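/*
 * Leviathan_ransomware_1
 *
 * Flags Windows PE files under 5MB that contain at least three of six
 * indicators: three byte patterns, the ".leviathan" extension string, a
 * v3 .onion address, and a ransom-note style "README.<ext>" file name.
 *
 * NOTE(review): the origin of the byte patterns $h0/$h4/$h5 (code, key
 * material, configuration) is not documented here. Validate the rule against
 * the sample named in meta.hash and against a goodware corpus before relying
 * on it for alerting.
 */
rule Leviathan_ransomware_1
{
    meta:
        description = "Detects Leviathan ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "97ec7d00236089ded65881fc2dfa2cddd26965878eb219628a7530476eaa48f5"

    strings:
        // The pattern as published ended in a lone nibble ("8F 5"), which is
        // not a valid hex-string token and stops the whole rule from compiling.
        // The incomplete trailing byte is dropped, so this is a prefix of the
        // intended pattern and matches everything the intended pattern would.
        // TODO: restore the final byte from the reference sample.
        $h0 = { 37 9C 5B 8A 91 AE 37 CA 0D 9E 8A 64 9E F8 8F }

        // Extension string; "wide" added so a UTF-16 copy in a Windows binary
        // is matched as well as the single-byte form.
        $s1 = ".leviathan" ascii wide nocase

        // v3 onion host names are 56 base32 characters (a-z, 2-7). The
        // published class [A-Za-z0-9] also accepted 0, 1, 8 and 9, which can
        // never occur in a valid address. Case-insensitive, as before.
        $r2 = /[a-z2-7]{56}\.onion/i

        // Generic: "README." followed by 3-10 arbitrary non-newline bytes.
        // Common in benign software, so it only adds weight to other hits.
        $r3 = /README\..{3,10}/i

        $h4 = { 6A 1E B0 96 53 96 1D FA 5D AC B8 5A 52 B2 1A A8 D0 E5 }
        $h5 = { 1C 41 9C 41 A5 DB C3 3B CD A7 AF 31 A4 05 70 56 05 C2 00 A4 81 92 }

    condition:
        // "MZ" at offset 0 restricts the rule to DOS/PE executables.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Only $r2 and $r3 are generic, so any three hits include at least one
        // of $h0, $s1, $h4, $h5.
        3 of them
}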