Mirrors/cert-orangecyberdefense-cti
1
0
Fork 0
mirror of https://github.com/cert-orangecyberdefense/cti synced 2026-06-11 07:51:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create yara emmenhtalv3

Browse Source
This commit is contained in:
Mar-Pic
2025-03-14 09:09:43 +01:00
committed by GitHub
parent 60cf82992f
commit 2825aeefeb
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
emmenhtal/yara emmenhtalv3
+23
View File
@@ -0,0 +1,23 @@
rule Windows_Trojan_Emmenhtal_3 : malware {
meta:
description = "Emmenhtal v3, March 2025 version"
researcher = "Alexandre MATOUSEK"
source = "OCD"
creation_date = "09/03/2025"
os = "Windows"
category = "Trojan"
product = "p2a, mfd"
threat_name = "Windows.Trojan.Emmenhtal"
samples = "None"
strings:
$ = "<script>window.moveTo("
$ = "<script>window.onerror = function(){return true}</script>"
$ = /= '[0-9A-Fa-f]{2}[a-zA-Z]{1}([0-9A-Fa-f]{2}[a-zA-Z]{1}){99,}/
$ = "<script>window.close()</script>"
$ = "<script>eval("
$ = ".replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}))</script>"
condition:
all of them
}