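// Two rules for the same family; each requires a PE header, a size cap and
// at least two distinct indicators.
//
// Changes from the original text:
//  - Duplicate string definitions were removed. With "2 of them", an
//    indicator defined twice under two names was counted twice, so a single
//    hit (one .onion address in rule 1, one README.* name in rule 2)
//    satisfied the whole condition on its own.
//  - Three hex strings in rule 2 ended in a lone hex digit, which is not
//    valid YARA and prevents the file from compiling. The missing low nibble
//    is unknown, so it is wildcarded ("?") rather than guessed.

rule APT73_Eraleig_ransomware_1
{
    meta:
        description = "Detects APT73/Eraleig ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a201ed0c43a856b0844a4a35b8b6cbf90290edabd9abfcca91c74d39fc024131"

    strings:
        // Tor v3 hidden-service address: 56 base32 characters + ".onion".
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Ransom-note file name pattern (README.txt, README.hta, ...).
        $r1 = /README\..{3,10}/i
        // Base58 payment address starting with 1 or 3, 26-35 characters.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Generic note wording; weak on its own and common in benign binaries.
        $s4 = "RECOVER" nocase
        // Byte sequences specific to the sample named in meta.hash.
        $h5 = { 4E 37 5A EC 84 78 54 61 C2 F7 42 16 21 15 85 4D C7 28 B8 }
        // Weak indicator (see $s4). "nocase" is a no-op on punctuation but is
        // kept as written.
        $s6 = "!!!" nocase
        $h7 = { 28 60 4E 8D 40 F9 90 16 F9 C4 ED B8 F9 }

    condition:
        // MZ header, size cap, then any two distinct indicators.
        // NOTE(review): $s4 and $s6 together already satisfy "2 of them";
        // if false positives are observed, require one of $h* or $r0 as well.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule APT73_Eraleig_ransomware_2
{
    meta:
        description = "Detects APT73/Eraleig ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c711a68e6eaad066465a976a9340ae70c960303c4352fe661dce3f57f25266e4"

    strings:
        // Byte sequences specific to the sample named in meta.hash.
        // $h0, $h1 and $h7 ended in a single hex digit in the original; the
        // unknown low nibble is wildcarded instead of invented.
        $h0 = { D7 37 B7 3E FC EB 64 2E 2C C9 A1 37 F0 C6 BB 2A DE C5 FB 44 C? }
        $h1 = { D7 12 9D 6A D4 85 CD 6B 98 E2 61 DE D5 A7 91 87 6? }
        // Ransom-note file name pattern (README.txt, README.hta, ...).
        $r2 = /README\..{3,10}/i
        $h3 = { 75 40 26 87 95 73 F6 50 A6 5D D8 83 E9 8D CF D8 07 53 4C C5 A5 }
        // Base58 payment address starting with 1 or 3, 26-35 characters.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Tor v3 hidden-service address: 56 base32 characters + ".onion".
        $r6 = /[A-Za-z0-9]{56}\.onion/
        $h7 = { 5D 1D 75 C3 D1 AE C6 72 3A 65 B8 F9 33 28 7D B7 7A A6 0? }

    condition:
        // MZ header, size cap, then any two distinct indicators.
        // NOTE(review): $r2 and $r5 are generic; consider requiring one of
        // $h* if this rule proves noisy.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}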