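/*
 * MegaCortex_ransomware_1
 *
 * Flags small PE files that contain a Bitcoin-address-shaped token plus at
 * least two further indicators (ransom-note file name, family name, or the
 * byte sequence $h2).
 *
 * Review notes:
 *  - The original declared the Bitcoin-address regex twice ($r1 and $r3) and
 *    used "4 of them". Because the two copies always match together, that
 *    was equivalent to "$r1 and 2 of the other three". The duplicate is
 *    removed and the condition spelled out, so matching is unchanged and the
 *    regex is scanned only once.
 *  - $r0 and $r1 are generic on their own: $r0 accepts any 3-10 non-newline
 *    bytes after "README.", and $r1 matches any 26-35 character run of the
 *    listed alphabet that starts with 1 or 3. A PE with $r1, $r0 and the
 *    text "MegaCortex" (for example a tool or report that merely mentions
 *    the family) satisfies the condition without $h2. Validate against a
 *    goodware corpus before using this rule for blocking.
 *  - NOTE(review): the provenance and uniqueness of $h2 cannot be judged
 *    from the rule text alone; confirm against the sample named in "hash".
 */
rule MegaCortex_ransomware_1
{
    meta:
        description = "Detects MegaCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "8023f14969a20df7ca2c25e8a38a10751c9f696626ffe7e46326419a73a38347"

    strings:
        // Ransom-note style file name: "README." followed by 3-10 characters.
        $r0 = /README\..{3,10}/i
        // Bitcoin-address-shaped token (leading 1 or 3, then 25-34 characters).
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Byte sequence supplied by the rule author.
        $h2 = { D6 D3 51 B3 90 24 11 44 64 DE }
        // Family name, any letter case.
        $s4 = "MegaCortex" nocase

    condition:
        // "MZ" header check keeps the rule to PE files; the size cap bounds scan cost.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $r1 and
        2 of ($r0, $h2, $s4)
}

/*
 * MegaCortex_ransomware_2
 *
 * Flags small PE files that contain any three of: two author-supplied byte
 * sequences, the text "ChaCha20", the text "!!!", and a ransom-note style
 * file name.
 *
 * Review notes:
 *  - Both hex strings originally ended in a lone nibble ("FC 4" and "EE 3").
 *    YARA hex strings are written as two-nibble bytes, so the rule did not
 *    compile and could never fire. The missing half of each final byte is
 *    not recoverable from the rule text, so the dangling nibble is dropped;
 *    the shortened patterns still match everything a completed pattern
 *    would. TODO: re-derive the full sequences from the sample named in
 *    "hash" and restore the last byte.
 *  - "nocase" was removed from "!!!": the string has no letters, so the
 *    modifier had no effect.
 *  - $s1, $s2 and $r3 are weak indicators and can together satisfy
 *    "3 of them" without either byte sequence matching. Expect false
 *    positives on unrelated PE files that name the ChaCha20 cipher; consider
 *    requiring one of ($h*) once the hex strings have been verified.
 */
rule MegaCortex_ransomware_2
{
    meta:
        description = "Detects MegaCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a57230ba3345a98db12df1b29f34ae4ae5b7481bfe06bc45dfb6cd5156cc44f0"

    strings:
        // Author-supplied byte sequence; truncated trailing nibble removed (see notes).
        $h0 = { 5C 34 EF B4 B6 B6 DB C3 6F 4C 76 9C 03 9D B8 05 AA 32 23 11 15 FC }
        // Cipher name, any letter case.
        $s1 = "ChaCha20" nocase
        // Three exclamation marks; very common in benign files.
        $s2 = "!!!"
        // Ransom-note style file name: "README." followed by 3-10 characters.
        $r3 = /README\..{3,10}/i
        // Author-supplied byte sequence; truncated trailing nibble removed (see notes).
        $h4 = { 0C C9 32 FD D5 79 C2 2F 1B D8 2F 1B 75 F6 EE }

    condition:
        // "MZ" header check keeps the rule to PE files; the size cap bounds scan cost.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}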