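/*
 * SplinterHack_ransomware_1
 *
 * Flags files that start with the "MZ" magic, are smaller than 5 MB and
 * contain all three byte patterns below.
 *
 * NOTE(review): the page does not say where in the sample these bytes come
 * from (code, data, packed section). Validate the rule against the file
 * named in meta.hash and against a goodware corpus before deploying it.
 */
rule SplinterHack_ransomware_1
{
    meta:
        description = "Detects SplinterHack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b5ec0ff70d0130b159368c06f0301de784b30f0ac863df4ca957d208ff42c344"

    strings:
        // The published pattern ended in a lone nibble ("8"), which is not a
        // valid hex-string token and stops the rule from compiling. Whether
        // it was the high or the low nibble cannot be told from the page, so
        // the incomplete byte is omitted. Restore it from the reference
        // sample if the full value is known.
        $h0 = { 06 5C 70 11 F4 A1 B3 30 EB 5B CF F4 DE 2A }

        $h1 = { 77 DF B2 9F 39 32 55 21 DF 63 8A C2 B2 B5 72 62 4B 24 }

        // Same repair as $h0: the dangling trailing nibble ("5") is omitted.
        $h2 = { 6E 84 63 6C 6F 5B 96 18 86 26 69 65 90 3C FE }

    condition:
        // 0x5A4D is "MZ" read as a little-endian 16-bit value at offset 0.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Exactly three strings are defined, so this equals the original
        // "3 of them" and stays correct if the string set is edited later.
        all of them
}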