rule Stingray_ransomware_1 {
    meta:
        description = "Detects Stingray ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "461ccf76124cabc4852db1f1dcb078e5ed5fc252c64be16404f56845fb6b0384"

    strings:
        $h0 = { F8 C2 84 E1 FE 86 35 57 6E 6D BC D2 17 F5 04 B8 5E CF C2 26 FE ED }
        $h1 = { 96 49 AF DA 2D 2A DE 65 D9 D5 02 9D 5F D6 4A }
        $h2 = { 2F 19 64 1B 9A 33 AC 48 39 E2 70 38 82 72 89 C }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}