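/*
 * CollapseGroup ransomware rules, one per reference sample (see meta.hash).
 * Every rule is gated on a PE header (MZ at offset 0) and a 5MB size cap,
 * then counts string indicators listed in its strings section.
 */

rule CollapseGroup_ransomware_1
{
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b384c3dd0753cfb0945ddbf535baec91a635ffeffd5391004c99041f859cd4a0"

    strings:
        // Contact / negotiation markers.
        $s0 = "TOX:" nocase
        // 56 alphanumeric characters followed by ".onion" (v3 onion address length).
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // NOTE(review): $s2 matches whenever $r1 does, so a single onion
        // address already contributes two of the three required hits.
        // Consider counting the two as one indicator before deploying.
        $s2 = ".onion" nocase
        // The original pattern ended in a lone nibble ("... 06 A"), which is
        // not a valid hex string and stops the whole file from compiling.
        // The incomplete byte is dropped; restore it from the sample if known.
        $h3 = { AC 44 E1 6E 4E 16 84 A2 E4 5B 75 62 0B EC F1 5E 2C 06 }
        // Generic phrase; weak on its own.
        $s4 = "Do not modify" nocase
        // Same repair as $h3: the dangling trailing nibble ("... 1F 5") is dropped.
        $h5 = { 47 87 B2 4F C8 B1 A9 62 7A 1F }

    condition:
        // MZ magic, small file, at least three indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule CollapseGroup_ransomware_2
{
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2571e6342bbe870cca11b602cf6217a9f6d638ad05012fc842334e6df58e6102"

    strings:
        // The original declared ".collapsegroup" twice ($s0 and $s2), so one
        // occurrence satisfied "2 of them" by itself. It is declared once here.
        $s0 = ".collapsegroup" nocase
        // "README." followed by 3-10 characters, case-insensitive. ASCII only;
        // NOTE(review): a UTF-16 note name would need the "wide" modifier - confirm
        // against the sample.
        $r1 = /README\..{3,10}/i

    condition:
        // With two distinct strings left, "2 of them" means both must be present.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

rule CollapseGroup_ransomware_3
{
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "163316b0fd78474929ff93535075e52ac5bfd1d71a28731502aa0db3e0d96a29"

    strings:
        // "README." followed by 3-10 characters, case-insensitive.
        $r0 = /README\..{3,10}/i
        $s1 = ".collapsegroup" nocase
        // 15-byte sequence from the reference sample.
        $h2 = { 2C 96 37 91 88 0C F2 CD A0 41 8A 5A 4B 30 B4 }

    condition:
        // MZ magic, small file, any two of the three indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}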