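// Flags small PE files that contain at least three of the indicators below:
// a note phrase, four byte patterns and a README.<ext> style file name.
rule ThetaCrew_ransomware_1
{
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6e39b1255ad1a58e6795e046f328289ce53fd8886fe3f0a827d22c66f3772893"

    strings:
        $s0 = "Do not modify" nocase
        // NOTE(review): the published pattern ended in a lone nibble ("D").
        // A hex-string byte needs two nibbles, so the rule did not compile.
        // The low nibble is wildcarded here; confirm the full byte against
        // the sample named in meta.hash.
        $h1 = { AE 23 C6 3B 57 B8 33 61 CA 75 D? }
        $h2 = { E5 8A 82 23 E1 C0 E4 EB A5 E6 C3 }
        // NOTE(review): same truncated trailing nibble as $h1 - confirm.
        $h3 = { 3A 9F 26 E2 95 9C D5 21 9F C4 AD B6 49 C0 0B 47 31 D? }
        $h4 = { 43 D9 40 BD AA 8F 0E D1 F9 90 }
        // "README." followed by 3-10 arbitrary non-newline characters.
        $r5 = /README\..{3,10}/i

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header magic.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

// Flags small PE files that embed both a 56-character .onion host name and a
// string shaped like a legacy Bitcoin address (leading 1 or 3, base58 body).
//
// The original rule listed each regex twice under different identifiers, so
// "2 of them" was already satisfied by a single .onion match or a single
// address-shaped match. Each pattern is now declared once and both are
// required, which is what a two-indicator threshold implies.
//
// NOTE(review): the address regex is unanchored and will also hit arbitrary
// base58-looking runs in unrelated binaries; treat a match as a triage lead
// and corroborate with the byte-pattern rules in this file.
rule ThetaCrew_ransomware_2
{
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "75780be4ad12faa2f02d39635332b71140273c9645ffdf9a3208b88f553f2709"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}

// Flags small PE files that contain at least two of: two byte patterns and a
// 56-character .onion host name.
rule ThetaCrew_ransomware_3
{
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "19cf6e7ca937d4a699622a60c667978a34e7195f30b239ef5dd60981dec57e13"

    strings:
        $h0 = { 9F 6F CE B7 D6 03 C7 5D 47 FD 40 12 }
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $h2 = { ED F4 0D FA 53 6C BF 35 48 7A 30 FA 2D F4 3A ED 52 7D 4F }

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}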