Merge pull request #855 from avast/LZ_Installers_GenteeInstaller

Added YARA rule for Gentee Installer
avast · Sep 21, 2020 · ee8f4dd · ee8f4dd
2 parents 694b836 + 174f781
commit ee8f4dd
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -78,6 +78,20 @@ rule fly_studio {
 		pe.overlay.offset == filesize - uint32(pe.overlay.offset + pe.overlay.size - 8) - 0x08
 }
 
+rule gentee_installer {
+	meta:
+		tool = "I"
+		name = "GenteeInstaller"
+	strings:
+		$s01 = "Gentee installer"
+	condition:
+		pe.overlay.size > 16 and
+		uint32(0x3F0) == pe.overlay.offset and
+		(uint32(0x3F4) + uint32(0x3F8)) <= pe.overlay.size and
+		(uint32(pe.overlay.offset) == uint32(0x3F8)) and
+		$s01 at pe.sections[2].raw_data_offset
+}
+
 rule kgb_sfx {
 	meta:
 		tool = "I"