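/*
 * AeacusUnit_ransomware_1
 *
 * Flags Windows PE files smaller than 5 MB that carry ransom-note style
 * indicators (decrypt wording, cipher names, onion / Tox / Bitcoin contact
 * details) and/or two fixed byte sequences.
 *
 * Review change: the original condition was "2 of them". Any two of the
 * generic strings satisfied it, e.g. "DECRYPT" nocase (which also matches
 * inside the CryptDecrypt import name) together with "AES-256". That matches
 * a wide range of benign crypto-capable binaries. The condition below is a
 * strict tightening: everything it matches the original also matched, but
 * generic strings no longer suffice on their own.
 *
 * NOTE(review): re-run against the reference sample named in meta.hash before
 * deploying, to confirm the tightened condition still fires on it.
 */
rule AeacusUnit_ransomware_1
{
    meta:
        description = "Detects AeacusUnit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c374b45409898b9960f3433cccc524cbe95ed839ec776c95d310c058fb54b449"

    strings:
        // Generic ransom-note / crypto wording: weak on its own.
        $s0 = "DECRYPT" nocase
        $s2 = "AES-256" nocase
        $s7 = "ChaCha20" nocase

        // Contact-channel indicators.
        // 56 alphanumerics followed by ".onion" (v3 onion address length).
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s5 = "TOX:" nocase

        // Base58-looking run starting with 1 or 3 (legacy Bitcoin address shape).
        // Unanchored and without a literal atom: it can match inside any long
        // alphanumeric run and is likely to trigger YARA's slow-scanning
        // warning, so it is only counted as a weak indicator below.
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Fixed byte sequences; presumably taken from the reference sample.
        // NOTE(review): confirm their provenance; they are the only
        // potentially family-specific content in this rule.
        $h3 = { 75 74 0E 87 52 B9 DF F0 1D C8 }
        $h6 = { CF C3 83 30 2F 48 81 F9 15 07 30 7C B4 63 7F A2 A2 03 E1 98 92 BF }

    condition:
        uint16(0) == 0x5A4D and     // "MZ" header: PE files only
        filesize < 5MB and
        (
            // Both byte sequences present.
            all of ($h*) or
            // One byte sequence corroborated by any textual indicator.
            (any of ($h*) and any of ($s*, $r*)) or
            // No byte sequence: require a contact channel plus two weak indicators.
            (any of ($r1, $s5) and 2 of ($s0, $s2, $s7, $r4))
        )
}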