From 174f781080123b4bf494600b6f6a5c054719e422 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Fri, 18 Sep 2020 10:27:30 +0200
Subject: [PATCH] Added YARA rule for Gentee Installer

---
 support/yara_patterns/tools/pe/x86/installers.yara | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 9efbb48cc..3c03ef97f 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -78,6 +78,20 @@ rule fly_studio {
 pe.overlay.offset == filesize - uint32(pe.overlay.offset + pe.overlay.size - 8) - 0x08
 }
 
+rule gentee_installer {
+ meta:
+ tool = "I"
+ name = "GenteeInstaller"
+ strings:
+ $s01 = "Gentee installer"
+ condition:
+ pe.overlay.size > 16 and
+ uint32(0x3F0) == pe.overlay.offset and
+ (uint32(0x3F4) + uint32(0x3F8)) <= pe.overlay.size and
+ (uint32(pe.overlay.offset) == uint32(0x3F8)) and
+ $s01 at pe.sections[2].raw_data_offset
+}
+
 rule kgb_sfx {
 meta:
 tool = "I"
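Review bot: The last term of the new condition, `$s01 at pe.sections[2].raw_data_offset`, indexes the third section without first checking `pe.number_of_sections`, and the three fixed-offset reads at 0x3F0/0x3F4/0x3F8 carry no comment on the header layout they assume. YARA evaluates an out-of-range `pe.sections[]` access as undefined, so the rule simply fails to match on a two-section PE, but the intent is clearer if the guard is explicit: make `pe.number_of_sections > 2 and` the first term of the condition. A one-line comment above the `uint32(0x3F0)` term would also help the next maintainer, e.g. `// Gentee header at 0x3F0: overlay offset, then two lengths at 0x3F4/0x3F8 (the second is repeated as the first dword of the overlay) -- confirm against a sample`, since the meaning of those fields is only implied by the comparisons against pe.overlay. The surrounding `rule fly_studio` and `rule kgb_sfx` bodies start and end outside the hunk.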