Merge pull request #853 from avast/LZ_Installers_FlyStudio

Added YARA rules for FlyStudio installer
avast · Sep 18, 2020 · 5a455d7 · 5a455d7
2 parents f3cbd33 + 0a1f03b
commit 5a455d7
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -66,6 +66,18 @@ rule create_install {
 		all of them
 }
 
+rule fly_studio {
+	meta:
+		tool = "I"
+		name = "FlyStudio"
+	condition:
+		pe.overlay.size > 16 and
+		uint32(pe.overlay.offset) == 0x829ab7a5 and
+		uint32(pe.overlay.offset + 4) == 0x04 and
+		uint32(pe.overlay.offset + pe.overlay.size - 4) == 0x829ab7a5 and
+		pe.overlay.offset == filesize - uint32(pe.overlay.offset + pe.overlay.size - 8) - 0x08
+}
+
 rule kgb_sfx {
 	meta:
 		tool = "I"