From f8653616ec218c7e7adb7a387f5448ac2c1fe9fc Mon Sep 17 00:00:00 2001
From: Mar-Pic <marpic268@gmail.com>
Date: Tue, 18 Feb 2025 15:58:00 +0100
Subject: [PATCH] Create yara emmenhtalv2

---
 emmenhtal/yara emmenhtalv2 | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 emmenhtal/yara emmenhtalv2

diff --git a/emmenhtal/yara emmenhtalv2 b/emmenhtal/yara emmenhtalv2
new file mode 100644
index 0000000..d85aaae
--- /dev/null
+++ b/emmenhtal/yara emmenhtalv2	
@@ -0,0 +1,19 @@
+rule Windows_Trojan_Emmenhtalv2 : malware {
+    meta:
+        description = "Emmenhtal new version, data stage"
+        researcher = "Alexandre MATOUSEK"
+        source = "OCD"
+        creation_date = "18/12/2024"
+        os = "Windows"
+        category = "Trojan"
+        threat_name = "Windows.Trojan.Emmenhtal"
+    strings:
+        $ = "<script>window.moveTo(9999,0)</script>"
+        $ = "<script>window.onerror = function(){return true}</script>"
+        $ = " = document.documentElement.outerHTML;</script>"
+        $ = "<script>window.close()</script>"
+        $ = "<script>eval("
+        $ = ".replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}))</script>"
+    condition:
+        all of them
+}