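/*
 * STORMOUS_ransomware_1
 *
 * Flags Windows PE files under 5 MB that carry at least one of the byte
 * patterns below together with ransom-note style indicators (Tor address
 * suffix, README.<ext> file name, Bitcoin-like address).
 *
 * Review notes:
 *   - $h4 and $h5 originally ended on a single hex digit, which YARA rejects
 *     as an invalid hex string, so the rule did not compile. The dangling
 *     nibble is kept as a nibble wildcard (E? / F?). The patterns may have
 *     been truncated when the rule was published; re-derive them from the
 *     reference sample in meta.hash to confirm.
 *   - $s0, $r1 and $r3 are generic and occur in unrelated software. With the
 *     original "3 of them" these three alone satisfied the condition, so the
 *     condition now also requires one of the $h* byte patterns.
 *   - $r3 has no fixed prefix and is a loose base58 match; expect it to hit
 *     often and to slow scanning on large corpora.
 */
rule STORMOUS_ransomware_1
{
    meta:
        description = "Detects STORMOUS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "ab3dcc3adf5b49ee7dd2cc6e82f88c925769c83b517215f853f037831d00c04e"

    strings:
        // Generic indicators: supporting evidence only, not family-specific.
        $s0 = ".onion" nocase
        $r1 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte patterns supplied by the author.
        $h2 = { 7C D7 72 73 22 53 E7 46 AD 47 }
        // Last byte was a lone "E" in the published rule; low nibble unknown.
        $h4 = { E7 57 DD AA 5E F3 43 E5 88 61 0B 4C 1A 7F 27 5C 6E AD B6 D1 52 85 0C E? }
        // Last byte was a lone "F" in the published rule; low nibble unknown.
        $h5 = { CA 79 37 31 24 64 F5 81 67 93 F? }

    condition:
        // "MZ" header, size cap, at least one byte pattern, three strings overall.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        any of ($h*) and
        3 of them
}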