From 467a82a82f5428203ee8a9a73df53270b314f9ef Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Tue, 13 Oct 2020 16:39:01 +0200
Subject: [PATCH] Added YARA rule for VISEMAN installer

---
 support/yara_patterns/tools/pe/x86/installers.yara | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 27ba2e89b..8721a2a48 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -642,6 +642,16 @@ rule thinstall_3348_3350_vs {
 $1 at pe.entry_point
 }
 
+rule viseman {
+ meta:
+ tool = "I"
+ name = "Viseman Installer"
+ condition:
+ pe.overlay.offset != 0 and
+ pe.overlay.size > 4 and
+ uint32(pe.overlay.offset) == 0x56495345 // Reversed "VISE"
+}
+
 rule wise_installer_uv_01 {
 meta:
 tool = "I"
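Review bot: The comment `// Reversed "VISE"` on the last condition line does not say whether the reversal is the on-disk byte order or an artifact of the read; YARA's uint32() is little-endian, so 0x56495345 matches the bytes 45 53 49 56, meaning the overlay literally begins with "ESIV". Spelling that out keeps a later maintainer from "correcting" the constant to 0x45534956: `uint32(pe.overlay.offset) == 0x56495345 // overlay starts with bytes "ESIV" (little-endian read; reversed "VISE")`. A four-byte magic at the overlay start is a thin discriminator on its own, so a short meta note on why no further marker is checked would help readers judge the false-positive risk of this rule. The `pe.overlay.size > 4` guard reads as a bounds check for the four-byte read; if that is its only purpose `>= 4` is the exact bound, though a stricter minimum may be intentional and is worth a comment either way.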