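// DoppelPaymer ransomware detection rules.
//
// Every rule gates on the MZ header (uint16(0) == 0x5A4D) and a 5 MB size cap
// before any string is counted, so non-PE input and large files are rejected
// cheaply. The hash in each rule's meta is the reference sample it was cut from.
//
// NOTE(review): four hex strings in the original file ended in a single hex
// digit ($h0 and $h6 in rule 2, $h3 and $h5 in rule 3). YARA hex strings take
// two digits per byte, so those two rules did not compile. The dangling digit
// is dropped here (the pattern is one byte shorter and therefore slightly
// broader) and recorded in a comment next to the string; restore the full
// byte from the reference sample if it can be recovered.

rule DoppelPaymer_ransomware_1
{
    meta:
        description = "Detects DoppelPaymer ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "e40880caf6177c9e1b6381f64534b85e732a980f40931fc80f17cfa8811fec28"

    strings:
        // Token shaped like a base58 Bitcoin address (leading 1 or 3, 26-35
        // chars, 0/O/I/l excluded). Unanchored, so it also matches inside a
        // longer base58 run; the hex pattern below carries the specificity.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Ransom-note wording.
        $s1 = "YOUR FILES" nocase
        // Byte sequence from the reference sample.
        $h2 = { 50 20 C1 15 7A 6E D0 DF 29 32 AC 07 F0 9B 18 D5 58 9A FA 49 0D 87 }

    condition:
        // Three strings are defined, so "3 of them" requires all of them.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule DoppelPaymer_ransomware_2
{
    meta:
        description = "Detects DoppelPaymer ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "6af50dd8582fd356d59894a7a29d7d046c1cb631941c181e74636f56eed281a9"

    strings:
        // Original ended in a lone "0" (not a whole byte); trailing digit dropped.
        $h0 = { E1 7E 15 26 C7 76 F8 CF 11 A0 D0 FD 68 1C 18 BF 51 2E C4 49 76 2B 59 }
        // Ransom-note wording.
        $s1 = "RSA-2048" nocase
        // Extension appended to encrypted files.
        $s2 = ".doppelpaymer" nocase
        $h3 = { D7 3D 3A AF EC 5B D3 1D 3B 8A D7 55 8D }
        // Tor v3-style hidden-service host name (56 chars before ".onion").
        // [A-Za-z0-9] is a superset of the base32 alphabet such names use.
        $r4 = /[A-Za-z0-9]{56}\.onion/
        // $s5 was a byte-for-byte duplicate of $s1 ("RSA-2048" nocase). Under
        // "2 of them" the pair fired on that single phrase alone, so the
        // duplicate is removed and the identifier left unused.
        // Original ended in a lone "8" (not a whole byte); trailing digit dropped.
        $h6 = { 62 A3 AC EF 8B 7E 03 6E A5 }
        // Ransom-note wording.
        $s7 = "RECOVER" nocase

    condition:
        // Any two distinct strings from the set above.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule DoppelPaymer_ransomware_3
{
    meta:
        description = "Detects DoppelPaymer ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "5a057a3856f16fe3ea341f8c5e9b6f2f8cd44b702539dac0c088de2e470b79d0"

    strings:
        $h0 = { B7 FF 8B AA FD 59 CD 20 C6 FB 7A 40 DB A1 }
        // Tor v3-style hidden-service host name (56 chars before ".onion").
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $h2 = { 0C 1D F2 B7 7E DD 4E 11 4E 77 5A 26 F4 7E }
        // Original ended in a lone "6" (not a whole byte); trailing digit dropped.
        $h3 = { 8B 53 85 35 13 93 CB 6E }
        $h4 = { CC BE 2B 6A 2B CE 6A 3F AC 4F 13 C0 B8 }
        // Original ended in a lone "E" (not a whole byte); trailing digit dropped.
        $h5 = { 1F 48 37 AA 02 09 A3 9D 1D 6D 7A }
        // Ransom-note wording.
        $s6 = "Do not rename" nocase
        $h7 = { C5 CE 24 01 9C CC 8B 95 26 FE D4 5C B5 30 58 27 10 64 8A BD A8 74 C0 CD }

    condition:
        // Any three of the eight strings above.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}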