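rule BlackCat_Sphynx_ransomware_1
{
    meta:
        description = "Detects BlackCat Sphynx ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "96e4a0d001331bdd70972aa3705190f50801f34e8537dbd6ec33e7f7514ec9ef"

    strings:
        // Sample-specific byte sequences; these carry the rule's precision.
        $h0 = { B6 47 18 D3 B9 78 B4 FB 13 78 9A }
        $h2 = { 47 2F F9 8D E7 4D E4 CF 00 CF 29 FF 60 91 34 64 0C D6 A5 B3 8A 80 }
        // The original listing ended this pattern with a lone nibble "9", which
        // is not valid YARA hex syntax (bytes must be two hex digits or a
        // wildcard). The low nibble is wildcarded so the rule compiles while
        // keeping every value the source provides.
        $h4 = { 62 63 CD 49 64 E4 E4 DA 81 DF 92 E8 89 9? }

        // Generic ransom-note indicators. They also occur in benign files
        // (documentation, wallet tooling, chat clients), so the condition below
        // never lets them trigger the rule on their own.
        $s1 = "TOX:" nocase
        $r3 = /README\..{3,10}/i
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // legacy Bitcoin address shape
        $s6 = "BITCOIN" nocase

    condition:
        // PE header and size bound first (cheap checks short-circuit the scan),
        // then at least four indicators overall, of which at least one must be
        // a sample-specific hex pattern so that the four generic strings alone
        // cannot match.
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and 4 of them
        and 1 of ($h*)
}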