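// TwilightRed ransomware detection rules.
//
// Both rules gate on an MZ header and a size cap, then require three of the
// listed strings. The byte-sequence strings on the page each ended in a lone
// hex nibble, which YARA rejects at compile time (hex strings are made of
// two-digit bytes, with `?` for an unknown nibble); the missing low nibble
// could not be recovered, so it is wildcarded rather than dropped.

rule TwilightRed_ransomware_1
{
    meta:
        description = "Detects TwilightRed ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "baff5cc7068a8c23c33a15f8063ff7cb1a8dead9ed7d79d155c40617486836d7"

    strings:
        // Ransom-note file name of the form README.<ext>. Generic on its own;
        // only meaningful because the condition requires the other strings too.
        $r0 = /README\..{3,10}/i
        // Base58 run shaped like a Bitcoin address. Unanchored, so it also
        // fires on other alphanumeric blobs (base64, hashes); treat as weak.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Byte sequence from the referenced sample. The page gave a trailing
        // lone nibble "2"; the low nibble is wildcarded to keep the rule valid.
        $h2 = { C5 29 BE 34 15 1D 71 F7 F1 99 3F A6 D4 F5 2? }

    condition:
        // PE check, scan-cost bound, and all three strings: with exactly three
        // strings defined, "3 of them" means every string must match.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule TwilightRed_ransomware_2
{
    meta:
        description = "Detects TwilightRed ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "99f27e82098a58c6a2c529335e0d1c6c2f50026b72b2974329db13bddcf6b83a"

    strings:
        // 56-character .onion hostname pattern (the shape of a v3 onion
        // address). The page listed this same regex twice as $r0 and $r1; the
        // duplicate is dropped so a single address cannot count twice toward
        // the "3 of them" threshold.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Byte sequences from the referenced sample. Each ended in a lone
        // nibble on the page ("2", "C", "E"); those low nibbles are wildcarded.
        $h2 = { 93 BD CA AA A4 A7 BA 30 2? }
        $h3 = { B3 B4 44 AD 32 A8 12 ED C4 D0 F1 92 C? }
        $h4 = { C6 BC 80 CC E3 07 DF 16 5C AC 8C 82 22 F4 85 A7 2C E? }
        // Ransom-note file name and a recovery keyword; both are generic.
        $r5 = /README\..{3,10}/i
        $s6 = "RECOVER" nocase

    condition:
        // NOTE(review): the three text strings ($r0, $r5, $s6) alone satisfy
        // "3 of them" without any $h* byte sequence matching. If false
        // positives appear, consider additionally requiring `1 of ($h*)`.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}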