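/*
 * PerseusCrew_ransomware_1
 *
 * Flags files that start with the "MZ" magic, are smaller than 5MB, and
 * contain at least three of the five indicators below.
 */
rule PerseusCrew_ransomware_1
{
    meta:
        description = "Detects PerseusCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e85a55b5ebe92570de3495367a702c80822c4cbd6a22f194badee2ba2afdc8fb"

    strings:
        // '1' or '3' followed by 25-34 Base58 characters, the shape of a
        // legacy Bitcoin address. The pattern is unanchored, so it also
        // matches inside any longer alphanumeric run. Treat it as a weak
        // indicator by itself.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte patterns; their origin in the sample is not documented here.
        $h1 = { DA F6 D2 B7 47 E1 B9 A2 33 D1 54 7E 0A FE 46 7A A6 7D B5 9C 16 69 3C }
        $h2 = { 11 27 4A 5E 23 98 9B A0 08 83 68 73 C5 01 DA 37 14 E9 }

        // Case-insensitive text match.
        $s3 = "Do not rename" nocase

        // The published pattern ended in a lone nibble ("... 03 B"), which is
        // not a valid hex-string token and stops the rule from compiling. The
        // incomplete trailing byte is dropped, so the pattern is a prefix of
        // the intended one. Restore the full byte if the original rule source
        // is available.
        $h4 = { 9C 26 D2 A7 E0 6A A0 ED D5 AF 64 D6 03 }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE header.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

/*
 * PerseusCrew_ransomware_2
 *
 * Flags files that start with the "MZ" magic, are smaller than 5MB, and
 * contain at least two of the four indicators below.
 */
rule PerseusCrew_ransomware_2
{
    meta:
        description = "Detects PerseusCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2d93104efb2472256b96e84ac1da22f87eb8027cd9e4547185d6181143c4a06b"

    strings:
        // Case-insensitive text match on a very common word.
        $s0 = "PAYMENT" nocase

        // The published pattern ended in a lone nibble ("... 41 2"), which is
        // not a valid hex-string token. The incomplete trailing byte is
        // dropped, so the pattern is a prefix of the intended one.
        $h1 = { 45 55 22 88 55 12 D4 71 60 FA 22 BA 41 }

        // Legacy-Bitcoin-address-shaped string (unanchored Base58 run).
        // The published rule declared this same regex twice ($r2 and $r3),
        // so one address-like string satisfied "2 of them" without any other
        // indicator. Only one copy is kept, so two distinct indicators are
        // now required.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte pattern; its origin in the sample is not documented here.
        $h4 = { 41 C7 A4 0B 73 4C 40 31 A5 EB 2F 4F 0A D0 16 }

    condition:
        // NOTE(review): $s0 together with $r2 can still satisfy "2 of them",
        // and both are plausible in benign payment or wallet software.
        // After validating against the sample named in meta.hash, consider
        // also requiring one of ($h*).
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}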