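// Umbra ransomware detector. Matches PE files (MZ header) smaller than 5 MB
// that carry at least two of the listed artefacts, at least one of which must
// be a sample-specific hex fragment or the .onion contact address. The two
// generic text markers ($s3, $s4) cannot satisfy the rule on their own, which
// keeps false positives on unrelated binaries down.
rule Umbra_ransomware_1
{
    meta:
        description = "Detects Umbra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b921d4ce19e4ca9f53c13064432af9c0f1d712dfb90d43afe074dcf0b7f2c1de"

    strings:
        $h0 = { 71 90 5D 5B 58 23 6B C2 B5 BF C3 FB 00 A7 14 E3 E7 18 }
        // v3 onion addresses are 56 characters; the character class is kept as
        // permissive as the original rule wrote it.
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // The original pattern ended with a lone nibble ("B"), which is not valid
        // YARA hex syntax. The low nibble is wildcarded rather than guessed.
        $h2 = { F3 F1 D2 11 15 7B 46 DE 17 CA E8 B? }
        // Generic text markers; weak on their own, see condition.
        $s3 = "::::" nocase
        $s4 = "Do not modify" nocase
        $h5 = { 0A C4 D4 1D F1 BB DC 26 D1 F0 48 DE C2 B8 F3 }
        // Same truncated trailing nibble ("0") as in $h2; wildcarded.
        $h6 = { CB BE 15 F2 F5 03 DA 0F E2 2E 9B 0? }

    condition:
        // MZ magic, size cap, then the artefact threshold: two hits overall,
        // of which at least one is a specific hex fragment or the onion address.
        uint16(0) == 0x5A4D and filesize < 5MB
        and 2 of them
        and 1 of ($h*, $r1)
}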