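/*
 * CitadelRage_ransomware_1
 *
 * Matches Windows PE files under 5MB that contain at least four of the
 * seven strings below.
 *
 * Review notes:
 *   - $h1, $h2, $h5 and $h6 originally ended in a single hex digit, which
 *     YARA rejects (every byte in a hex string needs two nibbles), so the
 *     rule did not compile. The final byte of each is now a nibble
 *     wildcard ("D?", "2?", "1?"), assuming the surviving digit is the high
 *     nibble of a truncated byte. TODO: regenerate these four patterns from
 *     the sample named in meta.hash and restore the full byte.
 *   - $s0 and $r3 are generic and can both hit in unrelated software, so in
 *     the weakest case "4 of them" rests on only two of the byte patterns.
 *     Validate against a clean-file corpus before using this rule for
 *     blocking rather than alerting.
 */
rule CitadelRage_ransomware_1
{
    meta:
        description = "Detects CitadelRage ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "dcf4d55dcaa12642edf2c49edd9a7a811dbdd5eedb2360abf4921cb86c0d34d4"

    strings:
        // Ransom-note keyword, case-insensitive; ASCII only as written.
        $s0 = "DECRYPT" nocase

        // Opaque byte patterns; what they correspond to is not documented in
        // the rule (presumably taken from the sample in meta.hash; confirm).
        $h1 = { 29 32 9A A4 0D 4E 54 8D F4 62 AC BD 24 47 04 9B AA BD 0E BD B7 D? } // last byte truncated in source
        $h2 = { E7 C5 1F A8 AD BD D4 B9 76 BE B7 71 2? }                            // last byte truncated in source

        // Base58 text shaped like a legacy Bitcoin address (leading 1 or 3).
        // Unanchored, so it also matches inside longer alphanumeric runs.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        $h4 = { B3 AA 98 AB 30 1D 14 EF 7F 91 08 76 26 E2 97 1D A5 90 7A 22 29 93 }
        $h5 = { 39 5B FD A4 D4 36 03 00 C1 7E BD CE BC EB 2? }                      // last byte truncated in source
        $h6 = { 2B CF 31 4A 26 59 27 93 9A 62 0B 54 6B B2 96 1? }                   // last byte truncated in source

    condition:
        // 0x5A4D is "MZ" read as a little-endian uint16: the DOS/PE header magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}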