From 86de9de4abe912a9114d7f6560fa43340d8baf90 Mon Sep 17 00:00:00 2001
From: Mar-Pic <marpic268@gmail.com>
Date: Tue, 18 Feb 2025 15:58:19 +0100
Subject: [PATCH] Create yara emmenhtal

---
 emmenhtal/yara emmenhtal | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 emmenhtal/yara emmenhtal

diff --git a/emmenhtal/yara emmenhtal b/emmenhtal/yara emmenhtal
new file mode 100644
index 0000000..9d15b5b
--- /dev/null
+++ b/emmenhtal/yara emmenhtal	
@@ -0,0 +1,10 @@
+rule EmmenHTAl : malware {
+    strings:
+        $s1 = " = String.fromCharCode("
+        $s2 = ";var "
+        $s3 = "eval("
+        $s4 = "</script>"
+        $s5 = "<HTA:APPLICATION CAPTION = \"no\" WINDOWSTATE = \"minimize\" SHOWINTASKBAR = \"no\" >"
+    condition:
+        all of them
+}