Merge pull request #868 from avast/LZ_Installer_Viseman
Added YARA rule for VISEMAN installer
s3rvac authored Oct 14, 2020
2 parents ab54a03 + 467a82a commit c3df2c4
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions support/yara_patterns/tools/pe/x86/installers.yara
Expand Up @@ -642,6 +642,16 @@ rule thinstall_3348_3350_vs {
$1 at pe.entry_point
}

rule viseman {
meta:
tool = "I"
name = "Viseman Installer"
condition:
pe.overlay.offset != 0 and
pe.overlay.size > 4 and
uint32(pe.overlay.offset) == 0x56495345 // Reversed "VISE"
}

rule wise_installer_uv_01 {
meta:
tool = "I"
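Review bot: The condition of `rule viseman` identifies the installer by nothing more than a four-byte marker at the start of the overlay, so any PE whose overlay happens to begin with the bytes `ESIV` will be reported as this tool; that limitation is worth stating in the rule, e.g. a comment above the condition `// Magic-only check: matches on the 4-byte overlay marker alone, no further structure is verified`. The endianness is also easy to misread: `uint32()` reads little-endian, so `0x56495345` corresponds to the on-disk bytes `45 53 49 56` (`ESIV`), which is what `// Reversed "VISE"` is trying to say. Writing the comparison as `uint32be(pe.overlay.offset) == 0x45534956 // "ESIV" overlay magic` would state the file bytes directly, assuming the YARA build used by the project provides the big-endian integer accessors. The `pe.overlay.size > 4` guard already keeps the read inside the overlay, so no change is needed there.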
