rule Pearl_ransomware_1 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "70aeb181ead5dcb349b697b83e8dfccdeb2514060cded082cda3f084ae6327da"

    strings:
        $h0 = { E8 E0 53 D3 7F 1B E6 AE EA 12 00 E7 1F 43 }
        $h1 = { EC F7 E2 62 1F C4 A7 C6 }
        $h2 = { 7E 50 E7 0D DE 08 86 BC 7C E1 F0 03 8D 9C 0E BA 6C 83 1E A4 B6 15 0C A }
        $s3 = "PAYMENT" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule Pearl_ransomware_2 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ae452b53937fdb14d53efdcd893d0377596ecc7934b78675a42345fbed3643e"

    strings:
        $h0 = { FF 4D 6B 12 A0 3F D5 C6 04 11 13 4A C3 B6 6E C }
        $s1 = "::::" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "README" nocase
        $h4 = { CB CD A6 3B 40 0F 2A C6 41 E8 05 AD 4B 9D 77 EE D8 B }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}