
YARAhub

You are currently viewing the YARAhub entry of the YARA rule MALWARE_Emotet_OneNote_Delivery_wsf_Mar23. Depending on the TLP classification of this YARA rule chosen by the author, further information about this YARA rule is available below.

YARA Rule Details: MALWARE_Emotet_OneNote_Delivery_wsf_Mar23


Rule name: MALWARE_Emotet_OneNote_Delivery_wsf_Mar23
Author: SECUINFRA Falcon Team (@SI_FalconTeam) - @SI_FalconTeam
Description: Detects Microsoft OneNote files used to deliver Emotet (.wsf Payload)
Reference MD5: f2fb54c7c909191ae10e34e50766a118
Likes: 2
Reference Link: n/a
Malpedia Family: n/a
Date added: 2023-03-16
Rule Matching TLP: TLP:WHITE
Rule Sharing TLP: TLP:WHITE
License: https://creativecommons.org/licenses/by/4.0/
UUID: 9e69e45b-f0b0-423f-ad66-9900851e662f
Static hits: 40
Unpacker hits: 0

YARA Rule Content


The content of the YARA rule is shown below.

rule MALWARE_Emotet_OneNote_Delivery_wsf_Mar23
{
	meta:
		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
		description = "Detects Microsoft OneNote files used to deliver Emotet (.wsf Payload)"
		reference = "https://www.secuinfra.com/en/news/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns/"
		date = "2023-03-16"
		tlp = "CLEAR"
		hash0 = "dd9fcdcaf5c26fc27863c86aa65948924f23ab9faa261562cbc9d65ac80d33d4"
		hash1 = "ca2234b9c6f7c453b91a1ca10fc7b05487f94850be7ac5ea42986347d93772d8"
		hash2 = "b75681c1f99c4caf541478cc417ee9e8fba48f9b902c45d8bda0158a61ba1a2f"
		hash3 = "7c4591fd03b73ba6d0ec71a3cf89a04bfb4bd240d359117d96834a83727bdcc2"
		yarahub_reference_md5 = "f2fb54c7c909191ae10e34e50766a118"
		yarahub_uuid = "9e69e45b-f0b0-423f-ad66-9900851e662f"
		yarahub_license = "CC BY 4.0"
		yarahub_rule_matching_tlp = "TLP:WHITE"
		yarahub_rule_sharing_tlp = "TLP:WHITE"
		yarahub_author_twitter = "@SI_FalconTeam"

	strings:

		$s_protected = "This document is protected" wide
		$s_click = "You have to double-click \"View\" button to open" wide
		$s_imgFileName = "Untitled picture.jpg" wide

		$script = "language=\"VBScript\""
		$wsfExt = ".wsf" ascii wide

		$GUIDwsf = {E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 3C 6A 6F 62 20 69 64 3D 22}
		$endTmp = /rad.{5}\.tmp/

	condition:
		uint32be(0x0) == 0xE4525C7B
		and any of ($s_*)
		and $script
		and $wsfExt
		and $GUIDwsf
		and $endTmp
}
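As an added illustration that is not part of the YARAhub page or of SECUINFRA's rule, the Python below re-implements the rule's condition clause by clause (OneNote magic, UTF-16LE "wide" strings, the wildcarded hex pattern and the regex) and runs it over a constructed, inert byte buffer; the sample data and helper names are assumptions for the demonstration.

```python
import re

# OneNote .one files begin with bytes E4 52 5C 7B, i.e. uint32be(0x0) == 0xE4525C7B
ONENOTE_MAGIC = bytes.fromhex("E4525C7B")

# YARA's "wide" modifier matches the string encoded as UTF-16LE
WIDE_STRINGS = [s.encode("utf-16-le") for s in (
    "This document is protected",
    'You have to double-click "View" button to open',
    "Untitled picture.jpg",
)]
SCRIPT = b'language="VBScript"'                   # plain ascii, no modifier
WSF_EXT = (b".wsf", ".wsf".encode("utf-16-le"))  # "ascii wide": either encoding

# $GUIDwsf: 16 fixed bytes, 8 wildcard (??) bytes, 12 zero bytes, then '<job id="'.
# Hex-string wildcards match any byte, so this regex needs DOTALL.
GUID_WSF = re.compile(
    rb"\xE7\x16\xE3\xBD\x65\x26\x11\x45\xA4\xC4\x8D\x4D\x0B\x7A\x9E\xAC"
    rb'.{8}\x00{12}<job id="', re.DOTALL)
# $endTmp is a YARA regex; without the /s flag its dot does not match a newline
END_TMP = re.compile(rb"rad.{5}\.tmp")


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition over a byte buffer, in the rule's own order."""
    if data[:4] != ONENOTE_MAGIC:
        return False
    if not any(s in data for s in WIDE_STRINGS):  # any of ($s_*)
        return False
    if SCRIPT not in data:                        # $script
        return False
    if not any(ext in data for ext in WSF_EXT):   # $wsfExt
        return False
    return bool(GUID_WSF.search(data) and END_TMP.search(data))


def build_sample(with_guid: bool = True) -> bytes:
    """Constructed, inert buffer carrying only the rule's markers (not a real OneNote file)."""
    parts = [ONENOTE_MAGIC, b"\x00" * 16,
             "This document is protected".encode("utf-16-le"),
             b'<script language="VBScript">', b"lure.wsf", b"radA1B2C.tmp"]
    if with_guid:
        parts.append(bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
                     + b"\x01" * 8 + b"\x00" * 12 + b'<job id="x">')
    return b"".join(parts)


if __name__ == "__main__":
    print("constructed sample matches:", matches_rule(build_sample()))  # True
```

Dropping any single marker (for example the embedded-file GUID block) makes the condition fail, which mirrors how the rule's `and` chain behaves in YARA.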

YARA Rule Matches


The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches