Merge pull request avast#852 from avast/LZ_Installers

Added YARA rule for CreateInstall installer
dptug · Sep 17, 2020 · c59b304 · c59b304
2 parents 126483c + 876c017
commit c59b304
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -51,6 +51,21 @@ rule astrum_uv_02 {
 		$1 and astrum_strings
 }
 
+rule create_install {
+	meta:
+		tool = "I"
+		name = "CreateInstall"
+	strings:
+		$s01 = "Gentee Launcher"
+	condition:
+		pe.sections[pe.number_of_sections - 2].name == ".gentee" and
+		pe.overlay.size != 0 and
+		pe.resources[pe.number_of_resources-1].type == pe.RESOURCE_TYPE_MANIFEST and
+		pe.resources[pe.number_of_resources-2].name_string == "S\x00E\x00T\x00U\x00P\x00_\x00I\x00C\x00O\x00N\x00" and   // "SETUP_ICON"
+		pe.resources[pe.number_of_resources-3].name_string == "S\x00E\x00T\x00U\x00P\x00_\x00T\x00E\x00M\x00P\x00" and   // "SETUP_TEMP"
+		all of them
+}
+
 rule kgb_sfx {
 	meta:
 		tool = "I"