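/*
 * Mallox v2 ransomware detection rules (PE samples).
 *
 * Both rules gate on the "MZ" header and a 5 MB size cap, then require a
 * small number of the listed strings. Several of the text strings
 * ("README.*", "Do not modify", "DECRYPT", "RSA-2048") are generic and also
 * occur in benign software; the opaque hex patterns carry most of the
 * specificity. Baseline on a clean corpus before using these as blocking
 * signatures rather than hunting/triage rules.
 */

rule Mallox_v2_ransomware_1
{
    meta:
        description = "Detects Mallox v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "ac65a4392b472684fe9308e23284820061cfb3b34c5faf8ca4996a923134eef1"

    strings:
        // Opaque byte sequence lifted from the referenced sample; its meaning is not documented.
        $h0 = { 14 06 DB 28 1C BC 6F B4 91 4B E3 BD 0D 99 17 38 90 6E 20 73 8E 6D 3B }
        // Ransom-note file name pattern ("README." + 3-10 chars); generic on its own.
        $r1 = /README\..{3,10}/i
        // The source ended this pattern with a lone nibble "4", which is not valid
        // YARA hex and fails to compile. "?4" keeps the known low nibble and
        // wildcards the high one -- TODO confirm the full byte against the sample.
        $h2 = { EE E5 04 96 2E EB D1 E6 80 DD FA C7 2B ?4 }
        // Generic ransom-note phrase; also common in benign files.
        $s4 = "Do not modify" nocase
        // NOTE: the source repeated the README regex under a second identifier
        // ($r3). With "N of them" every identifier counts separately, so the
        // duplicate let a single note-name hit fill two of the required slots.
        // It is dropped here so the count reflects distinct evidence.

    condition:
        // PE file (little-endian "MZ"), size cap, then any 2 of the 4 strings.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule Mallox_v2_ransomware_2
{
    meta:
        description = "Detects Mallox v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "62ff582aa679b0e3062e3cc0a5ba08a61f55f6c23e0d0cfd6138772bbb690b43"

    strings:
        // Key-size mention typical of ransom notes; also present in many crypto libraries.
        $s0 = "RSA-2048" nocase
        // Opaque byte sequence lifted from the referenced sample; its meaning is not documented.
        $h1 = { 3D 24 8A 13 3E 81 45 8E 64 3C B4 AB 16 B7 1B 3C FB }
        // Generic ransom-note phrase; also common in benign files.
        $s2 = "Do not modify" nocase
        // Base58-style address: leading "1" or "3" plus 25-34 base58 chars
        // (the class omits 0, O, I and l). Will also hit unrelated base58 data.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Generic ransom-note verb; matches any file mentioning decryption.
        $s4 = "DECRYPT" nocase
        // NOTE: the source repeated the address regex as $r5; removed for the
        // same double-counting reason as in Mallox_v2_ransomware_1.
        // 56 alphanumerics followed by ".onion". v3 onion hostnames are
        // base32 (a-z, 2-7), so this class is looser than necessary -- TODO
        // consider tightening to /[a-z2-7]{56}\.onion/ after checking the sample.
        $r6 = /[A-Za-z0-9]{56}\.onion/
        // Opaque byte sequence lifted from the referenced sample; its meaning is not documented.
        $h7 = { AA 58 D6 1E 4E F4 F7 71 EF 5F }

    condition:
        // PE file (little-endian "MZ"), size cap, then any 3 of the 7 strings.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}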