/*
 * HectorSquad_ransomware_1
 *
 * Matches files that start with the MZ magic, are smaller than 5MB, and
 * contain at least two of the seven strings declared below.
 *
 * NOTE(review): meta lists a single reference hash, and the rule does not say
 * where each string sits in that sample. Confirm every pattern against the
 * sample before relying on a hit.
 */
rule HectorSquad_ransomware_1
{
    meta:
        description = "Detects HectorSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a1ad487d62375fb60e8bd49dae8e3e6205fb4cc522215283b3c084d90a78a739"

    strings:
        // Raw byte patterns. The rule gives no context for them; presumably
        // they were lifted from the reference sample -- verify.
        $bytes_a = { AA EC 80 6B A8 2E 27 4E 47 72 BA B5 }
        $bytes_b = { 39 0A 78 0C 8C 40 4D AD B9 EE B3 D3 }
        $bytes_c = { 9D F6 4C 37 46 F9 DB 65 }

        // Text patterns, matched case-insensitively. No `wide` modifier is
        // set, so only single-byte (ASCII) occurrences match; UTF-16 copies
        // of the same text will not.
        $text_rename = "Do not rename" nocase
        // `nocase` has no effect here: the pattern contains no letters.
        $text_colons = "::::" nocase
        $text_encrypted = "ENCRYPTED" nocase
        $text_payment = "PAYMENT" nocase

    condition:
        // 0x5A4D read as a little-endian 16-bit value at offset 0 is "MZ",
        // the DOS/PE executable magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Any two of the seven strings satisfy the rule, including two text
        // strings with no byte pattern present.
        // NOTE(review): "::::", "ENCRYPTED" and "PAYMENT" are generic enough
        // to occur in unrelated software, so measure the false-positive rate
        // on a goodware corpus; requiring at least one byte pattern would
        // tighten the rule once the patterns are confirmed in the sample.
        2 of ($bytes_*, $text_*)
}