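/*
 * NebulaWare ransomware signatures: three rules, each carrying its own
 * reference sample hash in meta.hash.
 *
 * Every rule is gated on the same cheap pre-filter before any string is
 * counted: the file must start with the bytes "MZ" (uint16(0) == 0x5A4D)
 * and be smaller than 5 MB.
 *
 * NOTE(review): the hex patterns carry no annotation saying which code or
 * data they were taken from. Confirm them against the sample named in
 * meta.hash and test against a clean-software corpus before using these
 * rules for blocking rather than alerting.
 */

rule NebulaWare_ransomware_1
{
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c48d4cd3a9daa7f5a4bcdc8d376764a71a7428ac20bc781595704ad694c02d51"

    strings:
        $h0 = { 07 E1 28 BC 29 50 B8 F0 78 53 16 }
        // The last byte was published as a lone nibble ("D"), which is not
        // valid hex-string syntax. The known high nibble is kept and the low
        // nibble wildcarded. TODO: restore the full byte from the sample.
        $h1 = { C9 86 6A D7 16 C6 E7 0E 9A C6 F1 5B 47 43 4B D1 0D 49 D? }
        $h2 = { F8 44 40 87 11 76 03 D0 32 C9 9F 7A 61 28 82 24 0B 9F 2E 08 02 }
        $h3 = { 52 C0 E8 52 A1 0C CB 0D E7 9A 74 A5 EB 60 3E 42 0C 19 9A DE }

    condition:
        // Pre-filter first, then any three of the four byte patterns.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule NebulaWare_ransomware_2
{
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c5d5cb04cd5846a1d248b9dc5444708036f7c8a92e85979228dc47c526f96b62"

    strings:
        // Case-insensitive ASCII match; also hits inside longer words
        // such as "recovery".
        $s0 = "RECOVER" nocase
        // The last byte was published as a lone nibble ("E"), which is not
        // valid hex-string syntax. The known high nibble is kept and the low
        // nibble wildcarded. TODO: restore the full byte from the sample.
        $h1 = { 75 18 3D 6E 8A 17 26 43 D0 A4 E? }
        // "README." followed by any 3 to 10 characters other than newline,
        // case-insensitive.
        $r2 = /README\..{3,10}/i

    condition:
        // NOTE(review): $s0 and $r2 are generic and satisfy "2 of them"
        // without $h1, so a small PE that merely contains "recover" and a
        // "readme.<something>" string will match. Expect false positives on
        // installers and backup tools; consider requiring $h1 once its full
        // byte sequence has been confirmed.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule NebulaWare_ransomware_3
{
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "565a49f3018d01f6268240b23ebf012c35b29a119e5967bd002281d72c5bfcac"

    strings:
        $h0 = { 84 C2 A2 4B 94 2B 53 F5 52 7B 36 9F BE 11 56 19 B0 53 }
        // The last byte was published as a lone nibble ("8"), which is not
        // valid hex-string syntax. The known high nibble is kept and the low
        // nibble wildcarded. TODO: restore the full byte from the sample.
        $h1 = { 20 3E F0 99 E1 09 44 BE 23 C1 EF C2 9B 8? }
        // Case-insensitive ASCII match on the Tor hidden-service suffix.
        $s2 = ".onion" nocase

    condition:
        // With three strings and "2 of them", at least one byte pattern
        // must be present; ".onion" alone never fires the rule.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}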