// Two sample-derived signatures. Family label, author, date and reference hash
// are reproduced exactly as published in each rule's meta section.
// NOTE(review): "Zeus" is also the name of a well-known banking trojan; confirm
// the family label so alerts from these rules are triaged under the right name.

rule Zeus_ransomware_1
{
    meta:
        description = "Detects Zeus ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bb8f2976bf8679580703f024b0c1895a0044f4a8faaec8653b721b93481bf71b"

    strings:
        // Three fixed byte sequences with no wildcards or jumps: every byte must
        // match exactly.
        // NOTE(review): presumably extracted from the sample in meta.hash. Confirm
        // they come from stable code or data rather than packed/encrypted regions,
        // otherwise the rule identifies only this one build.
        $seq_a = { 44 83 7C 8D 7C 2C B8 8A 1A 0D 0D 7A 38 B3 75 }
        $seq_b = { AA F1 7E 54 80 89 0B 4C CF 57 4D 10 56 47 }
        $seq_c = { 6A AD C2 5E E9 48 E0 BF 25 2D 72 BE 4D ED 79 D1 9D 04 F3 3C 57 4C B8 49 }

    condition:
        // Size cap and the "MZ" magic at offset 0 gate the rule; all three
        // sequences are then required (three strings are defined, so this is the
        // same as "3 of them").
        // NOTE(review): the MZ test alone does not confirm a PE header; consider
        // also requiring uint32(uint32(0x3C)) == 0x00004550 after testing.
        filesize < 5MB and
        uint16(0) == 0x5A4D and
        all of them
}

rule Zeus_ransomware_2
{
    meta:
        description = "Detects Zeus ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fd962a51fedfcf7595182682f359faddcb040aa18b5143d0d7149b91f2fd2e15"

    strings:
        // Two fixed byte sequences (no wildcards) plus one regular expression.
        $seq_a = { 2C 02 C6 EF 80 A4 2C 52 8C A3 F7 DA FC 13 }
        $seq_b = { F5 3A D8 0B 86 8F 3F 70 70 8D D6 7A 7C 44 77 52 3A 94 41 F2 EF 96 7E 0A }

        // Matches 56 ASCII letters or digits followed by ".onion".
        // NOTE(review): the character class is wider than the base32 alphabet
        // (a-z, 2-7) used by 56-character onion addresses, and there is no
        // leading boundary, so the tail of any longer alphanumeric run also
        // matches. No "wide" modifier is set, so UTF-16 text is not covered.
        $onion_addr = /[A-Za-z0-9]{56}\.onion/

    condition:
        // Size cap and "MZ" magic as above, then any two of the three strings.
        // NOTE(review): with a threshold of two, a single byte sequence plus any
        // embedded .onion address satisfies the rule; legitimate Tor-aware
        // binaries are a plausible false-positive source. Consider requiring
        // both byte sequences, or one sequence plus a tightened address pattern,
        // once validated against the reference sample.
        filesize < 5MB and
        uint16(0) == 0x5A4D and
        2 of ($*)
}