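/*
 * MetaEncryptor ransomware: three per-sample rules, one per reference hash.
 *
 * Review changes relative to the published single-line form:
 *   - Each hex pattern ended in a lone nibble ("... 93 F", "... DD 1",
 *     "... 64 3"), which is not valid hex-string syntax and stops the file
 *     from compiling. The stray nibble is presumably the high nibble of a
 *     truncated byte, so it is kept and the low nibble is wildcarded
 *     ("F?", "1?", "3?"). Restore the full byte from the sample if available.
 *   - Exact duplicate strings were removed. Under "N of them" a duplicate
 *     counts twice, so one artefact satisfied two slots of the threshold.
 *   - Thresholds are unchanged and now count distinct indicators.
 *     NOTE(review): re-validate each rule against its meta.hash sample.
 *
 * NOTE(review): the wallet and .onion regexes are broad. The wallet pattern is
 * unanchored and can hit arbitrary alphanumeric runs, and the .onion pattern
 * accepts any 56 alphanumerics. Treat them as supporting indicators only.
 */

rule MetaEncryptor_ransomware_1
{
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e38145560263c1e028f1ab4d7bea498e86769277ce709bb39823090a91b210dc"

    strings:
        // Base58-style wallet address (was $r0, with $r4 as an exact duplicate).
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte patterns taken from the sample; last byte of $h1 is partially wildcarded.
        $h1 = { F3 7F CE 4A 14 44 F8 0F 97 BC 7C EE BE 8F 32 A1 54 F7 EA 87 8A 93 F? }
        $h2 = { AE E9 30 34 6D 6D 6C 53 5F 7C 66 C9 8D 49 B3 45 }

        // Ransom-note wording.
        $note_files  = "YOUR FILES" nocase
        $note_modify = "Do not modify" nocase

        // 56-character .onion host (was $r5, with $r6 as an exact duplicate).
        $onion = /[A-Za-z0-9]{56}\.onion/

    condition:
        // PE file (MZ header), small binary, at least four distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule MetaEncryptor_ransomware_2
{
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "540b27f95dcc2ceb5a4a84b9534cb12371424784e5e344a25aa60e0b48a1a978"

    strings:
        // Base58-style wallet address.
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte pattern taken from the sample; last byte is partially wildcarded.
        $h1 = { BB 07 81 21 5B AB 5D 79 7B 39 90 06 C8 B1 3C 92 50 DD 1? }

        // Contact marker seen in the ransom note.
        $tox = "TOX:" nocase

    condition:
        // NOTE(review): $wallet plus $tox alone meets this threshold without the
        // sample-specific bytes. Consider requiring $h1 if false positives appear.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule MetaEncryptor_ransomware_3
{
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0156a2fd73bfa288cdce515c6ecdf4beab944c6f3ee33b1d58ef21464a3d54f"

    strings:
        $encrypted = "ENCRYPTED" nocase

        // Byte pattern taken from the sample; last byte is partially wildcarded.
        $h1 = { 06 99 61 EF 43 57 50 D9 34 7A 86 04 FB 3F 64 3? }

        // "README" (was $s2, with $s5 as an exact duplicate).
        $readme = "README" nocase

        // 56-character .onion host.
        $onion = /[A-Za-z0-9]{56}\.onion/

        // Ransom-note file name with extension. Any hit here also hits $readme,
        // so the two together still add two to the count.
        $readme_ext = /README\..{3,10}/i

        // Family name embedded in the binary or note.
        $family = "MetaEncryptor" nocase

    condition:
        // PE file (MZ header), small binary, at least four distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}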