From 876c01767262210469c0fcca4c89fb8f76401e19 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Wed, 16 Sep 2020 18:17:19 +0200
Subject: [PATCH] Added YARA rule for CreateInstall installer

---
 .../yara_patterns/tools/pe/x86/installers.yara | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 32ce91e2c..3098f6fba 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -51,6 +51,21 @@ rule astrum_uv_02 {
         $1 and astrum_strings
 }
 
+rule create_install {
+    meta:
+        tool = "I"
+        name = "CreateInstall"
+    strings:
+        $s01 = "Gentee Launcher"
+    condition:
+        pe.sections[pe.number_of_sections - 2].name == ".gentee" and
+        pe.overlay.size != 0 and
+        pe.resources[pe.number_of_resources-1].type == pe.RESOURCE_TYPE_MANIFEST and
+        pe.resources[pe.number_of_resources-2].name_string == "S\x00E\x00T\x00U\x00P\x00_\x00I\x00C\x00O\x00N\x00" and // "SETUP_ICON"
+        pe.resources[pe.number_of_resources-3].name_string == "S\x00E\x00T\x00U\x00P\x00_\x00T\x00E\x00M\x00P\x00" and // "SETUP_TEMP"
+        all of them
+}
+
 rule kgb_sfx {
     meta:
         tool = "I"
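Review bot: The condition of the new create_install rule indexes `pe.sections[pe.number_of_sections - 2]` and `pe.resources[pe.number_of_resources-1]` through `-3` without first checking that enough sections and resources exist, so it relies on YARA evaluating an out-of-range (possibly negative) index to undefined to make the match fail on small or unusual PE files. An explicit guard at the head of the condition states that intent and keeps the rule self-documenting: `pe.number_of_sections >= 2 and pe.number_of_resources >= 3 and`. The checks on the last three resources are positional, so presumably an installer build that appends one more resource (a re-signed or re-branded launcher, for example) would stop matching; if the order is not guaranteed by the CreateInstall toolchain, iterating `pe.resources` by `name_string` with a `for any` loop would be more robust, at the cost of some precision. With a single declared string, `all of them` reads more clearly as `$s01`, matching how the neighbouring rules reference their patterns.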