Merge pull request Yara-Rules#426 from KatsuragiCSL/master

Added rule for executables created by pyinstaller on OSX

index.yar

@@ -274,6 +274,7 @@ include "./malware/MALW_PubSab.yar"
 include "./malware/MALW_PurpleWave.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
+include "./malware/MALW_Pyinstaller_OSX.yar"
 include "./malware/MALW_Quarian.yar"
 include "./malware/MALW_Rebirth_Vulcan_ELF.yar"
 include "./malware/MALW_Regsubdat.yar"

malware/MALW_Pyinstaller_OSX.yar

@@ -0,0 +1,15 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule MachO_File_pyinstaller
+{
+    meta:
+        author = "KatsuragiCSL (https://katsuragicsl.github.io)"
+        description = "Detect Mach-O file produced by pyinstaller"
+    strings:
+        $a = "pyi-runtime-tmpdir"
+        $b = "pyi-bootloader-ignore-signals"
+    condition:
+        any of them
+}

malware_index.yar

@@ -215,6 +215,7 @@ include "./malware/MALW_PubSab.yar"
 include "./malware/MALW_PurpleWave.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
+include "./malware/MALW_Pyinstaller_OSX.yar"
 include "./malware/MALW_Quarian.yar"
 include "./malware/MALW_Rebirth_Vulcan_ELF.yar"
 include "./malware/MALW_Regsubdat.yar"