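rule Phobos_ransomware_1
{
    meta:
        description = "Detects Phobos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "33995b178079f93269a02a4940f454ee9c10f7a940468dd211fbd16e1806c791"

    strings:
        // Generic indicators. Each of these also occurs in plenty of benign
        // software (crypto libraries, installers, Tor-aware clients), so on
        // their own they are weak evidence and are only counted alongside a
        // byte pattern in the condition below.
        $s0 = "AES-256" nocase
        // Legacy Bitcoin address shape (Base58 alphabet, first char 1 or 3).
        // The regex has no anchors, so it can also fire inside base64 blobs
        // or other long alphanumeric runs.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r4 = /README\..{3,10}/i
        // 56-character label followed by ".onion" (Tor v3 hostname length).
        $r6 = /[A-Za-z0-9]{56}\.onion/

        // Byte patterns attributed to the sample named in meta.hash.
        // $h2: the original pattern ended with a lone nibble "6", which is
        // not valid YARA hex syntax and makes the whole rule fail to compile.
        // The high nibble is unknown, so it is wildcarded here;
        // TODO confirm the intended byte against the sample.
        $h2 = { 9D 24 02 F7 A7 5B 79 CD ?6 }
        $h3 = { DC 30 BD 5C 08 5C 21 12 A0 79 55 E8 A8 }
        $h5 = { 4C BE EE 98 EC D2 1E DC BD 93 2F AE DE 3F CB }
        $h7 = { 7C F8 7C 08 AE 00 7B 7F FE }

    condition:
        // PE file (MZ header), bounded size to keep scanning cheap, and at
        // least three indicators of which at least one is a byte pattern.
        // Without the "1 of ($h*)" guard the three generic strings alone
        // ($s0, $r1, $r4) could satisfy "3 of them" on a legitimate binary
        // that bundles a crypto library and a README, which is a common
        // false-positive source for this kind of rule.
        uint16(0) == 0x5A4D and filesize < 5MB and 1 of ($h*) and 3 of them
}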