From c310617cc87681681daefe14975f44ccd627a8cd Mon Sep 17 00:00:00 2001
From: Dadda97 <40720349+Dadda97@users.noreply.github.com>
Date: Mon, 26 Jul 2021 17:39:55 +0200
Subject: [PATCH] Modified Visual Basic's Yara rule
---
 .../yara_patterns/tools/pe/x86/compilers.yara | 79 ++-----------------
 1 file changed, 6 insertions(+), 73 deletions(-)
diff --git a/support/yara_patterns/tools/pe/x86/compilers.yara b/support/yara_patterns/tools/pe/x86/compilers.yara
index 2bdf74030..cc8d0f37e 100644
--- a/support/yara_patterns/tools/pe/x86/compilers.yara
+++ b/support/yara_patterns/tools/pe/x86/compilers.yara
@@ -1951,89 +1951,22 @@ rule ms_fortran {
 $1 at pe.entry_point
 }
 
-rule ms_visual_basic_50_60_01 {
- meta:
- tool = "C"
- name = "Microsoft Visual Basic"
- version = "5.0 - 6.0"
- pattern = "68????????E8????????00000000000030000000"
- strings:
- $1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 30 00 00 00 }
- condition:
- $1 at pe.entry_point
-}
-
-rule ms_visual_basic_50_60_02 {
- meta:
- tool = "C"
- name = "Microsoft Visual Basic"
- version = "5.0 - 6.0"
- pattern = "FF25????????????68????????E8??FFFFFF"
- strings:
- $1 = { FF 25 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? FF FF FF }
- condition:
- $1 at pe.entry_point
-}
-
-rule ms_visual_basic_50_01 {
- meta:
- tool = "C"
- name = "Microsoft Visual Basic"
- version = "5.0"
- pattern = "FFFFFF0000000000003000000040000000000000"
- start = 7
- strings:
- $1 = { FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 }
- condition:
- $1 at pe.entry_point + 7
-}
-
-rule ms_visual_basic_50_02 {
- meta:
- tool = "C"
- name = "Microsoft Visual Basic"
- version = "5.0"
- pattern = "FFFFFF0000000000003000000040000000000000"
- strings:
- $1 = { FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 }
- condition:
- $1 at pe.entry_point
-}
-
-rule ms_visual_basic_60_01 {
- meta:
- tool = "C"
- name = "Microsoft Visual Basic"
- version = "6.0"
- pattern = "5A68????????68????????52E9????FF"
- strings:
- $1 = { 5A 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E9 ?? ?? FF }
- condition:
- $1 at pe.entry_point
-}
-
-rule ms_visual_basic_60_02 {
+rule ms_visual_basic_60 {
 meta:
 tool = "C"
 name = "Microsoft Visual Basic"
 version = "6.0"
- pattern = "5A68????????68????????52E9????????000000??00000030000000??000000??000000"
- strings:
- $1 = { 5A 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E9 ?? ?? ?? ?? 00 00 00 ?? 00 00 00 30 00 00 00 ?? 00 00 00 ?? 00 00 00 }
- condition:
- $1 at pe.entry_point
+ condition:
+ pe.imports("msvbvm60.dll", 100) or pe.imports("msvbvm60.dll", "ThunRTMain")
 }
 
-rule ms_visual_basic_60_03 {
+rule ms_visual_basic_50 {
 meta:
 tool = "C"
 name = "Microsoft Visual Basic"
- version = "6.0"
- pattern = "FF25????????68????????E8??FFFFFF????????????30"
- strings:
- $1 = { FF 25 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? FF FF FF ?? ?? ?? ?? ?? ?? 30 }
+ version = "5.0"
 condition:
- $1 at pe.entry_point
+ pe.imports("msvbvm50.dll", 100) or pe.imports("msvbvm50.dll", "ThunRTMain")
 }
 
 rule dotnet_01 {
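Review bot: The rewritten conditions of `ms_visual_basic_60` and `ms_visual_basic_50` rely solely on the import table, so any PE whose imports reference msvbvm60.dll or msvbvm50.dll (a loader or dropper that merely links the VB runtime, or a non-VB binary) is now reported as Visual Basic, while the entry-point signatures that anchored the old rules to actual VB startup code are deleted rather than kept as an alternative. If the broadening is intended, state it in the rule, e.g. `// matches on the VB runtime import only; not anchored to pe.entry_point`; otherwise consider keeping one of the removed `$1 at pe.entry_point` patterns OR-ed with the import check. The `pattern` meta field carried by the neighbouring rules is also dropped from these two, so if any consumer of this file reads that field they will now behave differently from the rest. Whether `pe.imports` compares the DLL name case-insensitively and accepts the integer-ordinal form depends on the YARA version the project bundles; confirm both against samples that import `MSVBVM60.DLL` in upper case and by ordinal only.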