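/*
 * Flags Windows PE files smaller than 5 MB that contain at least four of the
 * five patterns below. The meta section lists a single reference hash.
 *
 * NOTE(review): the byte patterns look like raw bytes taken from that one
 * sample rather than from a stable code or config feature (to be confirmed).
 * Run the rule against a clean-file corpus and against other samples of the
 * family before using it for alerting or blocking.
 */
rule MonsoonUnit_ransomware_1
{
    meta:
        description = "Detects MonsoonUnit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3a9a4f96d2d8492464afeb9f667917538c9aa72499427dba40db6b75c4ec42e5"

    strings:
        // "nocase" was dropped: the literal has no letters, so the modifier
        // changed nothing. A three-character literal like this is common in
        // unrelated binaries, so in practice it lowers the bar to three of
        // the four hex patterns.
        $s0 = "!!!"

        // Each hex pattern originally ended in a lone nibble ("B", "7", "1"),
        // which YARA rejects, so the rule did not compile. The missing low
        // nibble is now a "?" wildcard; the known high nibble is kept.
        // NOTE(review): the patterns appear to have been truncated mid-byte.
        // Restore the full final byte from the reference sample if possible.
        $h1 = { 4D 6C C4 1B BA 08 E2 E2 B4 FD 83 9E F8 0E D9 E5 94 F6 72 F1 C1 53 B? }
        $h2 = { 06 D0 E8 DD 46 F4 88 50 7E 04 A0 52 D0 34 78 35 CC E7 40 72 E9 EE B? }
        $h3 = { B0 BA EB 01 A0 DC 92 DC 45 C7 2E 7? }
        $h4 = { E1 8E B6 6E 9A 6E 75 A3 5E DB 7F 3F 89 27 0A 9D 46 06 1? }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}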