From 0a1f03bf538856fe0d8feb67eb810cbf8f9c8c1d Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Thu, 17 Sep 2020 15:55:22 +0200
Subject: [PATCH] Added YARA rules for FlyStudio installer

---
 support/yara_patterns/tools/pe/x86/installers.yara | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 3098f6fba..9efbb48cc 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -66,6 +66,18 @@ rule create_install {
 		all of them
 }
 
+rule fly_studio {
+	meta:
+		tool = "I"
+		name = "FlyStudio"
+	condition:
+		pe.overlay.size > 16 and
+		uint32(pe.overlay.offset) == 0x829ab7a5 and
+		uint32(pe.overlay.offset + 4) == 0x04 and
+		uint32(pe.overlay.offset + pe.overlay.size - 4) == 0x829ab7a5 and
+		pe.overlay.offset == filesize - uint32(pe.overlay.offset + pe.overlay.size - 8) - 0x08
+}
+
 rule kgb_sfx {
 	meta:
 		tool = "I"
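Review bot: The new fly_studio rule's condition encodes a specific overlay layout (a 32-bit marker 0x829ab7a5 at the overlay start and again at its end, a 0x04 word after the leading marker, and a length word 8 bytes before the end that must place the overlay at `filesize - length - 8`) but nothing in the rule says so, which makes the five-term condition hard to maintain or to re-verify against a fresh sample. A short comment above the condition, e.g. `// overlay: marker, u32 0x04, ..., u32 payload length, marker; the length word must put the overlay at filesize - length - 8`, would document that layout without changing the match. The leading `pe.overlay.size > 16` term does keep the later `uint32(...)` reads inside the overlay because YARA evaluates `and` left to right, so the ordering of the terms should be preserved if the condition is ever reworked; a comment noting that dependency would help too. The rule also depends on the `pe` module being imported at the top of installers.yara, which is outside this hunk and presumably already the case given the neighbouring rules.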