// Signature for Cheerscrypt ransomware. The rule fires only when a file that
// starts with the "MZ" magic, and is smaller than 5MB, contains every one of
// the four patterns declared in the strings section.
rule Cheerscrypt_ransomware_1
{
    meta:
        description = "Detects Cheerscrypt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // 64 hex characters (SHA-256 length); presumably the reference sample
        // this rule was derived from. Confirm before using it as an IoC.
        hash = "0665de74616f7e7c11a42bb0ae51574b6ba759fe38d388a37b36d696f87bb5b7"

    strings:
        // Shape of a legacy Bitcoin address: a leading '1' or '3' followed by
        // 25-34 characters from an alphabet that leaves out 0, O, I and l.
        // The pattern has no fixed literal to anchor on, so it also matches
        // ordinary alphanumeric runs and is comparatively expensive to scan.
        // It is only meaningful in combination with the other strings.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Case-insensitive "TOX:" label. No `wide` modifier is given, so only
        // the single-byte (ASCII) encoding is matched; a UTF-16 copy of the
        // same text would not satisfy this string.
        $s1 = "TOX:" nocase

        // Two fixed byte sequences. Their origin within the sample is not
        // documented here. NOTE(review): confirm they come from code or data
        // that is stable across builds rather than packed or encrypted bytes.
        $h2 = { F3 95 28 60 04 50 F4 6C 4D F7 87 C6 8F }
        $h3 = { E6 79 C4 F4 33 F3 FD 18 97 F8 4E D6 }

    condition:
        // The cheap header and size checks run first. 0x5A4D read as a
        // little-endian 16-bit value at offset 0 is the byte pair "MZ".
        // NOTE(review): Cheerscrypt has been publicly described as targeting
        // Linux/ESXi hosts. Confirm the reference sample really is MZ-headed,
        // because this check excludes ELF files entirely.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Four strings are declared, so "all of them" requires the same four
        // matches as the explicit count did. A single missing string (for
        // example a variant without the Bitcoin-style token) means no match.
        all of them
}