Notes on VirusTotal Matches

by Apr 4, 2018

Courtesy of VirusTotal, THOR checks uploaded samples against a substantial part of its YARA rule base.

We use the full YARA rule set in our flexible and portable endpoint scanners THOR and SPARK.

You can supercharge your own detection engine with our rule set using VALHALLA.


Subset

Not all of THOR’s signatures are integrated into VirusTotal. We’ve integrated roughly 50% of our signature set.

About 20% of THOR’s rules are available as an open source signature database and ship with the free and open source scanners LOKI and SPARK Core.


Anomaly Rules

The anomaly category contains our most extraordinary set of rules for anomaly, obfuscation and suspicious indicator detection. (Naming schemes: *_Anomaly, SUSP_*)

It is no longer available in VALHALLA but ships with THOR for threat hunting on endpoints or lab stations.

These rules are often highly generic and able to detect yet unknown threats. The category contains rules for casing anomalies, encoded keywords, rare executable packers, PE header data anomalies and other obfuscation techniques.

Score

The ‘Score’ is a sub score that THOR uses to calculate a total score based on all YARA rule matches and other IOC matches (e.g. a filename IOC match).

The score ranges from 40 to 100, where 40 is used for very generic, low certainty threat hunting rules and 100 for rules with the highest certainty.


Internal Research

‘Internal Research’ means that we have created the rule based on generic characteristics or do not want to share the reference.


Empty Fields

An empty ‘Reference’ or ‘Description’ field means that the reference table for that rule has not been uploaded yet, or that our internal rule name diverged from the rule name on VirusTotal.

This is a common error that in most cases persists only for the period in which the metadata has not yet been synced between our databases (this can take days).

Rule Type

The field ‘Rule Type’ states whether the rule can be found in the open source signature base (shown as “community”) or is one of the privately offered rules in our VALHALLA YARA feed service (shown as “VALHALLA rule feed only”).

Attribution

A rule named e.g. ‘IronTiger_Sample1_Apr17_1’ was created from a sample of an ‘Iron Tiger’ report processed in April 2017.

A match shouldn’t be regarded as a clear indicator of ‘Iron Tiger’ activity, as the rule may cover a tool or malware that is used by other groups as well.

Keywords

Special keywords used in rule names:

  1. “Generic” indicates a rule for a generic string or byte code sequence.
  2. “SUSP_” means the rule covers an indicator that is not a hard match and should be treated as “suspicious”.
  3. “APT_” indicates that the rule was created for a sample in a report on a certain threat group.
  4. “MAL_” stands for malware.
  5. “HKTL_” stands for hack tools.
  6. “Imphash_” marks a rule that looks for known malicious PE import hashes.
  7. “_Combo” means that a combination of keywords triggered the rule.
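The naming conventions above, the ‘<Group>_SampleN_MonYY_N’ attribution scheme and the 40 to 100 sub score can be put to use when triaging a VirusTotal match list. The following Python is an added example for this post, not THOR’s, VALHALLA’s or VirusTotal’s own code: the rule names and scores in it are constructed, and treating SUSP_, *_Anomaly and Generic rules as low-certainty hunting leads rather than hard detections is an assumption drawn from the score description, not a documented THOR behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Keyword prefixes from the naming scheme in the post; prefix -> meaning.
PREFIXES = {
    "APT_": "sample from a threat-group report",
    "MAL_": "malware",
    "HKTL_": "hack tool",
    "SUSP_": "suspicious indicator, not a hard match",
    "Imphash_": "known malicious PE import hash",
}

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# '<Group>_Sample<N>_<Mon><YY>_<N>' attribution scheme, e.g. IronTiger_Sample1_Apr17_1
ATTRIB_RE = re.compile(
    r"^(?P<group>[A-Za-z0-9]+)_Sample(?P<sample>\d+)_"
    r"(?P<mon>" + "|".join(MONTHS) + r")(?P<yy>\d{2})_(?P<seq>\d+)$")

# THOR sub score range as described in the post
SCORE_MIN, SCORE_MAX = 40, 100


@dataclass
class RuleNameInfo:
    name: str
    prefix: Optional[str] = None        # keyword prefix, if any
    category: Optional[str] = None      # meaning of that prefix
    generic: bool = False               # 'Generic' string/byte-sequence rule
    combo: bool = False                 # '_Combo': keyword combination triggered it
    anomaly: bool = False               # '*_Anomaly' scheme of the anomaly category
    group: Optional[str] = None         # group named in '<Group>_Sample...' rules
    report_month: Optional[str] = None  # 'Apr17' -> '2017-04'
    hunting_lead: bool = False          # assumed heuristic, see classify_rule_name


def classify_rule_name(name: str) -> RuleNameInfo:
    """Decode the naming conventions carried by a THOR/VALHALLA rule name."""
    info = RuleNameInfo(name=name)
    for prefix, meaning in PREFIXES.items():
        if name.startswith(prefix):
            info.prefix, info.category = prefix, meaning
            break
    body = name[len(info.prefix):] if info.prefix else name
    info.generic = "Generic" in name
    info.combo = name.endswith("_Combo") or "_Combo_" in name
    info.anomaly = name.endswith("_Anomaly") or "_Anomaly_" in name
    m = ATTRIB_RE.match(body)
    if m:
        info.group = m.group("group")
        info.report_month = f"20{m.group('yy')}-{MONTHS[m.group('mon')]:02d}"
    # Assumption (not a documented THOR rule): SUSP_, *_Anomaly and Generic
    # rules are low-certainty hunting leads rather than hard detections.
    info.hunting_lead = info.prefix == "SUSP_" or info.anomaly or info.generic
    return info


def summarize_matches(matches: List[Tuple[str, int]]) -> Dict[str, object]:
    """Triage a list of (rule_name, sub_score) pairs as shown on a VT match."""
    if not matches:
        raise ValueError("no matches to summarize")
    for name, score in matches:
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{name}: score {score} outside {SCORE_MIN}..{SCORE_MAX}")
    infos = [classify_rule_name(name) for name, _ in matches]
    hard = [i for i in infos if not i.hunting_lead]
    return {
        "max_score": max(score for _, score in matches),
        "hard_match_count": len(hard),
        # groups are leads only: the post warns a match is not clear attribution
        "groups_mentioned": sorted({i.group for i in infos if i.group}),
        "hunting_only": not hard,
    }


if __name__ == "__main__":
    # Constructed sample match list, not real VirusTotal output.
    sample = [
        ("IronTiger_Sample1_Apr17_1", 80),
        ("SUSP_PowerShell_Encoded_Combo", 50),
        ("HKTL_Generic_Mimikatz_Strings", 60),
    ]
    for name, score in sample:
        print(score, classify_rule_name(name))
    print(summarize_matches(sample))
```

The summary deliberately reports groups as “mentioned” rather than “attributed”, in line with the caveat above that a group-named rule may cover tooling shared by other actors; an analyst would still pivot on the reference and description fields before drawing a conclusion.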

List of Matches

See THOR’s VirusTotal page for all new matches: 

https://www.virustotal.com/en/user/thor/