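// Rule 1: PE file under 5 MB that contains every string below.
rule HellfireBlack_ransomware_1
{
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c4ea1e65824434962ba7d2094979329147565b70a2608401db6e97a61bcd7790"

    strings:
        // '1' or '3' followed by 25-34 Base58 characters (no 0, O, I, l):
        // the shape of a legacy Bitcoin address, presumably the ransom wallet.
        // The source declared this identical pattern twice ($r0 and $r2); the
        // duplicate is removed, which does not change what the rule matches.
        // NOTE(review): the pattern has no fixed literal and no word boundary,
        // so it can hit arbitrary alphanumeric runs and may slow scanning.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // 'nocase' was dropped: it has no effect on punctuation.
        // NOTE(review): three exclamation marks are very common in binaries;
        // this string adds almost no specificity.
        $s1 = "!!!"
        // The only sample-specific byte sequence in this rule.
        $h3 = { 49 FE 41 80 DE 8C CD A1 CB 77 56 }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE header.
        // The source used "4 of them" over four strings, i.e. all of them.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

// Rule 2: PE file under 5 MB that contains any two of the strings below.
rule HellfireBlack_ransomware_2
{
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7f0beb9b4ab706cbadf0f595ab4bc75d423cc17e84708c127c8a561d321205e6"

    strings:
        // The source ended this pattern with a lone nibble ("7"). A hex string
        // must consist of whole bytes, so the rule would not compile. The
        // dangling nibble is dropped; if the full final byte is known from the
        // sample named in meta, append it here.
        $h0 = { EC 39 44 0E 9C 3F AB 83 0D D1 C7 20 27 C9 20 35 50 14 1C }
        $s1 = "PAYMENT" nocase
        $s2 = "Do not modify" nocase
        // Same repair as $h0: a dangling "6" nibble was dropped from the end.
        $h3 = { 08 79 90 95 60 73 A2 5B A1 7A 2F 68 AF 30 54 28 83 83 32 E9 C2 }
        // Legacy Bitcoin-address shape: '1' or '3' plus 25-34 Base58 characters.
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // NOTE(review): "2 of them" is satisfied by the generic text strings
        // and the address-shaped regex alone, with neither byte pattern
        // present. Validate against a goodware corpus before deploying, and
        // consider requiring at least one of ($h*) if false positives appear.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}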