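/*
 * Three rules labelled as detecting Trinity ransomware. Each one is scoped to
 * files that start with the MZ magic (uint16(0) == 0x5A4D) and are smaller
 * than 5MB, and each carries a reference hash in its meta section.
 *
 * Changes from the original listing:
 *   - Four hex strings ended in a single dangling nibble ("... 2B F"), which
 *     is not a valid hex-string token, so the rule set did not compile. The
 *     incomplete nibble was dropped. This can only widen what the pattern
 *     matches, never narrow it.
 *     NOTE(review): the full byte is unknown from this listing; regenerate
 *     the patterns from the sample named in each rule's hash field.
 *   - Trinity_ransomware_3 declared "Do not modify" twice ($s2 and $s3), so a
 *     single occurrence of that phrase satisfied "2 of them" on its own. The
 *     duplicate was removed.
 *   - "nocase" was removed from "::::"; it has no letters, so the modifier
 *     did nothing.
 */

rule Trinity_ransomware_1
{
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a86ea46bdcb1d690281672e3de72297d2d58264d09708a8c7725b67743fd4fd4"

    strings:
        // Byte patterns. The listing does not say which part of the sample
        // they were taken from.
        $h0 = { A4 9D DE A7 F3 46 19 2E 90 DE 77 04 92 09 6F }
        // Trailing dangling nibble "F" dropped (see header comment).
        $h4 = { 74 29 16 CE 64 89 7A 2B 5A 87 C6 C1 37 41 5E 32 B8 AB 5D 2B }
        // Trailing dangling nibble "F" dropped (see header comment).
        $h6 = { 1C 2E 3D 9A 0F E7 F2 AE 3C A3 94 87 56 D9 A3 BC C2 23 F9 }

        // Ransom-note vocabulary, matched case-insensitively.
        $s1 = "YOUR FILES" nocase
        $s2 = "BITCOIN" nocase
        $s3 = "DECRYPT" nocase
        $s5 = "Do not modify" nocase
        $s7 = "PAYMENT" nocase

    condition:
        // NOTE(review): the five text strings alone can reach the threshold
        // of four, and none of them is specific to one family. A hit backed
        // only by $s* strings is a triage lead, not an attribution; check
        // which strings matched and compare against the reference hash.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule Trinity_ransomware_2
{
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a41d8eee07c4b325c981d3fd49aaa4b1f97ab1f2a1bfaff13186f662dafa30f0"

    strings:
        $h0 = { 44 85 4F D6 80 1C 12 74 }
        $h1 = { FE A4 54 BE EF AD 6E 4E 7E D8 72 18 5E 96 CA FF 8F A3 81 2D 7C 28 92 89 }
        // Trailing dangling nibble "A" dropped (see header comment).
        $h2 = { 0E 76 BF C9 D0 ED A7 1B 2A }

    condition:
        // The original "3 of them" over three strings means every pattern
        // must be present; "all of them" states that directly.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

rule Trinity_ransomware_3
{
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f1a38a63d5ee417d9ad3213a8a633ea859d5ed4555d6435eb492a7f0071903d0"

    strings:
        // 56 alphanumeric characters followed by ".onion".
        // NOTE(review): v3 onion addresses use the base32 alphabet (a-z, 2-7),
        // so this class is wider than it needs to be; tighten it only after
        // confirming how the address is cased in the sample's note.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Trailing dangling nibble "B" dropped (see header comment).
        $h1 = { 72 1D 20 E2 44 ED 2F EA 32 C8 18 81 }
        $s2 = "Do not modify" nocase
        // $s3 was an exact duplicate of $s2 and has been removed. The
        // identifier $s4 is kept so existing match logs still line up.
        $s4 = "::::"

    condition:
        // With the duplicate gone, two distinct indicators are required.
        // NOTE(review): $s2 together with $s4 is still a weak pair; consider
        // requiring $r0 or $h1 once the rule has been validated against the
        // reference sample and a clean-file corpus.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}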