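// Three signatures for ThreeAM ransomware samples, one per reference hash.
// Every rule is gated on an MZ header (uint16(0) == 0x5A4D) and a 5MB size cap.
// No string carries the `wide` modifier, so only single-byte (ASCII) text is
// matched; UTF-16 copies of the same text will not hit.

rule ThreeAM_ransomware_1
{
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // 64 hex characters, presumably the SHA-256 of the reference sample.
        hash = "c99a858933e81760d9fe14bff6101423b0865cdeb70ecb1ab038323a2cd98565"

    strings:
        // Base58-style run shaped like a legacy Bitcoin address (leading 1 or 3).
        // The pattern is unanchored, so it also matches inside longer
        // alphanumeric runs.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // The published pattern ended in a lone nibble ("... 10 56 9"), which is
        // not valid hex-string syntax and stops the whole rule file compiling.
        // The incomplete token is dropped: the remaining 16-byte prefix still
        // matches everything the full pattern would have matched.
        // NOTE(review): restore the final byte from the reference sample if known.
        $h1 = { FC 19 4B 12 11 3C 76 99 EA A3 A9 3D 3D 10 10 56 }

        $s2 = "BITCOIN" nocase

    condition:
        // NOTE(review): "2 of them" is met by $r0 + $s2 alone, i.e. any small
        // MZ file holding the word "bitcoin" and an address-shaped run, without
        // the sample-specific bytes in $h1. Expect false positives; consider
        // requiring $h1.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule ThreeAM_ransomware_2
{
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f90da3670a7b8fc30a575ffd0838f8c03b3b504a5b208371cb3514874574cfc6"

    strings:
        $s0 = ".threeam" nocase
        $h1 = { 9C 52 FF 92 57 7D D5 85 70 74 68 DD 21 A8 FF 9A 80 5E 44 6C }

        // 56 alphanumeric characters followed by ".onion" (the length of a v3
        // onion hostname); the character class is wider than base32.
        $r2 = /[A-Za-z0-9]{56}\.onion/

        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s4 = "DECRYPT" nocase
        $h5 = { E2 F0 79 FF 2F EA 33 81 }

        // NOTE(review): $r6 is byte-for-byte the same regex as $r3, so a single
        // address-shaped run satisfies two of the seven strings. It is kept so
        // the effective threshold is unchanged; if the duplicate is removed,
        // re-validate "4 of them" against the reference sample.
        $r6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // Because $r3/$r6 count twice, the threshold can be reached with only
        // generic ransom-note text (address + two of $s0/$r2/$s4) and neither
        // hex pattern.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule ThreeAM_ransomware_3
{
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "79922531aea3da719745a4c43bfdaeb89cc82f13e1c2f7081cf5e8c5f51ee7d6"

    strings:
        $h0 = { 40 C0 79 A1 5D CA 63 58 FE 51 8C 4F A4 91 A6 F4 8F 5D 12 65 86 FC 12 }

        // `nocase` has no effect on punctuation, so the modifier is omitted.
        // Three bytes is a very short string and will match in many files.
        $s1 = "!!!"

        $h2 = { 65 5E 7A F4 96 28 37 17 7D BC 19 C9 99 26 C2 D4 1E 5F A2 AA 65 99 72 24 }
        $s3 = "TOX:" nocase
        $s4 = "PAYMENT" nocase

    condition:
        // Only three of the five strings are text, so "4 of them" always needs
        // at least one of the hex patterns $h0 / $h2.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}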