feat: added BinaryAlert and restructure the repo

2023-08-08 00:32:42 +07:00 · 2023-08-08 00:32:42 +07:00 · fbc13aeb4c
parent 597ea580a7
commit fbc13aeb4c
126 changed files with 3481 additions and 3074 deletions
--- a/BinaryAlert/basicrat-malware.yaml
+++ b/BinaryAlert/basicrat-malware.yaml
@ -0,0 +1,23 @@
 id: basicrat-malware
 info:
  name: BasicRAT Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "HKCU Run registry key applied"
          - "HKCU Run registry key failed"
          - "Error, platform unsupported."
          - "Persistence successful,"
          - "Persistence unsuccessful,"
        condition: and
--- a/BinaryAlert/cerber-malware.yaml
+++ b/BinaryAlert/cerber-malware.yaml
@ -0,0 +1,21 @@
 id: cerber-malware
 info:
  name: Cerber Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "38oDr5.vbs"
          - "8ivq.dll"
          - "jmsctls_progress32"
        condition: and
--- a/BinaryAlert/crunchrat-malware.yaml
+++ b/BinaryAlert/crunchrat-malware.yaml
@ -0,0 +1,28 @@
 id: crunchrat-malware
 info:
  name: CrunchRAT Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "<action>command<action>"
          - "<action>upload<action>"
          - "<action>download<action>"
          - "cmd.exe"
          - "application/x-www-form-urlencoded"
          - "&action="
          - "&secondary="
          - "<secondary>"
          - "<action>"
        condition: and
        case-insensitive: true
--- a/BinaryAlert/hydracrypt-malware.yaml
+++ b/BinaryAlert/hydracrypt-malware.yaml
@ -0,0 +1,23 @@
 id: ransomware_windows_hydracrypt
 info:
  name: Hydracrypt Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "oTraining"
          - "Stop Training"
          - "Play \"sound.wav\""
          - "&Start Recording"
          - "7About record"
        condition: and
--- a/BinaryAlert/macos-bella-malware.yaml
+++ b/BinaryAlert/macos-bella-malware.yaml
@ -0,0 +1,38 @@
 id: macos-bella-malware
 info:
  name: Bella Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "Verified! [2FV Enabled] Account ->"
          - "There is no root shell to perform this command. See [rooter] manual entry."
          - "Attempt to escalate Bella to root through a variety of attack vectors."
          - "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
        condition: or
      - type: word
        part: raw
        words:
          - "user_pass_phish"
          - "bella_info"
          - "get_root"
        condition: and
      - type: word
        part: raw
        words:
          - "Please specify a bella server."
          - "What port should Bella connect on [Default is 4545]:"
        condition: and
--- a/BinaryAlert/petya-malware-variant-1.yaml
+++ b/BinaryAlert/petya-malware-variant-1.yaml
@ -0,0 +1,24 @@
 id: petya-malware-variant-1
 info:
  name: Petya Malware (Variant 1) - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "Ooops, your important files are encrypted."
          - "Send your Bitcoin wallet ID and personal installation key to e-mail"
          - "wowsmith123456@posteo.net. Your personal installation key:"
          - "Send $300 worth of Bitcoin to following address:"
          - "have been encrypted.  Perhaps you are busy looking for a way to recover your"
          - "need to do is submit the payment and purchase the decryption key."
        condition: or
--- a/BinaryAlert/petya-malware-variant-3.yaml
+++ b/BinaryAlert/petya-malware-variant-3.yaml
@ -0,0 +1,20 @@
 id: petya-malware-variant-3
 info:
  name: Petya Malware (Variant 3) - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "wevtutil cl Setup & wevtutil cl System"
          - "fsutil usn deletejournal /D %c:"
        condition: or
--- a/BinaryAlert/petya-malware-variant-bitcoin.yaml
+++ b/BinaryAlert/petya-malware-variant-bitcoin.yaml
@ -0,0 +1,18 @@
 id: petya-malware-variant-bitcoin
 info:
  name: Petya Malware (Variant Bitcoin) - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"
--- a/BinaryAlert/pony-stealer-malware.yaml
+++ b/BinaryAlert/pony-stealer-malware.yaml
@ -0,0 +1,29 @@
 id: pony-stealer-malware
 info:
  name: Windows Pony Stealer Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "signons.sqlite"
          - "signons.txt"
          - "signons2.txt"
          - "signons3.txt"
          - "WininetCacheCredentials"
          - "moz_logins"
          - "encryptedPassword"
          - "FlashFXP"
          - "BulletProof"
          - "CuteFTP"
        condition: and
        case-insensitive: true
--- a/BinaryAlert/powerware-malware.yaml
+++ b/BinaryAlert/powerware-malware.yaml
@ -0,0 +1,21 @@
 id: powerware-malware
 info:
  name: PowerWare Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers:
      - type: word
        part: raw
        words:
          - "ScriptRunner.dll"
          - "ScriptRunner.pdb"
          - "fixed.ps1"
        condition: and
--- a/BinaryAlert/wannacry-malware.yaml
+++ b/BinaryAlert/wannacry-malware.yaml
@ -0,0 +1,32 @@
 id: wannacry-malware
 info:
  name: WannaCry Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "msg/m_chinese"
          - ".wnry"
          - "attrib +h"
        condition: and
      - type: word
        part: raw
        words:
          - "WNcry@2ol7"
          - "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
          - "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
          - "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
          - "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
        condition: or
--- a/BinaryAlert/zrypt-malware.yaml
+++ b/BinaryAlert/zrypt-malware.yaml
@ -0,0 +1,34 @@
 id: zrypt-malware
 info:
  name: Zcrypt Malware - Detect
  author: daffainfo
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
  tags: malware,file
 file:
  - extensions:
      - all
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "How to Buy Bitcoins"
          - "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
          - "Click Here to Show Bitcoin Address"
          - "MyEncrypter2.pdb"
        condition: or
      - type: word
        part: raw
        words:
          - ".p7b"
          - ".p7c"
          - ".pdd"
          - ".pef"
          - ".pem"
          - "How to decrypt files.html"
        condition: and
--- a/README.md
+++ b/README.md
@ -1,251 +1,14 @@
 # Nuclei Malware
-Template to detect some malware using nuclei
+Template to detect some malware using nuclei. Creating these nuclei templates based on previously made YARA rules and then converting them into nuclei template format
-## Status Malware
+### List of Repositories
-I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
+* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
 * [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
-| Malware Yara Rules | Status |
+### To-Do
-| --- | --- |
+- [ ] Create a GitHub Actions workflow to detect the total number of templates in this repository
-| MALW_ATMPot |  🟥 Impossible  |
+- [ ] Gives the status of whether the template is already in the nuclei-templates repo or not (In `STATUS.md`)
-| MALW_ATM_HelloWorld |  🟥 Impossible  |
+- [ ] Create more nuclei templates using these repository
-| MALW_AZORULT |  🟥 Impossible  |
+  - [x] https://github.com/airbnb/binaryalert/tree/master/rules/public
-| MALW_AgentTesla |  🟨 Still possible but requires a lot of effort  |
+  - [ ] https://github.com/reversinglabs/reversinglabs-yara-rules
-| MALW_AgentTesla_SMTP |  🟨 Still possible but requires a lot of effort  |
+  - [ ] etc.
 | MALW_AlMashreq |  🟨 Still possible but requires a lot of effort  |
 | MALW_Alina |  🟩 Possible  |
 | MALW_Andromeda |  🟩 Possible  |
 | MALW_Arkei |  🟩 Possible  |
 | MALW_Athena |  🟨 Still possible but requires a lot of effort  |
 | MALW_Atmos |  🟥 Impossible  |
 | MALW_BackdoorSSH |  🟥 Impossible  |
 | MALW_Backoff |  🟩 Possible  |
 | MALW_Bangat |  🟥 Impossible  |
 | MALW_Batel |  🟥 Impossible  |
 | MALW_BlackRev |  🟨 Still possible but requires a lot of effort  |
 | MALW_BlackWorm |  🟩 Possible  |
 | MALW_Boouset |  🟥 Impossible  |
 | MALW_Bublik |  🟩 Possible  |
 | MALW_Buzus_Softpulse |  🟥 Impossible  |
 | MALW_CAP_HookExKeylogger |  🟨 Still possible but requires a lot of effort  |
 | MALW_Chicken |  🟨 Still possible but requires a lot of effort  |
 | MALW_Citadel |  🟥 Impossible  |
 | MALW_Cloaking |  🟥 Impossible  |
 | MALW_Cookies |  🟨 Still possible but requires a lot of effort  |
 | MALW_Corkow |  🟥 Impossible  |
 | MALW_Cxpid |  🟩 Possible  |
 | MALW_Cythosia |  🟩 Possible  |
 | MALW_DDoSTf |  🟩 Possible  |
 | MALW_Derkziel |  🟩 Possible  |
 | MALW_Dexter |  🟩 Possible  |
 | MALW_DiamondFox |  🟩 Possible  |
 | MALW_DirtJumper |  🟨 Still possible but requires a lot of effort  |
 | MALW_Eicar |  🟩 Possible  |
 | MALW_Elex |  🟥 Impossible  |
 | MALW_Elknot |  🟥 Impossible  |
 | MALW_Emotet |  🟥 Impossible  |
 | MALW_Empire |  🟥 Impossible  |
 | MALW_Enfal |  🟥 Impossible  |
 | MALW_Exploit_UAC_Elevators |  🟥 Impossible  |
 | MALW_Ezcob |  🟩 Possible  |
 | MALW_F0xy |  🟥 Impossible  |
 | MALW_FALLCHILL |  🟥 Impossible  |
 | MALW_FUDCrypt |  🟩 Possible  |
 | MALW_FakeM |  🟥 Impossible  |
 | MALW_Fareit |  🟥 Impossible  |
 | MALW_Favorite |  🟥 Impossible  |
 | MALW_Furtim |  🟥 Impossible  |
 | MALW_Gafgyt |  🟩 Possible  |
 | MALW_Genome |  🟩 Possible  |
 | MALW_Glasses |  🟩 Possible  |
 | MALW_Gozi |  🟩 Possible  |
 | MALW_Grozlex |  🟩 Possible  |
 | MALW_Hajime |  🟥 Impossible  |
 | MALW_Hsdfihdf_banking |  🟨 Still possible but requires a lot of effort  |
 | MALW_Httpsd_ELF |  🟥 Impossible  |
 | MALW_IMuler |  🟥 Impossible  |
 | MALW_IcedID |  🟥 Impossible  |
 | MALW_Iexpl0ree |  🟥 Impossible  |
 | MALW_Install11 |  🟩 Possible  |
 | MALW_Intel_Virtualization |  🟩 Possible  |
 | MALW_IotReaper |  🟩 Possible  |
 | MALW_Jolob_Backdoor |  🟩 Possible  |
 | MALW_KINS |  🟨 Still possible but requires a lot of effort  |
 | MALW_Kelihos |  🟩 Possible  |
 | MALW_KeyBase |  🟥 Impossible  |
 | MALW_Korlia |  🟥 Impossible  |
 | MALW_Korplug |  🟥 Impossible  |
 | MALW_Kovter |  🟩 Possible  |
 | MALW_Kraken |  🟥 Impossible  |
 | MALW_Kwampirs |  🟩 Possible  |
 | MALW_LURK0 |  🟥 Impossible  |
 | MALW_Lateral_Movement |  🟩 Possible  |
 | MALW_Lenovo_Superfish |  🟥 Impossible  |
 | MALW_LinuxBew |  🟩 Possible  |
 | MALW_LinuxHelios |  🟩 Possible  |
 | MALW_LinuxMoose |  🟥 Impossible  |
 | MALW_LostDoor |  🟩 Possible  |
 | MALW_LuaBot |  🟩 Possible  |
 | MALW_LuckyCat |  🟥 Impossible  |
 | MALW_MSILStealer |  🟩 Possible  |
 | MALW_MacControl |  🟥 Impossible  |
 | MALW_MacGyver |  🟩 Possible  |
 | MALW_Madness |  🟩 Possible  |
 | MALW_Magento_backend |  🟨 Still possible but requires a lot of effort  |
 | MALW_Magento_frontend |  🟨 Still possible but requires a lot of effort  |
 | MALW_Magento_suspicious |  🟥 Impossible  |
 | MALW_Mailers |  🟥 Impossible  |
 | MALW_MedusaHTTP_2019 |  🟨 Still possible but requires a lot of effort  |
 | MALW_Miancha |  🟥 Impossible  |
 | MALW_MiniAsp3_mem |  🟨 Still possible but requires a lot of effort  |
 | MALW_Mirai |  🟥 Impossible  |
 | MALW_Mirai_Okiru_ELF |  🟥 Impossible  |
 | MALW_Mirai_Satori_ELF |  🟥 Impossible  |
 | MALW_Miscelanea |  🟥 Impossible  |
 | MALW_Miscelanea_Linux |  🟨 Still possible but requires a lot of effort  |
 | MALW_Monero_Miner_installer |  🟩 Possible  |
 | MALW_NSFree |  🟩 Possible  |
 | MALW_Naikon |  🟨 Still possible but requires a lot of effort  |
 | MALW_Naspyupdate |  🟨 Still possible but requires a lot of effort  |
 | MALW_NetTraveler |  🟨 Still possible but requires a lot of effort  |
 | MALW_NionSpy |  🟥 Impossible  |
 | MALW_Notepad |  🟩 Possible  |
 | MALW_OSX_Leverage |  🟩 Possible  |
 | MALW_Odinaff |  🟥 Impossible  |
 | MALW_Olyx |  🟩 Possible  |
 | MALW_PE_sections |  🟥 Impossible  |
 | MALW_PittyTiger |  🟨 Still possible but requires a lot of effort  |
 | MALW_PolishBankRat |  🟥 Impossible  |
 | MALW_Ponmocup |  🟥 Impossible  |
 | MALW_Pony |  🟩 Possible  |
 | MALW_Predator |  🟥 Impossible  |
 | MALW_PubSab |  🟩 Possible  |
 | MALW_PurpleWave |  🟥 Impossible  |
 | MALW_PyPI |  🟩 Possible  |
 | MALW_Pyinstaller |  🟥 Impossible  |
 | MALW_Pyinstaller_OSX |  🟩 Possible  |
 | MALW_Quarian |  🟥 Impossible  |
 | MALW_Rebirth_Vulcan_ELF |  🟥 Impossible  |
 | MALW_Regsubdat |  🟥 Impossible  |
 | MALW_Rockloader |  🟥 Impossible  |
 | MALW_Rooter |  🟥 Impossible  |
 | MALW_Rovnix |  🟥 Impossible  |
 | MALW_Safenet |  🟩 Possible  |
 | MALW_Sakurel |  🟩 Possible  |
 | MALW_Sayad |  🟩 Possible  |
 | MALW_Scarhikn |  🟥 Impossible  |
 | MALW_Sendsafe |  🟨 Still possible but requires a lot of effort  |
 | MALW_Shamoon |  🟥 Impossible  |
 | MALW_Shifu |  🟥 Impossible  |
 | MALW_Skeleton |  🟥 Impossible  |
 | MALW_Spora |  🟩 Possible  |
 | MALW_Sqlite |  🟩 Possible  |
 | MALW_Stealer |  🟩 Possible  |
 | MALW_Surtr |  🟥 Impossible  |
 | MALW_T5000 |  🟩 Possible  |
 | MALW_TRITON_HATMAN |  🟥 Impossible  |
 | MALW_TRITON_ICS_FRAMEWORK |  🟥 Impossible  |
 | MALW_Tedroo |  🟩 Possible  |
 | MALW_Tinba |  🟥 Impossible  |
 | MALW_TinyShell_Backdoor_gen |  🟥 Impossible  |
 | MALW_Torte_ELF |  🟥 Impossible  |
 | MALW_TreasureHunt |  🟩 Possible  |
 | MALW_TrickBot |  🟩 Possible  |
 | MALW_Trumpbot |  🟩 Possible  |
 | MALW_Upatre |  🟥 Impossible  |
 | MALW_Urausy |  🟩 Possible  |
 | MALW_Vidgrab |  🟥 Impossible  |
 | MALW_Virut_FileInfector_UNK_VERSION |  🟥 Impossible  |
 | MALW_Volgmer |  🟥 Impossible  |
 | MALW_Wabot |  🟩 Possible  |
 | MALW_Warp |  🟩 Possible  |
 | MALW_Wimmie |  🟥 Impossible  |
 | MALW_XHide |  🟩 Possible  |
 | MALW_XMRIG_Miner |  🟩 Possible  |
 | MALW_XOR_DDos |  🟩 Possible  |
 | MALW_Yayih |  🟩 Possible  |
 | MALW_Yordanyan_ActiveAgent |  🟨 Still possible but requires a lot of effort  |
 | MALW_Zegost |  🟩 Possible  |
 | MALW_Zeus |  🟥 Impossible  |
 | MALW_adwind_RAT |  🟥 Impossible  |
 | MALW_hancitor |  🟨 Still possible but requires a lot of effort  |
 | MALW_kirbi_mimikatz |  🟥 Impossible  |
 | MALW_kpot |  🟨 Still possible but requires a lot of effort  |
 | MALW_marap |  🟨 Still possible but requires a lot of effort  |
 | MALW_shifu_shiz |  🟨 Still possible but requires a lot of effort  |
 | MALW_sitrof_fortis_scar |  🟨 Still possible but requires a lot of effort  |
 | MALW_viotto_keylogger |  🟥 Impossible  |
 | MALW_xDedic_marketplace |  🟥 Impossible  |
 | RANSOM_.CRYPTXXX.yar | 🟩 Possible |
 | RANSOM_777.yar | 🟩 Possible |
 | RANSOM_Alpha.yar | 🟩 Possible |
 | RANSOM_BadRabbit.yar | 🟥 Impossible |
 | RANSOM_Cerber.yar | 🟥 Impossible |
 | RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
 | RANSOM_Crypren.yar | 🟥 Impossible |
 | RANSOM_CryptoNar.yar | 🟥 Impossible |
 | RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
 | RANSOM_DMALocker.yar | 🟩 Possible |
 | RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
 | RANSOM_Erebus.yar | 🟩 Possible |
 | RANSOM_GPGQwerty.yar | 🟩 Possible |
 | RANSOM_GoldenEye.yar | 🟥 Impossible |
 | RANSOM_Locky.yar | 🟩 Possible |
 | RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
 | RANSOM_Maze.yar | 🟥 Impossible |
 | RANSOM_PetrWrap.yar | 🟥 Impossible |
 | RANSOM_Petya.yar | 🟥 Impossible |
 | RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
 | RANSOM_Pico.yar | 🟥 Impossible |
 | RANSOM_Revix.yar | 🟥 Impossible |
 | RANSOM_SamSam.yar | 🟥 Impossible |
 | RANSOM_Satana.yar | 🟩 Possible |
 | RANSOM_Shiva.yar | 🟥 Impossible |
 | RANSOM_Sigma.yar | 🟩 Possible |
 | RANSOM_Snake.yar | 🟩 Possible |
 | RANSOM_Stampado.yar | 🟥 Impossible |
 | RANSOM_TeslaCrypt.yar | 🟩 Possible |
 | RANSOM_Tox.yar | 🟩 Possible |
 | RANSOM_acroware.yar | 🟥 Impossible |
 | RANSOM_jeff_dev.yar | 🟥 Impossible |
 | RANSOM_locdoor.yar | 🟥 Impossible |
 | RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
 | RANSOM_shrug2.yar | 🟥 Impossible |
 | RANSOM_termite.yar | 🟥 Impossible |
 | RAT_Adwind.yar | 🟥 Impossible |
 | RAT_Adzok.yar | 🟩 Possible |
 | RAT_Asyncrat.yar | 🟥 Impossible |
 | RAT_BlackShades.yar | 🟥 Impossible |
 | RAT_Bolonyokte.yar | 🟥 Impossible |
 | RAT_Bozok.yar | 🟩 Possible |
 | RAT_Cerberus.yar | 🟩 Possible |
 | RAT_Crimson.yar | 🟩 Possible |
 | RAT_CrossRAT.yar | 🟥 Impossible |
 | RAT_CyberGate.yar | 🟩 Possible |
 | RAT_DarkComet.yar | 🟥 Impossible |
 | RAT_FlyingKitten.yar | 🟥 Impossible |
 | RAT_Gh0st.yar | 🟥 Impossible |
 | RAT_Gholee.yar | 🟩 Possible |
 | RAT_Glass.yar | 🟩 Possible |
 | RAT_Havex.yar | 🟥 Impossible |
 | RAT_Hizor.yar | 🟥 Impossible |
 | RAT_Indetectables.yar | 🟥 Impossible |
 | RAT_Inocnation.yar | 🟥 Impossible |
 | RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
 | RAT_Nanocore.yar | 🟥 Impossible |
 | RAT_NetwiredRC.yar | 🟥 Impossible |
 | RAT_Njrat.yar | 🟥 Impossible |
 | RAT_Orcus.yar | 🟥 Impossible |
 | RAT_PlugX.yar | 🟥 Impossible |
 | RAT_PoetRATDoc.yar | 🟩 Possible |
 | RAT_PoetRATPython.yar | 🟥 Impossible |
 | RAT_PoisonIvy.yar | 🟥 Impossible |
 | RAT_Ratdecoders.yar | 🟩 Possible |
 | RAT_Sakula.yar | 🟥 Impossible |
 | RAT_ShadowTech.yar | 🟩 Possible |
 | RAT_Shim.yar | 🟩 Possible |
 | RAT_Terminator.yar | 🟩 Possible |
 | RAT_Xtreme.yar | 🟥 Impossible |
 | RAT_ZoxPNG.yar | 🟩 Possible |
 | RAT_jRAT.yar | 🟩 Possible |
 | RAT_xRAT.yar | 🟩 Possible |
 | RAT_xRAT20.yar | 🟥 Impossible |
--- a/STATUS.md
+++ b/STATUS.md
@ -0,0 +1,279 @@
 # List
 * [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
 | Yara Rules | Status |
 | --- | --- |
 | MALW_ATMPot | 🟥 Impossible |
 | MALW_ATM_HelloWorld | 🟥 Impossible |
 | MALW_AZORULT | 🟥 Impossible |
 | MALW_AgentTesla |  🟨 Still possible but requires a lot of effort  |
 | MALW_AgentTesla_SMTP |  🟨 Still possible but requires a lot of effort  |
 | MALW_AlMashreq |  🟨 Still possible but requires a lot of effort  |
 | MALW_Alina | 🟩 Possible |
 | MALW_Andromeda | 🟩 Possible |
 | MALW_Arkei | 🟩 Possible |
 | MALW_Athena |  🟨 Still possible but requires a lot of effort  |
 | MALW_Atmos | 🟥 Impossible |
 | MALW_BackdoorSSH | 🟥 Impossible |
 | MALW_Backoff | 🟩 Possible |
 | MALW_Bangat | 🟥 Impossible |
 | MALW_Batel | 🟥 Impossible |
 | MALW_BlackRev |  🟨 Still possible but requires a lot of effort  |
 | MALW_BlackWorm | 🟩 Possible |
 | MALW_Boouset | 🟥 Impossible |
 | MALW_Bublik | 🟩 Possible |
 | MALW_Buzus_Softpulse | 🟥 Impossible |
 | MALW_CAP_HookExKeylogger |  🟨 Still possible but requires a lot of effort  |
 | MALW_Chicken |  🟨 Still possible but requires a lot of effort  |
 | MALW_Citadel | 🟥 Impossible |
 | MALW_Cloaking | 🟥 Impossible |
 | MALW_Cookies |  🟨 Still possible but requires a lot of effort  |
 | MALW_Corkow | 🟥 Impossible |
 | MALW_Cxpid | 🟩 Possible |
 | MALW_Cythosia | 🟩 Possible |
 | MALW_DDoSTf | 🟩 Possible |
 | MALW_Derkziel | 🟩 Possible |
 | MALW_Dexter | 🟩 Possible |
 | MALW_DiamondFox | 🟩 Possible |
 | MALW_DirtJumper |  🟨 Still possible but requires a lot of effort  |
 | MALW_Eicar | 🟩 Possible |
 | MALW_Elex | 🟥 Impossible |
 | MALW_Elknot | 🟥 Impossible |
 | MALW_Emotet | 🟥 Impossible |
 | MALW_Empire | 🟥 Impossible |
 | MALW_Enfal | 🟥 Impossible |
 | MALW_Exploit_UAC_Elevators | 🟥 Impossible |
 | MALW_Ezcob | 🟩 Possible |
 | MALW_F0xy | 🟥 Impossible |
 | MALW_FALLCHILL | 🟥 Impossible |
 | MALW_FUDCrypt | 🟩 Possible |
 | MALW_FakeM | 🟥 Impossible |
 | MALW_Fareit | 🟥 Impossible |
 | MALW_Favorite | 🟥 Impossible |
 | MALW_Furtim | 🟥 Impossible |
 | MALW_Gafgyt | 🟩 Possible |
 | MALW_Genome | 🟩 Possible |
 | MALW_Glasses | 🟩 Possible |
 | MALW_Gozi | 🟩 Possible |
 | MALW_Grozlex | 🟩 Possible |
 | MALW_Hajime | 🟥 Impossible |
 | MALW_Hsdfihdf_banking |  🟨 Still possible but requires a lot of effort  |
 | MALW_Httpsd_ELF | 🟥 Impossible |
 | MALW_IMuler | 🟥 Impossible |
 | MALW_IcedID | 🟥 Impossible |
 | MALW_Iexpl0ree | 🟥 Impossible |
 | MALW_Install11 | 🟩 Possible |
 | MALW_Intel_Virtualization | 🟩 Possible |
 | MALW_IotReaper | 🟩 Possible |
 | MALW_Jolob_Backdoor | 🟩 Possible |
 | MALW_KINS |  🟨 Still possible but requires a lot of effort  |
 | MALW_Kelihos | 🟩 Possible |
 | MALW_KeyBase | 🟥 Impossible |
 | MALW_Korlia | 🟥 Impossible |
 | MALW_Korplug | 🟥 Impossible |
 | MALW_Kovter | 🟩 Possible |
 | MALW_Kraken | 🟥 Impossible |
 | MALW_Kwampirs | 🟩 Possible |
 | MALW_LURK0 | 🟥 Impossible |
 | MALW_Lateral_Movement | 🟩 Possible |
 | MALW_Lenovo_Superfish | 🟥 Impossible |
 | MALW_LinuxBew | 🟩 Possible |
 | MALW_LinuxHelios | 🟩 Possible |
 | MALW_LinuxMoose | 🟥 Impossible |
 | MALW_LostDoor | 🟩 Possible |
 | MALW_LuaBot | 🟩 Possible |
 | MALW_LuckyCat | 🟥 Impossible |
 | MALW_MSILStealer | 🟩 Possible |
 | MALW_MacControl | 🟥 Impossible |
 | MALW_MacGyver | 🟩 Possible |
 | MALW_Madness | 🟩 Possible |
 | MALW_Magento_backend |  🟨 Still possible but requires a lot of effort  |
 | MALW_Magento_frontend |  🟨 Still possible but requires a lot of effort  |
 | MALW_Magento_suspicious | 🟥 Impossible |
 | MALW_Mailers | 🟥 Impossible |
 | MALW_MedusaHTTP_2019 |  🟨 Still possible but requires a lot of effort  |
 | MALW_Miancha | 🟥 Impossible |
 | MALW_MiniAsp3_mem |  🟨 Still possible but requires a lot of effort  |
 | MALW_Mirai | 🟥 Impossible |
 | MALW_Mirai_Okiru_ELF | 🟥 Impossible |
 | MALW_Mirai_Satori_ELF | 🟥 Impossible |
 | MALW_Miscelanea | 🟥 Impossible |
 | MALW_Miscelanea_Linux |  🟨 Still possible but requires a lot of effort  |
 | MALW_Monero_Miner_installer | 🟩 Possible |
 | MALW_NSFree | 🟩 Possible |
 | MALW_Naikon |  🟨 Still possible but requires a lot of effort  |
 | MALW_Naspyupdate |  🟨 Still possible but requires a lot of effort  |
 | MALW_NetTraveler |  🟨 Still possible but requires a lot of effort  |
 | MALW_NionSpy | 🟥 Impossible |
 | MALW_Notepad | 🟩 Possible |
 | MALW_OSX_Leverage | 🟩 Possible |
 | MALW_Odinaff | 🟥 Impossible |
 | MALW_Olyx | 🟩 Possible |
 | MALW_PE_sections | 🟥 Impossible |
 | MALW_PittyTiger |  🟨 Still possible but requires a lot of effort  |
 | MALW_PolishBankRat | 🟥 Impossible |
 | MALW_Ponmocup | 🟥 Impossible |
 | MALW_Pony | 🟩 Possible |
 | MALW_Predator | 🟥 Impossible |
 | MALW_PubSab | 🟩 Possible |
 | MALW_PurpleWave | 🟥 Impossible |
 | MALW_PyPI | 🟩 Possible |
 | MALW_Pyinstaller | 🟥 Impossible |
 | MALW_Pyinstaller_OSX | 🟩 Possible |
 | MALW_Quarian | 🟥 Impossible |
 | MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
 | MALW_Regsubdat | 🟥 Impossible |
 | MALW_Rockloader | 🟥 Impossible |
 | MALW_Rooter | 🟥 Impossible |
 | MALW_Rovnix | 🟥 Impossible |
 | MALW_Safenet | 🟩 Possible |
 | MALW_Sakurel | 🟩 Possible |
 | MALW_Sayad | 🟩 Possible |
 | MALW_Scarhikn | 🟥 Impossible |
 | MALW_Sendsafe |  🟨 Still possible but requires a lot of effort  |
 | MALW_Shamoon | 🟥 Impossible |
 | MALW_Shifu | 🟥 Impossible |
 | MALW_Skeleton | 🟥 Impossible |
 | MALW_Spora | 🟩 Possible |
 | MALW_Sqlite | 🟩 Possible |
 | MALW_Stealer | 🟩 Possible |
 | MALW_Surtr | 🟥 Impossible |
 | MALW_T5000 | 🟩 Possible |
 | MALW_TRITON_HATMAN | 🟥 Impossible |
 | MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
 | MALW_Tedroo | 🟩 Possible |
 | MALW_Tinba | 🟥 Impossible |
 | MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
 | MALW_Torte_ELF | 🟥 Impossible |
 | MALW_TreasureHunt | 🟩 Possible |
 | MALW_TrickBot | 🟩 Possible |
 | MALW_Trumpbot | 🟩 Possible |
 | MALW_Upatre | 🟥 Impossible |
 | MALW_Urausy | 🟩 Possible |
 | MALW_Vidgrab | 🟥 Impossible |
 | MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
 | MALW_Volgmer | 🟥 Impossible |
 | MALW_Wabot | 🟩 Possible |
 | MALW_Warp | 🟩 Possible |
 | MALW_Wimmie | 🟥 Impossible |
 | MALW_XHide | 🟩 Possible |
 | MALW_XMRIG_Miner | 🟩 Possible |
 | MALW_XOR_DDos | 🟩 Possible |
 | MALW_Yayih | 🟩 Possible |
 | MALW_Yordanyan_ActiveAgent |  🟨 Still possible but requires a lot of effort  |
 | MALW_Zegost | 🟩 Possible |
 | MALW_Zeus | 🟥 Impossible |
 | MALW_adwind_RAT | 🟥 Impossible |
 | MALW_hancitor |  🟨 Still possible but requires a lot of effort  |
 | MALW_kirbi_mimikatz | 🟥 Impossible |
 | MALW_kpot |  🟨 Still possible but requires a lot of effort  |
 | MALW_marap |  🟨 Still possible but requires a lot of effort  |
 | MALW_shifu_shiz |  🟨 Still possible but requires a lot of effort  |
 | MALW_sitrof_fortis_scar |  🟨 Still possible but requires a lot of effort  |
 | MALW_viotto_keylogger | 🟥 Impossible |
 | MALW_xDedic_marketplace | 🟥 Impossible |
 | RANSOM_.CRYPTXXX.yar | 🟩 Possible |
 | RANSOM_777.yar | 🟩 Possible |
 | RANSOM_Alpha.yar | 🟩 Possible |
 | RANSOM_BadRabbit.yar | 🟥 Impossible |
 | RANSOM_Cerber.yar | 🟥 Impossible |
 | RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
 | RANSOM_Crypren.yar | 🟥 Impossible |
 | RANSOM_CryptoNar.yar | 🟥 Impossible |
 | RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
 | RANSOM_DMALocker.yar | 🟩 Possible |
 | RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
 | RANSOM_Erebus.yar | 🟩 Possible |
 | RANSOM_GPGQwerty.yar | 🟩 Possible |
 | RANSOM_GoldenEye.yar | 🟥 Impossible |
 | RANSOM_Locky.yar | 🟩 Possible |
 | RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
 | RANSOM_Maze.yar | 🟥 Impossible |
 | RANSOM_PetrWrap.yar | 🟥 Impossible |
 | RANSOM_Petya.yar | 🟥 Impossible |
 | RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
 | RANSOM_Pico.yar | 🟥 Impossible |
 | RANSOM_Revix.yar | 🟥 Impossible |
 | RANSOM_SamSam.yar | 🟥 Impossible |
 | RANSOM_Satana.yar | 🟩 Possible |
 | RANSOM_Shiva.yar | 🟥 Impossible |
 | RANSOM_Sigma.yar | 🟩 Possible |
 | RANSOM_Snake.yar | 🟩 Possible |
 | RANSOM_Stampado.yar | 🟥 Impossible |
 | RANSOM_TeslaCrypt.yar | 🟩 Possible |
 | RANSOM_Tox.yar | 🟩 Possible |
 | RANSOM_acroware.yar | 🟥 Impossible |
 | RANSOM_jeff_dev.yar | 🟥 Impossible |
 | RANSOM_locdoor.yar | 🟥 Impossible |
 | RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
 | RANSOM_shrug2.yar | 🟥 Impossible |
 | RANSOM_termite.yar | 🟥 Impossible |
 | RAT_Adwind.yar | 🟥 Impossible |
 | RAT_Adzok.yar | 🟩 Possible |
 | RAT_Asyncrat.yar | 🟥 Impossible |
 | RAT_BlackShades.yar | 🟥 Impossible |
 | RAT_Bolonyokte.yar | 🟥 Impossible |
 | RAT_Bozok.yar | 🟩 Possible |
 | RAT_Cerberus.yar | 🟩 Possible |
 | RAT_Crimson.yar | 🟩 Possible |
 | RAT_CrossRAT.yar | 🟥 Impossible |
 | RAT_CyberGate.yar | 🟩 Possible |
 | RAT_DarkComet.yar | 🟥 Impossible |
 | RAT_FlyingKitten.yar | 🟥 Impossible |
 | RAT_Gh0st.yar | 🟥 Impossible |
 | RAT_Gholee.yar | 🟩 Possible |
 | RAT_Glass.yar | 🟩 Possible |
 | RAT_Havex.yar | 🟥 Impossible |
 | RAT_Hizor.yar | 🟥 Impossible |
 | RAT_Indetectables.yar | 🟥 Impossible |
 | RAT_Inocnation.yar | 🟥 Impossible |
 | RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
 | RAT_Nanocore.yar | 🟥 Impossible |
 | RAT_NetwiredRC.yar | 🟥 Impossible |
 | RAT_Njrat.yar | 🟥 Impossible |
 | RAT_Orcus.yar | 🟥 Impossible |
 | RAT_PlugX.yar | 🟥 Impossible |
 | RAT_PoetRATDoc.yar | 🟩 Possible |
 | RAT_PoetRATPython.yar | 🟥 Impossible |
 | RAT_PoisonIvy.yar | 🟥 Impossible |
 | RAT_Ratdecoders.yar | 🟩 Possible |
 | RAT_Sakula.yar | 🟥 Impossible |
 | RAT_ShadowTech.yar | 🟩 Possible |
 | RAT_Shim.yar | 🟩 Possible |
 | RAT_Terminator.yar | 🟩 Possible |
 | RAT_Xtreme.yar | 🟥 Impossible |
 | RAT_ZoxPNG.yar | 🟩 Possible |
 | RAT_jRAT.yar | 🟩 Possible |
 | RAT_xRAT.yar | 🟩 Possible |
 | RAT_xRAT20.yar | 🟥 Impossible |
 * [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
 | Yara Rules | Status |
 | --- | --- |
 | malware_macos_apt_sofacy_xagent.yara | 🟥 Impossible |
 | malware_macos_bella.yara | 🟩 Possible |
 | malware_macos_macspy.yara | 🟥 Impossible |
 | malware_macos_marten4n6_evilosx.yara | 🟨 Still possible but requires a lot of effort |
 | malware_macos_neoneggplant_eggshell.yara | 🟨 Still possible but requires a lot of effort |
 | malware_macos_proton_rat_generic.yara | 🟥 Impossible |
 | malware_multi_pupy_rat.yara | 🟨 Still possible but requires a lot of effort |
 | malware_multi_vesche_basicrat.yara | 🟩 Possible |
 | malware_windows_apt_red_leaves_generic.yara | 🟨 Still possible but requires a lot of effort |
 | malware_windows_pony_stealer.yara | 🟩 Possible |
 | malware_windows_remcos_rat.yara | 🟨 Still possible but requires a lot of effort |
 | malware_windows_t3ntman_crunchrat.yara | 🟩 Possible |
 | malware_windows_xrat_quasarrat.yara | 🟨 Still possible but requires a lot of effort |
 | ransomware_windows_HDDCryptorA.yara | 🟨 Still possible but requires a lot of effort |
 | ransomware_windows_cerber_evasion.yara | 🟩 Possible |
 | ransomware_windows_cryptolocker.yara | 🟨 Still possible but requires a lot of effort |
 | ransomware_windows_hydracrypt.yara | 🟩 Possible |
 | ransomware_windows_lazarus_wannacry.yara | 🟥 Impossible |
 | ransomware_windows_petya_variant_1.yara | 🟩 Possible |
 | ransomware_windows_petya_variant_2.yara | 🟨 Still possible but requires a lot of effort |
 | ransomware_windows_petya_variant_3.yara | 🟩 Possible |
 | ransomware_windows_petya_variant_bitcoin.yara | 🟩 Possible |
 | ransomware_windows_powerware_locky.yara | 🟩 Possible |
 | ransomware_windows_wannacry.yara | 🟩 Possible |
 | ransomware_windows_zcrypt.yara | 🟩 Possible |
--- a/Yara-Rules/aar-malware.yaml
+++ b/Yara-Rules/aar-malware.yaml
@ -1,9 +1,9 @@
-id: malware_aar
+id: aar-malware
 info:
-  name: AAR Malware Detector
+  name: AAR Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "Hashtable"
          - "get_IsDisposed"
--- a/Yara-Rules/adzok-malware.yaml
+++ b/Yara-Rules/adzok-malware.yaml
@ -1,9 +1,9 @@
-id: malware_adzok
+id: adzok-malware
 info:
-  name: Adzok Malware Detector
+  name: Adzok Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "key.classPK"
          - "svd$1.classPK"
@ -25,6 +26,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "svd$1.classPK"
@ -36,6 +38,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
@ -47,6 +50,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
@ -58,6 +62,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
@ -69,6 +74,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
@ -80,6 +86,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
@ -91,6 +98,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "config.xmlPK"
          - "key.classPK"
--- a/Yara-Rules/alfa-malware.yaml
+++ b/Yara-Rules/alfa-malware.yaml
@ -1,9 +1,9 @@
-id: malware_alfa
+id: alfa-malware
 info:
-  name: Alfa Malware Detector
+  name: Alfa Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
  tags: malware,file
@ -11,7 +11,6 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: binary
        binary:
--- a/Yara-Rules/alienspy-malware.yaml
+++ b/Yara-Rules/alienspy-malware.yaml
@ -1,9 +1,9 @@
-id: malware_alienspy
+id: alienspy-malware
 info:
-  name: AlienSpy Malware Detector
+  name: AlienSpy Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "META-INF/MANIFEST.MF"
          - "ePK"
--- a/Yara-Rules/alina-malware.yaml
+++ b/Yara-Rules/alina-malware.yaml
@ -1,9 +1,9 @@
-id: malware_alina
+id: alina-malware
 info:
-  name: Alina Malware Detector
+  name: Alina Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'Alina v1.0'
          - 'POST'
--- a/Yara-Rules/alpha-malware.yaml
+++ b/Yara-Rules/alpha-malware.yaml
@ -1,9 +1,9 @@
-id: malware_alpha
+id: alpha-malware
 info:
-  name: Alpha Malware Detector
+  name: Alpha Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
  tags: malware,file
--- a/Yara-Rules/andromeda-malware.yaml
+++ b/Yara-Rules/andromeda-malware.yaml
@ -1,9 +1,9 @@
-id: malware_andromeda
+id: andromeda-malware
 info:
-  name: Andromeda Malware Detector
+  name: Andromeda Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
--- a/Yara-Rules/ap0calypse-malware.yaml
+++ b/Yara-Rules/ap0calypse-malware.yaml
@ -1,9 +1,9 @@
-id: malware_ap0calypse
+id: ap0calypse-malware
 info:
-  name: Ap0calypse Malware Detector
+  name: Ap0calypse Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "Ap0calypse"
          - "Sifre"
--- a/Yara-Rules/arcom-malware.yaml
+++ b/Yara-Rules/arcom-malware.yaml
@ -1,9 +1,9 @@
-id: malware_arcom
+id: arcom-malware
 info:
-  name: Arcom Malware Detector
+  name: Arcom Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "CVu3388fnek3W(3ij3fkp0930di"
          - "ZINGAWI2"
--- a/Yara-Rules/arkei-malware.yaml
+++ b/Yara-Rules/arkei-malware.yaml
@ -1,9 +1,9 @@
-id: malware_arkei
+id: arkei-malware
 info:
-  name: Arkei Malware Detector
+  name: Arkei Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'Arkei'
          - '/server/gate'
--- a/Yara-Rules/backoff-malware.yaml
+++ b/Yara-Rules/backoff-malware.yaml
@ -1,9 +1,9 @@
-id: malware_backoff
+id: backoff-malware
 info:
-  name: Backoff Malware Detector
+  name: Backoff Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
          - '%s @ %s'
--- a/Yara-Rules/bandook-malware.yaml
+++ b/Yara-Rules/bandook-malware.yaml
@ -1,9 +1,9 @@
-id: malware_bandook
+id: bandook-malware
 info:
-  name: Bandook Malware Detector
+  name: Bandook Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "aaaaaa1|"
          - "aaaaaa2|"
--- a/Yara-Rules/blacknix-malware.yaml
+++ b/Yara-Rules/blacknix-malware.yaml
@ -1,9 +1,9 @@
-id: malware_blacknix
+id: blacknix-malware
 info:
-  name: BlackNix Malware Detector
+  name: BlackNix Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "SETTINGS"
          - "Mark Adler"
--- a/Yara-Rules/blackworm-malware.yaml
+++ b/Yara-Rules/blackworm-malware.yaml
@ -1,9 +1,9 @@
-id: malware_blackworm
+id: blackworm-malware
 info:
-  name: Blackworm Malware Detector
+  name: Blackworm Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'm_ComputerObjectProvider'
          - 'MyWebServices'
--- a/Yara-Rules/bluebanana-malware.yaml
+++ b/Yara-Rules/bluebanana-malware.yaml
@ -1,9 +1,9 @@
-id: malware_bluebanana
+id: bluebanana-malware
 info:
-  name: BlueBanana Malware Detector
+  name: BlueBanana Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "META-INF"
          - "config.txt"
--- a/Yara-Rules/bozok-malware.yaml
+++ b/Yara-Rules/bozok-malware.yaml
@ -1,9 +1,9 @@
-id: malware_bozok
+id: bozok-malware
 info:
-  name: Bozok Malware Detector
+  name: Bozok Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "getVer"
          - "StartVNC"
--- a/Yara-Rules/bublik-malware.yaml
+++ b/Yara-Rules/bublik-malware.yaml
@ -1,9 +1,9 @@
-id: malware_bublik
+id: bublik-malware
 info:
  name: Bublik Malware Detector
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
  tags: malware,file
@ -11,7 +11,6 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: binary
        binary:
--- a/Yara-Rules/cap-hookexkeylogger-malware.yaml
+++ b/Yara-Rules/cap-hookexkeylogger-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cap_hookexkeylogger
+id: cap-hookexkeylogger-malware
 info:
-  name: CAP HookExKeylogger Malware Detector
+  name: CAP HookExKeylogger Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "SetWindowsHookEx"
          - "WH_KEYBOARD_LL"
@ -21,6 +22,7 @@ file:
        case-insensitive: true
      - type: word
        part: raw
        words:
          - "SetWindowsHookEx"
          - "WH_KEYBOARD"
@ -28,6 +30,7 @@ file:
        case-insensitive: true
      - type: word
        part: raw
        words:
          - "WH_KEYBOARD"
          - "WH_KEYBOARD_LL"
--- a/Yara-Rules/cerberus-malware.yaml
+++ b/Yara-Rules/cerberus-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cerberus
+id: cerberus-malware
 info:
-  name: Cerberus Malware Detector
+  name: Cerberus Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "Ypmw1Syv023QZD"
          - "wZ2pla"
@ -21,6 +22,7 @@ file:
        condition: or
      - type: word
        part: raw
        words:
          - "cerberus"
        case-insensitive: true
--- a/Yara-Rules/clientmesh-malware.yaml
+++ b/Yara-Rules/clientmesh-malware.yaml
@ -1,9 +1,9 @@
-id: malware_clientmesh
+id: clientmesh-malware
 info:
-  name: ClientMesh Malware Detector
+  name: ClientMesh Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "machinedetails"
          - "MySettings"
--- a/Yara-Rules/crimson-malware.yaml
+++ b/Yara-Rules/crimson-malware.yaml
@ -1,9 +1,9 @@
-id: malware_crimson
+id: crimson-malware
 info:
-  name: Crimson Malware Detector
+  name: Crimson Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "com/crimson/PK"
          - "com/crimson/bootstrapJar/PK"
--- a/Yara-Rules/cryptxxx-dropper-malware.yaml
+++ b/Yara-Rules/cryptxxx-dropper-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cryptxxx_dropper
+id: cryptxxx-dropper-malware
 info:
-  name: CryptXXX Dropper Malware Detector
+  name: CryptXXX Dropper Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file
@ -11,9 +11,8 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
-      - type: binary #Dropper
+      - type: binary
        binary:
          - "50653157584346765962486F35"
          - "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
--- a/Yara-Rules/cryptxxx-malware.yaml
+++ b/Yara-Rules/cryptxxx-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cryptxxx
+id: cryptxxx-malware
 info:
-  name: CryptXXX Malware Detector
+  name: CryptXXX Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file
@ -11,7 +11,6 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: binary
        binary:
--- a/Yara-Rules/cxpid-malware.yaml
+++ b/Yara-Rules/cxpid-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cxpid
+id: cxpid-malware
 info:
-  name: Cxpid Malware Detector
+  name: Cxpid Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
  tags: malware,file
@ -13,7 +13,8 @@ file:
    matchers-condition: or
    matchers:
-      - type: word #cxpidStrings
+      - type: word
        part: raw
        words:
          - '/cxpid/submit.php?SessionID='
          - '/cxgid/'
@ -21,6 +22,6 @@ file:
          - 'E21BC52BEA39E435C40CD8'
          - '                   -,L-,O+,Q-,R-,Y-,S-'
-      - type: binary #cxpidCode
+      - type: binary
        binary:
          - "558BECB9380400006A006A004975F9"
--- a/Yara-Rules/cythosia-malware.yaml
+++ b/Yara-Rules/cythosia-malware.yaml
@ -1,9 +1,9 @@
-id: malware_cythosia
+id: cythosia-malware
 info:
-  name: Cythosia Malware Detector
+  name: Cythosia Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
  tags: malware,file
@ -11,8 +11,8 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'HarvesterSocksBot.Properties.Resources'
--- a/Yara-Rules/darkrat-malware.yaml
+++ b/Yara-Rules/darkrat-malware.yaml
@ -1,9 +1,9 @@
-id: malware_darkrat
+id: darkrat-malware
 info:
-  name: DarkRAT Malware Detector
+  name: DarkRAT Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "@1906dark1996coder@"
          - "SHEmptyRecycleBinA"
--- a/Yara-Rules/ddostf-malware.yaml
+++ b/Yara-Rules/ddostf-malware.yaml
@ -1,9 +1,9 @@
-id: malware_ddostf
+id: ddostf-malware
 info:
-  name: DDoSTf Malware Detector
+  name: DDoSTf Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
@ -16,6 +16,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'ddos.tf'
          - 'Accept-Language: zh'
@ -24,6 +25,6 @@ file:
      - type: binary
        binary:
-          - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
+          - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'
-          - 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
+          - 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'
        condition: and
--- a/Yara-Rules/derkziel-malware.yaml
+++ b/Yara-Rules/derkziel-malware.yaml
@ -1,9 +1,9 @@
-id: malware_derkziel
+id: derkziel-malware
 info:
-  name: Derkziel Malware Detector
+  name: Derkziel Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://bhf.su/threads/137898/
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - '{!}DRZ{!}'
          - 'User-Agent: Uploador'
--- a/Yara-Rules/dexter-malware.yaml
+++ b/Yara-Rules/dexter-malware.yaml
@ -1,9 +1,9 @@
-id: malware_dexter
+id: dexter-malware
 info:
-  name: Dexter Malware Detector
+  name: Dexter Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
    - http://goo.gl/oBvy8b
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'Java Security Plugin'
          - '%s\\%s\\%s.exe'
--- a/Yara-Rules/diamondfox-malware.yaml
+++ b/Yara-Rules/diamondfox-malware.yaml
@ -1,9 +1,9 @@
-id: malware_diamondfox
+id: diamondfox-malware
 info:
-  name: DiamondFox Malware Detector
+  name: DiamondFox Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'UPDATE_B'
          - 'UNISTALL_B'
--- a/Yara-Rules/dmalocker-malware.yaml
+++ b/Yara-Rules/dmalocker-malware.yaml
@ -1,9 +1,9 @@
-id: malware_dmalocker
+id: dmalocker-malware
 info:
-  name: DMA Locker Malware Detector
+  name: DMA Locker Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
  tags: malware,file
@ -18,4 +18,5 @@ file:
          - "21444d414c4f434b"
          - "21444d414c4f434b332e30"
          - "3F520000FFFFFFFF06000000524C4141"
-          - "21444d414c4f434b342e30" #v4
+          - "21444d414c4f434b342e30"
        condition: or
--- a/Yara-Rules/doublepulsar-malware.yaml
+++ b/Yara-Rules/doublepulsar-malware.yaml
@ -1,9 +1,9 @@
-id: malware_doublepulsar
+id: doublepulsar-malware
 info:
-  name: DoublePulsar Malware Detector
+  name: DoublePulsar Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
  tags: malware,file
@ -14,5 +14,6 @@ file:
    matchers:
      - type: binary
        binary:
-          - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
+          - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE"
-          - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
+          - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741"
        condition: or
--- a/Yara-Rules/eicar-malware.yaml
+++ b/Yara-Rules/eicar-malware.yaml
@ -1,9 +1,9 @@
-id: malware_eicar
+id: eicar-malware
 info:
-  name: Eicar Malware Detector
+  name: Eicar Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
  tags: malware,file
@ -13,5 +13,6 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
--- a/Yara-Rules/erebus-malware.yaml
+++ b/Yara-Rules/erebus-malware.yaml
@ -1,9 +1,9 @@
-id: malware_erebus
+id: erebus-malware
 info:
-  name: Erebus Malware Detector
+  name: Erebus Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
          - "EREBUS IS BEST."
--- a/Yara-Rules/ezcob-malware.yaml
+++ b/Yara-Rules/ezcob-malware.yaml
@ -1,9 +1,9 @@
-id: malware_ezcob
+id: ezcob-malware
 info:
-  name: Ezcob Malware Detector
+  name: Ezcob Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
  tags: malware,file
@ -13,9 +13,11 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
          - '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
          - 'Ezcob'
          - 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
          - '20110113144935'
        condition: or
--- a/Yara-Rules/fudcrypt-malware.yaml
+++ b/Yara-Rules/fudcrypt-malware.yaml
@ -1,9 +1,9 @@
-id: malware_fudcrypt
+id: fudcrypt-malware
 info:
-  name: FUDCrypt Malware Detector
+  name: FUDCrypt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/gigajew/FudCrypt/
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
@ -15,6 +15,7 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - 'OcYjzPUtJkNbLOABqYvNbvhZf'
          - 'gwiXxyIDDtoYzgMSRGMckRbJi'
--- a/Yara-Rules/gafgyt-bash-malware.yaml
+++ b/Yara-Rules/gafgyt-bash-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_bash
+id: gafgyt-bash-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'PONG!'
          - 'GETLOCALIP'
--- a/Yara-Rules/gafgyt-generic-malware.yaml
+++ b/Yara-Rules/gafgyt-generic-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_generic
+id: gafgyt-generic-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "/bin/busybox;echo -e 'gayfgt'"
          - '/proc/net/route'
--- a/Yara-Rules/gafgyt-hihi-malware.yaml
+++ b/Yara-Rules/gafgyt-hihi-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_hihi
+id: gafgyt-hihi-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'PING'
          - 'PONG'
--- a/Yara-Rules/gafgyt-hoho-malware.yaml
+++ b/Yara-Rules/gafgyt-hoho-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_hoho
+id: gafgyt-hoho-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'PING'
          - 'PRIVMSG'
--- a/Yara-Rules/gafgyt-jackmy-malware.yaml
+++ b/Yara-Rules/gafgyt-jackmy-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_jackmy
+id: gafgyt-jackmy-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'PING'
          - 'PONG'
--- a/Yara-Rules/gafgyt-oh-malware.yaml
+++ b/Yara-Rules/gafgyt-oh-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gafgyt_oh
+id: gafgyt-oh-malware
 info:
-  name: Gafgyt Malware Detector
+  name: Gafgyt Oh Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'busyboxterrorist'
          - 'BOGOMIPS'
--- a/Yara-Rules/genome-malware.yaml
+++ b/Yara-Rules/genome-malware.yaml
@ -1,9 +1,9 @@
-id: malware_genome
+id: genome-malware
 info:
-  name: Genome Malware Detector
+  name: Genome Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - 'Attempting to create more than one keyboard::Monitor instance'
          - '{Right windows}'
--- a/Yara-Rules/glass-malware.yaml
+++ b/Yara-Rules/glass-malware.yaml
@ -1,9 +1,9 @@
-id: malware_glass
+id: glass-malware
 info:
-  name: Glass Malware Detector
+  name: Glass Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "PostQuitMessage"
          - "pwlfnn10,gzg"
--- a/Yara-Rules/glasses-malware.yaml
+++ b/Yara-Rules/glasses-malware.yaml
@ -1,9 +1,9 @@
-id: malware_glasses
+id: glasses-malware
 info:
-  name: Glasses Malware Detector
+  name: Glasses Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
@ -15,14 +15,15 @@ file:
    matchers-condition: and
    matchers:
-      - type: word #GlassesStrings
+      - type: word
        part: raw
        words:
          - 'thequickbrownfxjmpsvalzydg'
          - 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
          - '" target="NewRef"></a>'
        condition: and
-      - type: binary #GlassesCode
+      - type: binary
        binary:
          - "B8ABAAAAAAF7E1D1EA8D04522BC8"
          - "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
--- a/Yara-Rules/gozi-malware.yaml
+++ b/Yara-Rules/gozi-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gozi
+id: gozi-malware
 info:
-  name: Gozi Malware Detector
+  name: Gozi Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
--- a/Yara-Rules/gpgqwerty-malware.yaml
+++ b/Yara-Rules/gpgqwerty-malware.yaml
@ -1,9 +1,9 @@
-id: malware_gpgqwerty
+id: gpgqwerty-malware
 info:
-  name: GPGQwerty Malware Detector
+  name: GPGQwerty Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "gpg.exe –recipient qwerty  -o"
          - "%s%s.%d.qwerty"
--- a/Yara-Rules/greame-malware.yaml
+++ b/Yara-Rules/greame-malware.yaml
@ -1,9 +1,9 @@
-id: malware_greame
+id: greame-malware
 info:
-  name: Greame Malware Detector
+  name: Greame Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "EditSvr"
          - "TLoader"
--- a/Yara-Rules/grozlex-malware.yaml
+++ b/Yara-Rules/grozlex-malware.yaml
@ -1,9 +1,9 @@
-id: malware_grozlex
+id: grozlex-malware
 info:
-  name: Grozlex Malware Detector
+  name: Grozlex Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
--- a/Yara-Rules/hawkeye-malware.yaml
+++ b/Yara-Rules/hawkeye-malware.yaml
@ -1,9 +1,9 @@
-id: malware_hawkeye
+id: hawkeye-malware
 info:
-  name: HawkEye Malware Detector
+  name: HawkEye Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "HawkEyeKeylogger"
          - "099u787978786"
--- a/Yara-Rules/imminent-malware.yaml
+++ b/Yara-Rules/imminent-malware.yaml
@ -1,9 +1,9 @@
-id: malware_imminent
+id: imminent-malware
 info:
-  name: Imminent Malware Detector
+  name: Imminent Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "DecodeProductKey"
          - "StartHTTPFlood"
@ -25,6 +26,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "<URL>k__BackingField"
          - "<RunHidden>k__BackingField"
--- a/Yara-Rules/infinity-malware.yaml
+++ b/Yara-Rules/infinity-malware.yaml
@ -1,9 +1,9 @@
-id: malware_infinity
+id: infinity-malware
 info:
-  name: Infinity Malware Detector
+  name: Infinity Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "CRYPTPROTECT_PROMPTSTRUCT"
          - "discomouse"
--- a/Yara-Rules/insta11-malware.yaml
+++ b/Yara-Rules/insta11-malware.yaml
@ -1,9 +1,9 @@
-id: malware_insta11
+id: insta11-malware
 info:
-  name: Insta11 Malware Detector
+  name: Insta11 Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - 'XTALKER7'
          - 'Insta11 Microsoft'
--- a/Yara-Rules/intel-virtualization-malware.yaml
+++ b/Yara-Rules/intel-virtualization-malware.yaml
@ -1,9 +1,9 @@
-id: malware_intel_virtualization
+id: intel-virtualization-malware
 info:
-  name: Intel Virtualization Malware Detector
+  name: Intel Virtualization Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
  tags: malware,file
@ -22,7 +22,7 @@ file:
          - '6863637574696C732E444C4C'
        condition: and
-      - type: binary # Dynamic dll (malicious)
+      - type: binary
        binary:
          - '483A5C466173745C506C756728686B636D64295C'
          - '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
--- a/Yara-Rules/iotreaper-malware.yaml
+++ b/Yara-Rules/iotreaper-malware.yaml
@ -1,9 +1,9 @@
-id: malware_iotreaper
+id: iotreaper-malware
 info:
-  name: IotReaper Malware Detector
+  name: IotReaper Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - 'XTALKER7'
          - 'Insta11 Microsoft'
--- a/Yara-Rules/linux-aesddos-malware.yaml
+++ b/Yara-Rules/linux-aesddos-malware.yaml
@ -1,9 +1,9 @@
-id: malware_linux_aesddos
+id: linux-aesddos-malware
 info:
-  name: Linux AESDDOS Malware Detector
+  name: Linux AESDDOS Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -16,18 +16,21 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "3AES"
          - "Hacker"
        condition: and
      - type: word
        part: raw
        words:
          - "3AES"
          - "VERSONEX"
        condition: and
      - type: word
        part: raw
        words:
          - "VERSONEX"
          - "Hacker"
--- a/Yara-Rules/linux-billgates-malware.yaml
+++ b/Yara-Rules/linux-billgates-malware.yaml
@ -1,9 +1,9 @@
-id: malware_linux_billgates
+id: linux-billgates-malware
 info:
-  name: Linux BillGates Malware Detector
+  name: Linux BillGates Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "12CUpdateGates"
          - "11CUpdateBill"
--- a/Yara-Rules/linux-elknot-malware.yaml
+++ b/Yara-Rules/linux-elknot-malware.yaml
@ -1,9 +1,9 @@
-id: malware_linux_elknot
+id: linux-elknot-malware
 info:
-  name: Linux Elknot Malware Detector
+  name: Linux Elknot Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "ZN8CUtility7DeCryptEPciPKci"
          - "ZN13CThreadAttack5StartEP11CCmdMessage"
--- a/Yara-Rules/linux-mrblack-malware.yaml
+++ b/Yara-Rules/linux-mrblack-malware.yaml
@ -1,9 +1,9 @@
-id: malware_linux_mrblack
+id: linux-mrblack-malware
 info:
-  name: Linux MrBlack Malware Detector
+  name: Linux MrBlack Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "Mr.Black"
          - "VERS0NEX:%s|%d|%d|%s"
--- a/Yara-Rules/linux-tsunami-malware.yaml
+++ b/Yara-Rules/linux-tsunami-malware.yaml
@ -1,9 +1,9 @@
-id: malware_linux_tsunami
+id: linux-tsunami-malware
 info:
-  name: Linux Tsunami Malware Detector
+  name: Linux Tsunami Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
    - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -15,6 +15,7 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - "PRIVMSG %s :[STD]Hitting %s"
          - "NOTICE %s :TSUNAMI <target> <secs>"
--- a/Yara-Rules/locky-malware.yaml
+++ b/Yara-Rules/locky-malware.yaml
@ -1,9 +1,9 @@
-id: malware_locky
+id: locky-malware
 info:
-  name: Locky Malware Detector
+  name: Locky Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
  tags: malware,file
--- a/Yara-Rules/lostdoor-malware.yaml
+++ b/Yara-Rules/lostdoor-malware.yaml
@ -1,9 +1,9 @@
-id: malware_lostdoor
+id: lostdoor-malware
 info:
-  name: LostDoor Malware Detector
+  name: LostDoor Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "*mlt* = %"
          - "*ip* = %"
--- a/Yara-Rules/luminositylink-malware.yaml
+++ b/Yara-Rules/luminositylink-malware.yaml
@ -1,9 +1,9 @@
-id: malware_luminositylink
+id: luminositylink-malware
 info:
-  name: LuminosityLink Malware Detector
+  name: LuminosityLink Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "SMARTLOGS"
          - "RUNPE"
--- a/Yara-Rules/luxnet-malware.yaml
+++ b/Yara-Rules/luxnet-malware.yaml
@ -1,9 +1,9 @@
-id: malware_luxnet
+id: luxnet-malware
 info:
-  name: LuxNet Malware Detector
+  name: LuxNet Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "GetHashCode"
          - "Activator"
--- a/Yara-Rules/macgyver-installer-malware.yaml
+++ b/Yara-Rules/macgyver-installer-malware.yaml
@ -1,9 +1,9 @@
-id: malware_macgyver_installer
+id: macgyver-installer-malware
 info:
-  name: MacGyver.cap Installer Malware Detector
+  name: MacGyver.cap Installer Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "delete -AID 315041592e5359532e4444463031"
          - "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
--- a/Yara-Rules/macgyver-malware.yaml
+++ b/Yara-Rules/macgyver-malware.yaml
@ -1,9 +1,9 @@
-id: malware_macgyver
+id: macgyver-malware
 info:
-  name: MacGyver.cap Malware Detector
+  name: MacGyver.cap Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "src/MacGyver/javacard/Header.cap"
          - "src/MacGyver/javacard/Directory.cap"
--- a/Yara-Rules/madness-malware.yaml
+++ b/Yara-Rules/madness-malware.yaml
@ -1,9 +1,9 @@
-id: malware_madness
+id: madness-malware
 info:
-  name: Madness DDOS Malware Detector
+  name: Madness DDOS Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - https://github.com/arbor/yara/blob/master/madness.yara
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
          - "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
--- a/Yara-Rules/miner--malware.yaml
+++ b/Yara-Rules/miner--malware.yaml
@ -1,9 +1,9 @@
-id: malware_miner
+id: miner-malware
 info:
-  name: Miner Malware Detector
+  name: Miner Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
  tags: malware,file
@ -13,6 +13,7 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - "stratum+tcp"
          - "stratum+udp"
--- a/Yara-Rules/miniasp3-malware.yaml
+++ b/Yara-Rules/miniasp3-malware.yaml
@ -1,9 +1,9 @@
-id: malware_miniasp3
+id: miniasp3-malware
 info:
-  name: MiniASP3 Malware Detector
+  name: MiniASP3 Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
@ -22,6 +23,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
@ -30,6 +32,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
@ -38,6 +41,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
@ -46,6 +50,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
--- a/Yara-Rules/naikon-malware.yaml
+++ b/Yara-Rules/naikon-malware.yaml
@ -1,9 +1,9 @@
-id: malware_naikon
+id: naikon-malware
 info:
-  name: Naikon Malware Detector
+  name: Naikon Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
  tags: malware,file
@ -21,6 +21,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "NOKIAN95/WEB"
          - "/tag=info&id=15"
--- a/Yara-Rules/naspyupdate-malware.yaml
+++ b/Yara-Rules/naspyupdate-malware.yaml
@ -1,9 +1,9 @@
-id: malware_naspyupdate
+id: naspyupdate-malware
 info:
-  name: nAspyUpdate Malware Detector
+  name: nAspyUpdate Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
  tags: malware,file
@ -18,6 +18,7 @@ file:
          - "8A5424148A0132C202C28801414E75F4"
      - type: word
        part: raw
        words:
          - "\\httpclient.txt"
          - "password <=14"
--- a/Yara-Rules/notepad-malware.yaml
+++ b/Yara-Rules/notepad-malware.yaml
@ -1,9 +1,9 @@
-id: malware_notepad
+id: notepad-malware
 info:
-  name: Notepad v1.1 Malware Detector
+  name: Notepad v1.1 Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
  tags: malware,file
@ -13,6 +13,7 @@ file:
    matchers:
      - type: word
        part: raw
        words:
          - "75BAA77C842BE168B0F66C42C7885997"
          - "B523F63566F407F3834BCC54AAA32524"
--- a/Yara-Rules/olyx-malware.yaml
+++ b/Yara-Rules/olyx-malware.yaml
@ -1,9 +1,9 @@
-id: malware_olyx
+id: olyx-malware
 info:
-  name: Olyx Malware Detector
+  name: Olyx Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "/Applications/Automator.app/Contents/MacOS/DockLight"
        condition: or
--- a/Yara-Rules/osx-leverage-malware.yaml
+++ b/Yara-Rules/osx-leverage-malware.yaml
@ -1,9 +1,9 @@
-id: malware_osx_leverage
+id: osx-leverage-malware
 info:
-  name: OSX Leverage Malware Detector
+  name: OSX Leverage Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
          - "+:Users:Shared:UserEvent.app:Contents:MacOS:"
--- a/Yara-Rules/paradox-malware.yaml
+++ b/Yara-Rules/paradox-malware.yaml
@ -1,9 +1,9 @@
-id: malware_paradox
+id: paradox-malware
 info:
-  name: Paradox Malware Detector
+  name: Paradox Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "ParadoxRAT"
          - "Form1"
--- a/Yara-Rules/plasma-malware.yaml
+++ b/Yara-Rules/plasma-malware.yaml
@ -1,9 +1,9 @@
-id: malware_plasma
+id: plasma-malware
 info:
-  name: Plasma Malware Detector
+  name: Plasma Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "Miner: Failed to Inject."
          - "Started GPU Mining on:"
--- a/Yara-Rules/poetrat-malware.yaml
+++ b/Yara-Rules/poetrat-malware.yaml
@ -1,9 +1,9 @@
-id: malware_poetrat
+id: poetrat-malware
 info:
-  name: PoetRat Malware Detector
+  name: PoetRat Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "launcher.py"
          - "smile.zip"
--- a/Yara-Rules/pony-malware.yaml
+++ b/Yara-Rules/pony-malware.yaml
@ -1,9 +1,9 @@
-id: malware_pony
+id: pony-malware
 info:
-  name: Pony Malware Detector
+  name: Pony Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
          - "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
--- a/Yara-Rules/pubsab-malware.yaml
+++ b/Yara-Rules/pubsab-malware.yaml
@ -1,9 +1,9 @@
-id: malware_pubsab
+id: pubsab-malware
 info:
-  name: PubSab Malware Detector
+  name: PubSab Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "_deamon_init"
          - "com.apple.PubSabAgent"
--- a/Yara-Rules/punisher-malware.yaml
+++ b/Yara-Rules/punisher-malware.yaml
@ -1,9 +1,9 @@
-id: malware_punisher
+id: punisher-malware
 info:
-  name: Punisher Malware Detector
+  name: Punisher Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "abccba"
          - "SpyTheSpy"
--- a/Yara-Rules/pypi-malware.yaml
+++ b/Yara-Rules/pypi-malware.yaml
@ -1,9 +1,9 @@
-id: malware_pypi
+id: pypi-malware
 info:
-  name: Fake PyPI Malware Detector
+  name: Fake PyPI Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference:
    - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
    - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
@ -13,9 +13,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "# Welcome Here! :)"
          - "# just toy, no harm :)"
--- a/Yara-Rules/pythorat-malware.yaml
+++ b/Yara-Rules/pythorat-malware.yaml
@ -1,9 +1,9 @@
-id: malware_pythorat
+id: pythorat-malware
 info:
-  name: PythoRAT Malware Detector
+  name: PythoRAT Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -11,9 +11,9 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "TKeylogger"
          - "uFileTransfer"
--- a/Yara-Rules/qrat-malware.yaml
+++ b/Yara-Rules/qrat-malware.yaml
@ -1,9 +1,9 @@
-id: malware_qrat
+id: qrat-malware
 info:
-  name: QRat Malware Detector
+  name: QRat Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "quaverse/crypter"
          - "Qrypt.class"
@ -22,6 +23,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "e-data"
          - "Qrypt.class"
@ -38,6 +40,7 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "e-data"
          - "quaverse/crypter"
--- a/Yara-Rules/satana-dropper-malware.yaml
+++ b/Yara-Rules/satana-dropper-malware.yaml
@ -1,9 +1,9 @@
-id: malware_satana_dropper
+id: satana-dropper-malware
 info:
-  name: Satana Dropper Malware Detector
+  name: Satana Dropper Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
  tags: malware,file
@ -11,9 +11,8 @@ file:
  - extensions:
      - all
    matchers-condition: and
    matchers:
-      - type: binary #Dropper
+      - type: binary
        binary:
          - "25732D547279457863657074"
          - "643A5C6C626574776D77795C75696A657571706C667775622E706462"
--- a/Yara-Rules/satana-malware.yaml
+++ b/Yara-Rules/satana-malware.yaml
@ -1,9 +1,9 @@
-id: malware_satana
+id: satana-malware
 info:
-  name: Satana Malware Detector
+  name: Satana Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
  tags: malware,file
--- a/Yara-Rules/shimrat-malware.yaml
+++ b/Yara-Rules/shimrat-malware.yaml
@ -1,9 +1,9 @@
-id: malware_shimrat
+id: shimrat-malware
 info:
-  name: ShimRat Malware Detector
+  name: ShimRat Malware - Detect
  author: daffainfo
-  severity: critical
+  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
  tags: malware,file
@ -14,6 +14,7 @@ file:
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - ".dll"
          - ".dat"
@ -22,12 +23,14 @@ file:
        condition: and
      - type: word
        part: raw
        words:
          - "Data$$00"
          - "Data$$01%c%sData"
        condition: and
      - type: word
        part: raw
        words:
          - "ping localhost -n 9 /c %s > nul"
          - "Demo"
--- a/Show More
+++ b/Show More