_Base64_Encoded_E_IEX
11
11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
>
SUSP_Netsh_PortProxy_Command
11
11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
>
SUSP_Encoded_PS1_Command
11
11894591390ae03d04da5646ae926eb2f42d19a328b7e7d720858a6110bdfdbd
>
SUSP_Base64_Encoded_E_IEX
10
4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
>
SUSP_Netsh_PortProxy_Command
10
4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
>
SUSP_Encoded_PS1_Command
10
4ab09265dca34a40baa08dc29c4ed3e60d5b1583eaceb894af5002d44b92b896
>
SUSP_AutoIt_Indicators_Feb19_4
9
b668f39946a3caddea299e84d1ad9c5d8a89de3f4af7adb3112e4af93c1de6bf
>
SUSP_OfficeDoc_Kernel32_Imports
4
0d50bf1d2d70fb8b683f3b883e69bdc668e5a6dee19cee529b95caf3e9ef58ac
>
SUSP_AutoIt_Indicators_Feb19_4
9
b6145287c251167e6917349fd2db811b8899071018ea3c4e7b4208d4f922c409
>
SUSP_AutoIt_Indicators_Feb19_4
11
9e2a43cc3b2133aa35a1e84ea88f48587078522415778e6b7c00b49ef1f1a266
>
SUSP_AutoIt_Indicators_Feb19_4
9
4abea67d3205f1c58f9669abb1e210f40719ed9cddc7278db628326c886b4a5b
>
SUSP_OfficeDoc_Kernel32_Imports
4
82f198d87a5b00033276047a79185e02be844e13d385b4d28d5625e9912babb9
>
SUSP_AutoIt_Indicators_Feb19_4
10
d57f53c09ac833f9df2b5a96c0fd9475579e08d08d9fa4f72653ed554e81ca37
>
SUSP_AutoIt_Indicators_Feb19_4
11
ff5e1424b7c8acd7a805c7d837ef15be68b1af72106456b46d4208b8c71ac60c
>
SUSP_AutoIt_Indicators_Feb19_4
9
e33bf186a92a9e7ea67cce993f58e7a724328d403a39b86a2efc588e867f4a9a
>
SUSP_VMProtect_File
6
dc20c6f8ff7a475e8bbdcd70604572d5afdaf1410ce8e99db0e9717149173eae
>
MO_Unknown_Malware_Laz
11
a88160185c2e0147d4aa4387aa648f93dab1a99ea9d34a2054404bbc9a6ad58d
>

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag
Count
FILE
5961
EXE
4288
MAL
2536
APT
2521
DEMO
2429
HKTL
2307
T1100
1800
WEBSHELL
1778
SUSP
1108
CHINA
992
SCRIPT
621
RUSSIA
382
MIDDLE_EAST
331
T1086
326
T1064
308
GEN
301
T1027
288
T1003
265
T1203
236
T1193
236
T1075
190
T1132
150
OBFUS
141
EXPLOIT
140
T1085
138
LINUX
135
T1178
134
T1097
134
METASPLOIT
107
T1050
105

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html