Added RICH IDs for VS2019 Update 5.

Unicode domains are now correctly found in binaries.
JusticeRage · Mar 17, 2020 · 0e724b3 · 0e724b3
1 parent 9fa4e88
commit 0e724b3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/bin/yara_rules/domains.yara b/bin/yara_rules/domains.yara
@@ -22,13 +22,13 @@ rule Domains_URLs
         description = "Contains domain names"
         author = "Sergey Mineev"
     strings:
-        $domain1 = /www\.[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[a-zA-Z]{2,}$/
-        $domain2 = /[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword
-        $domain3 = /(https?|ftp):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-]*[\w\-])?/
-        $domain4 = /(ht|f)tps?\:\/\/[a-zA-Z0-9\-\._]+(\.[a-zA-Z0-9\-\._]+){2,}(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)/
-        $domain5 = /https?\:\/\/www.[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}/ fullword
-        $domain6 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.((com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us))/ fullword
-        $domain7 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword
+        $domain1 = /www\.[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[a-zA-Z]{2,}$/ wide ascii
+        $domain2 = /[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword wide ascii
+        $domain3 = /(https?|ftp):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-]*[\w\-])?/ wide ascii
+        $domain4 = /(ht|f)tps?\:\/\/[a-zA-Z0-9\-\._]+(\.[a-zA-Z0-9\-\._]+){2,}(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&%\$#_]*)/ wide ascii
+        $domain5 = /https?\:\/\/www.[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}/ fullword wide ascii
+        $domain6 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.((com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us))/ fullword wide ascii
+        $domain7 = /[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]+\.[a-zA-Z0-9\-\.]{5,}\.(com|org|net|de|uk|fr|ru|info|top|xyz|tk|cn|br|jp|it|ir|nl|ca|au|es|ch|gov|edu|se|us)/ fullword wide ascii
     condition:
 		// Calling C++ code in Manalyze takes care of filtering results in the authenticode signature or RT_MANIFEST resource.
 		// This is needed because Yara reports all matching strings if the condition evaluates to "true", even if some of the strings

diff --git a/manape/nt_values.cpp b/manape/nt_values.cpp
@@ -679,11 +679,13 @@ const flag_dict COMP_ID_PRODID =
                                 ("VS 2015/2017/2019 runtime 27821",            0x6CAD)
                                 ("VS2019 Update 2 (16.2) compiler 27905",      0x6D01)
                                 ("VS2019 Update 3 (16.3) compiler 28107",      0x6DCB)
-                                ("VS 2015/2017/2019 runtime 28127",            0x6DDF)
-                                ("VS2019 Update 4 (16.4.?) compiler 28117",    0x6DD5)
+                                ("VS 2015/2017/2019 runtime 28117",            0x6DD5)
                                 ("VS2019 Update 4 (16.4.0-2) compiler 28314",  0x6E9A)
                                 ("VS2019 Update 4 (16.4.3) compiler 28315",    0x6E9B)
                                 ("VS2019 Update 4 (16.4.4-5) compiler 28316",  0x6E9C)
+                                ("VS2019 Update 4 (16.4.6) compiler 28319",    0x6E9F)
+                                ("VS 2015/2017/2019 runtime 28427",            0x6F0B)
+                                ("VS2019 Update 5 (16.5.0) compiler 28610",    0x6FC2)
     ;
 
 // ----------------------------------------------------------------------------