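/*
 * ZenithBlack ransomware detection rules (RansomwareMonitor, 2026-03-06).
 *
 * Fixes relative to the generated feed:
 *  - Five hex strings ended in a lone nibble ("A4 0", "E3 5", "1C 5", "0C D",
 *    "11 1"). YARA requires whole bytes in hex strings, so the ruleset did not
 *    compile. The trailing partial byte is dropped; the patterns are a little
 *    shorter (and therefore marginally wider), not wrong. If the original
 *    sample is available, restore the missing byte from it.
 *  - Rule 1 and rule 2 could fire on generic text alone ("PAYMENT"/"TOX:",
 *    "README.<ext>"/an .onion address). Each now also requires at least one
 *    sample-specific hex anchor ($h*); the original "N of them" threshold is
 *    kept on top of that.
 *  - Rule 3 listed the same README regex twice and required "4 of them", which
 *    is equivalent to all three distinct strings matching; written as such.
 *
 * No "pe" module import is needed: the PE check is a plain uint16(0) == "MZ".
 */

rule ZenithBlack_ransomware_1
{
    meta:
        description = "Detects ZenithBlack ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "587be3243b11ac67bb498a9b51a77f0948807a11efbef6e821edf69fc3a0ba69"

    strings:
        // Sample-specific byte sequences from the hashed sample.
        $h0 = { 17 81 BF 44 94 92 63 4A }
        // Original ended in a lone nibble "0"; trailing partial byte dropped.
        $h1 = { 69 92 5C F9 B8 E5 D0 C6 15 93 9D A7 80 29 FF FE 24 C3 68 A4 }
        // Ransom-note vocabulary; weak on its own, hence the $h* requirement below.
        $s2 = "PAYMENT" nocase
        $s3 = "TOX:" nocase

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB
        and 1 of ($h*)   // never match on the generic note strings alone
        and 2 of them
}

rule ZenithBlack_ransomware_2
{
    meta:
        description = "Detects ZenithBlack ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "eb55a2f76478870dabf206b99c43241acd44306fad5713be1be289a47109c7a7"

    strings:
        // Sample-specific byte sequences. $h0, $h1, $h2 and $h5 each ended in a
        // lone nibble in the source feed; the partial byte was dropped.
        $h0 = { 2B 4D E9 7A 20 27 E8 64 EF 8A BC 8C 0C 76 DF D3 72 C5 54 F7 4C E3 }
        $h1 = { 4D 23 FE C1 AD 90 DC EE 1C }
        $h2 = { C3 88 BC 4C FB 01 19 10 0C }
        $h5 = { D5 D8 77 8E 50 19 D8 8F EE E9 0B 97 06 38 A6 B2 E3 11 }
        // 56-char v3 onion address. Real v3 addresses are lowercase base32
        // ([a-z2-7]); the wider class is kept as in the feed.
        $r3 = /[A-Za-z0-9]{56}\.onion/
        // Ransom-note filename stem. Unanchored, so "{3,10}" behaves like "{3}";
        // this matches many benign binaries and is only supporting evidence.
        $r4 = /README\..{3,10}/i

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB
        and 1 of ($h*)   // generic note/onion regexes must not satisfy the rule by themselves
        and 3 of them
}

rule ZenithBlack_ransomware_3
{
    meta:
        description = "Detects ZenithBlack ransomware"
        author      = "RansomwareMonitor"
        date        = "2026-03-06"
        hash        = "7bad5d158843c5b212c66b6853e5fb70b8aac552bd72a72350217a3c0162b550"

    strings:
        // Sample-specific byte sequences from the hashed sample.
        $h0 = { 98 49 6F E5 18 F3 EF A7 05 4C C4 DB 21 69 57 }
        $h1 = { 07 6F F3 1A 92 83 65 E8 2B 1B 68 D4 AE 7F 64 36 A1 }
        // The feed declared this regex twice ($r2 and $r3); one copy is enough.
        $r2 = /README\..{3,10}/i

    condition:
        // Original "4 of them" over two identical regexes == every distinct string.
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}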