rule Granite_ransomware_1 {
    meta:
        description = "Detects Granite ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "eb51bf6db605de0f9c2fba0f7e651d526c7f0debe937775f57041b2a00e8c577"

    strings:
        $h0 = { B4 65 7F 18 93 B4 AF AF 43 01 87 1 }
        $h1 = { 8D 26 87 A9 FA 11 B7 67 C6 52 46 DF B0 EE 1A 9D F }
        $h2 = { B3 09 B3 D0 3D 9A 1B 0B F5 45 E4 9B 54 B4 D3 05 42 28 CE 2C }
        $s3 = "TOX:" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}