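rule Underground_ransomware_1
{
    meta:
        description = "Detects Underground ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "212f1dcbccacd0cb1a308c23e9b9c5aaafb5948513ed33e73a414d8a4c6773d4"

    strings:
        // Tor v3 hidden-service address. Real v3 addresses are 56 chars of
        // base32 (a-z, 2-7), so [A-Za-z0-9] is wider than strictly needed;
        // kept as authored. The original rule declared this same regex twice
        // ($r0 and $r4); the duplicate is removed here.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Tox messenger contact marker.
        $s1 = "TOX:" nocase
        // Binary artefacts. The original $h2 ended in a lone nibble ("CD 1"),
        // which is not valid YARA hex syntax (every byte needs two hex digits)
        // and fails to compile. The unrecoverable final byte was dropped rather
        // than guessed, so this pattern is one byte shorter (and therefore
        // slightly broader) than the author intended.
        $h2 = { C8 44 E0 FF 97 9E D9 16 CD }
        $h3 = { 99 22 8E E3 74 FA 1E 41 86 8F D7 F5 26 F6 }

    condition:
        // MZ header and a size cap, as in the original.
        // The original required "4 of them" over five strings where $r4 was a
        // copy of $r0, so the two always counted together: that is equivalent
        // to $r0 matching plus any two of the remaining three strings. With the
        // duplicate gone, the same effective threshold is written explicitly
        // instead of a plain "4 of them" (which would now require all four).
        uint16(0) == 0x5A4D and filesize < 5MB
        and $r0 and 2 of ($s1, $h2, $h3)
}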