win.emmenhtal

Emmenhtal

aka: IDATDropper, PEAKLIGHT

Orange Cyberdefense assesses that this loader has highly likely been used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers.

References
2024-12-05, Orange Cyberdefense, Alexandre Matousek, Marine PICHON
Edam Dropper
Tagged: Edam, Emmenhtal

2024-11-28, StrikeReady, StrikeReady Labs
RU APT targeting Energy Infrastructure (Unknown unknowns, part 3)
Tagged: Edam, Emmenhtal

2024-09-20, McAfee, Aayush Tyagi, Yashvi Shah
Behind the CAPTCHA: A Clever Gateway of Malware
Tagged: Emmenhtal, Lumma Stealer

2024-08-22, Mandiant, Aaron Lee, Praveeth DSouza
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
Tagged: CryptBot, Emmenhtal, HijackLoader, Lumma Stealer

2024-08-14, Orange Cyberdefense, Alexandre Matousek, Marine PICHON, Simon Vernin
Emmenhtal: a little-known loader distributing commodity infostealers worldwide
Tagged: Emmenhtal

2024-06-24, Kroll, Dave Truman
Novel Technique Combination Used In IDATLOADER Distribution
Tagged: Emmenhtal, HijackLoader
Yara Rules
[TLP:WHITE] win_Emmenhtal_w0 (20240814 | No description)
rule win_Emmenhtal_w0 {
    meta: 
        author = "cert-orangecyberdefense"
        source = "https://raw.githubusercontent.com/cert-orangecyberdefense/emmenhtal/main/yara%20Emmenhtal"
        date = "2024-08-14"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emmenhtal"
        malpedia_rule_date = "20240814"
        malpedia_hash = ""
        malpedia_version = "20240814"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = " = String.fromCharCode("
        $s2 = ";var "
        $s3 = "eval("
        $s4 = "</script>"
        $s5 = "<HTA:APPLICATION CAPTION = \"no\" WINDOWSTATE = \"minimize\" SHOWINTASKBAR = \"no\" >"
    condition:
        all of them
}