YARAhub

You are currently viewing the YARAhub entry of the YARA rule MALWARE_Emotet_OneNote_Delivery_js_Mar23. Depending on the TLP classification of this YARA rule chosen by the author, further information about this YARA rule is available below.

YARA Rule Details: MALWARE_Emotet_OneNote_Delivery_js_Mar23

Rule name: MALWARE_Emotet_OneNote_Delivery_js_Mar23
Author: SECUINFRA Falcon Team (@SI_FalconTeam) - @SI_FalconTeam
Description: Detects Microsoft OneNote files used to deliver Emotet (.js Payload)
Reference MD5: b951629aedffbabc180ee80f9725f024
Likes: 1
Reference Link: n/a
Malpedia Family: n/a
Date added: 2023-03-17
Rule Matching TLP: TLP:WHITE
Rule Sharing TLP: TLP:WHITE
License: https://creativecommons.org/licenses/by/4.0/
UUID: eea31d8d-30cb-4210-a054-aa77ad18fd00
Static hits: 2
Unpacker hits: 0

YARA Rule Content

The content of the YARA rule is shown below.

rule MALWARE_Emotet_OneNote_Delivery_js_Mar23
{
	meta:
		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
		description = "Detects Microsoft OneNote files used to deliver Emotet (.js Payload)"
		reference = "https://twitter.com/bomccss/status/1636746149855121411"
		date = "2023-03-17"
		tlp = "CLEAR"
		hash = "a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968"
		yarahub_reference_md5 = "b951629aedffbabc180ee80f9725f024"
		yarahub_uuid = "eea31d8d-30cb-4210-a054-aa77ad18fd00"
		yarahub_license = "CC BY 4.0"
		yarahub_rule_matching_tlp = "TLP:WHITE"
		yarahub_rule_sharing_tlp = "TLP:WHITE"
		yarahub_author_twitter = "@SI_FalconTeam"

	strings:
		// Lure specific strings (text shown in the OneNote page and the dropped script name)
		$s_headline = "Connect to the cloud" wide
		$s_attachment = "This document contains attachments from the cloud" wide
		$s_receive = "to receive them, double click \"Next\"" wide
		$s_imgFileName = "NOTE4_WHITE_1.bmp" wide
		$s_path = "C:\\Autoruns\\" wide
		$s_output = "output1.js"

		// Javascript keywords
		$js1 = "function" ascii
		$js2 = ".replace(\"" ascii

		// Lure contains 3 PNGs and the Javascript code
		// (GUID marking an embedded file object in the OneNote section; one per embedded file)
		$GUID = {E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC}

	condition:
		// OneNote section file header (first four bytes, read big-endian)
		uint32be(0x0) == 0xE4525C7B
		and 3 of ($s_*)
		and any of ($js*)
		and #GUID == 4
}

YARA Rule Matches

The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches