Merge pull request #868 from avast/LZ_Installer_Viseman

Added YARA rule for VISEMAN installer
2025-02-25 16:21:01 +00:00 · 2020-10-14 07:25:42 +02:00 · 2020-10-14 07:25:42 +02:00 · c3df2c4806
commit c3df2c4806
parent ab54a03e97 467a82a82f
1 changed files with 10 additions and 0 deletions
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@ -642,6 +642,16 @@ rule thinstall_3348_3350_vs {
 		$1 at pe.entry_point
 }

+rule viseman {
+	meta:
+		tool = "I"
+		name = "Viseman Installer"
+	condition:
+		pe.overlay.offset != 0 and
+		pe.overlay.size > 4 and
+		uint32(pe.overlay.offset) == 0x56495345     // Reversed "VISE"
+}
+
 rule wise_installer_uv_01 {
 	meta:
 		tool = "I"