Product / THOR APT Scanner


THOR is the most sophisticated and flexible compromise assessment tool on the market. 

Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.

THOR speeds up your forensic analysis with more than 17,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.

Key Features

Detection Examples

Detection Examples

Credential Dumper

Credential dumpers have long been considered as so-called dual-use tools. Only recently antivirus engines started to consequently report them but not all antivirus vendors followed that practice.

Tiny Web Shell

Many antivirus engines have problems detecting web shells. This may be due to the fact that their contents can be altered easily and in many ways. THOR has many web shell rules and threat hunting rules that detect special characteristics typically found in web shells.

Renamed PsExec

Administrators usually don’t rename well-known tools – whereas attackers do it frequently. THOR detects many renamed tools that can used for reconnaissance, lateral movement or data exfiltration.

Hacktool Output

Attackers don’t just drop tools on an end system. They also use them. The execution of these tools leaves traces in caches and on disk. THOR detects many output files generated by hack tools and indicates their use even if the executable has been removed by the adversary.

LSASS Memory Dump

While working on compromised systems, attackers leave traces of their work, even if no hack tool oder malware is involved. THOR detects temporary files like the process memory dump of the LSASS process, which contains credentials and can be used attackers to extract these credentials on a remote system.

System File Anomaly

System files have specific characteristics. THOR features many detection rules that looks for suspicious combinations in these characteristics. Suspicious executable packers, PE copyright information, file sizes and PE signature issuers are just some exam

THOR’s Signature Set

THOR ships with VALHALLA’s big encrypted signature database of more than 17,000 YARA signatures and undisclosed IOC sets. These signatures includes web shell rules, anomaly rules, malware rules, hack tool and tool output rules, malicious script and macro rules, exploit code rules and rules for registry and log file matching.

You need more information about models or specifications. Contact for datasheet.