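// Detects a Rust build of Agenda/Qilin ransomware in Windows PE files.
// All indicators below come from the single sample listed in meta.hash, so
// treat a hit as a lead to triage, not as a family attribution on its own.
//
// The identifier uses "Rust" instead of "(Rust)": YARA identifiers may contain
// only letters, digits and underscores, so the parenthesised form does not compile.
rule Agenda_Qilin_Rust_ransomware_1
{
    meta:
        description = "Detects Agenda/Qilin (Rust) ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "aee441e242d9712e77cd72ac8791b6c3bfc04c46832861116bb8ffde41127eff"

    strings:
        // "README." followed by 3-10 arbitrary characters, case-insensitive.
        // Generic: many benign installers and archives carry such a name.
        $r0 = /README\..{3,10}/i

        // Sample-specific byte pattern. The source listing ended with a lone
        // nibble ("9"), which is not a valid hex-string token; the incomplete
        // trailing byte is dropped rather than guessed, leaving the 23 complete bytes.
        $h1 = { 4A FB EC 7C 9D 18 0F 85 C2 10 BE DE D3 FD 3A 7D 36 A4 77 D3 2A 36 1F }

        // Generic cipher name; present in any binary that links a crypto library.
        $s2 = "AES-256" nocase

        // Sample-specific byte pattern.
        // NOTE(review): provenance of $h1/$h3 is not documented; confirm they
        // come from code or constant data, not from packed or encrypted regions.
        $h3 = { 20 C6 2D AA D1 81 94 88 CA F9 1A }

        // NOTE(review): this looks derived from the rule's family label rather
        // than from an observed file extension; verify against the sample.
        $s4 = ".agenda_qilin_(rust)" nocase

        // Base58-alphabet run starting with 1 or 3 (resembles a legacy Bitcoin
        // address). Unanchored, so it can also match inside unrelated data and
        // may be slow on large files.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // MZ header and size cap keep the rule to small PE files.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Require at least one sample-specific byte pattern: "2 of them" alone
        // is satisfied by generic pairs such as $r0 + $s2, which would flag
        // unrelated software.
        any of ($h*) and
        2 of them
}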