From 2825aeefeb959d6acf8793edebe918914bfb7243 Mon Sep 17 00:00:00 2001
From: Mar-Pic <marpic268@gmail.com>
Date: Fri, 14 Mar 2025 09:09:43 +0100
Subject: [PATCH] Create yara emmenhtalv3

---
 emmenhtal/yara emmenhtalv3 | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 emmenhtal/yara emmenhtalv3

diff --git a/emmenhtal/yara emmenhtalv3 b/emmenhtal/yara emmenhtalv3
new file mode 100644
index 0000000..9e3b12c
--- /dev/null
+++ b/emmenhtal/yara emmenhtalv3	
@@ -0,0 +1,23 @@
+ rule Windows_Trojan_Emmenhtal_3 : malware {
+    meta:
+        description = "Emmenhtal v3, March 2025 version"
+        researcher = "Alexandre MATOUSEK"
+        source = "OCD"
+        creation_date = "09/03/2025"
+        os = "Windows"
+        category = "Trojan"
+        product = "p2a, mfd"
+        threat_name = "Windows.Trojan.Emmenhtal"
+        samples = "None"
+    strings:
+        $ = "<script>window.moveTo("
+        $ = "<script>window.onerror = function(){return true}</script>"
+        $ = /= '[0-9A-Fa-f]{2}[a-zA-Z]{1}([0-9A-Fa-f]{2}[a-zA-Z]{1}){99,}/
+        $ = "<script>window.close()</script>"
+        $ = "<script>eval("
+        $ = ".replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}))</script>"
+    condition:
+        all of them
+}
+ 
+