Notes on VirusTotal Matches
The anomaly category contains the most extraordinary set of rules for anomaly, obfuscation and suspicious indicator detection. (Schemes: *_Anomaly, SUSP_*)
The rules are often highly generic and able to detect yet unknown threats. It contains rules for casing anomalies, many rules for differently encoded keywords, rare executable packers, PE header data anomalies and other obfuscation techniques.
The ‘Score’ is a sub score used in THOR to calculate a total score based on all YARA rule matches and other IOC matches (e.g. filename IOC match)
The score ranges between 40 and 100, while 40 is used for very generic and low certainty threat hunting rules and 100 for the highest certainty.
‘Internal Research’ means that we have created the rule based on generic characteristics or do not want to share the reference.
An empty ‘Reference’ or ‘Description’ field means that the reference table for that rules has not been uploaded yet or our internal rule name diverged from the rule name on VirusTotal.
It is a common error that appears in most cases only for a certain amount of time in which the meta data has not yet been synced between our databases. (could be days)
A rule named e.g. ‘IronTiger_Sample1_Apr17_1’ was created from a sample of an ‘Iron Tiger’ report processed in April 2017.
A match shouldn’t be regarded as clear indicator for ‘Iron Tiger’ activity as it may cover a tool or malware that is used by other groups as well.
Special Keywords used in rule names
- “Generic” indicates a rule for a generic string or byte code sequence
- “”SUSP_” means that it a rule for a an indicator that is not a hard match and should be treated as “suspicious”
- “APT_” indicates that a rule has been created for a sample in a report for a certain threat group.
- “MAL_” stands for malware
- “HKTL_” stands for hack tools
- “Imphash_” for a rule that looks for known malicious PE import hashes
- “_Combo” means that a combination of keywords triggered the rule