General

  • Target

    t5.zip

  • Size

    379KB

  • Sample

    201104-mycxjhnhbs

  • MD5

    129e964f937c0200368060318f47183c

  • SHA1

    cf4a85ba18f664d942c0b80e63ac8011b31696fa

  • SHA256

    f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077

  • SHA512

    ef5dc76580d39d2c51926d6023fed20368700e947293454e122996d3d9164d2d4d466e116dc18ab4f78113620d85d97ee2bc5cc027bb696db90380b07d2dc738

Malware Config

Extracted

Path

C:\RECOVER-FILES.txt

Ransom Note
------------------
| What happened? |
------------------
Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED.

----------------------
| What does it mean? |
----------------------
It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.

--------------------------
| How it can be avoided? |
--------------------------
In order to avoid this issue, you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT.

-------------------------------------------
| What if I do not contact you in 3 days? |
-------------------------------------------
If you do not contact us in the next 3 DAYS we will begin DATA publication.

-----------------------------
| I can handle it by myself |
-----------------------------
It is your RIGHT, but in this case all your data will be published for public USAGE.

-------------------------------
| I do not fear your threats! |
-------------------------------
That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION.

--------------------------
| You have convinced me! |
--------------------------
Then you need to CONTACT US, there is few ways to DO that.

I. Recommended (the most secure method)
  a) Download a special TOR browser: https://www.torproject.org/
  b) Install the TOR browser
  c) Open our website with LIVE CHAT in the TOR browser: http://egregor4u5ipdzhv.onion/2A8DF942B436BE75
  d) Follow the instructions on this page.

II. If the first method is not suitable for you
  a) Open our website with LIVE CHAT: https://egregor.top/2A8DF942B436BE75
  b) Follow the instructions on this page.

Our LIVE SUPPORT is ready to ASSIST YOU on this website.

----------------------------------------
| What will I get in case of agreement |
----------------------------------------
You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT.

----------------------------------------------------------------------------------
Do not redact this special technical block, we need this to authorize you.

---EGREGOR---
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
---EGREGOR---
URLs

http://egregor4u5ipdzhv.onion/2A8DF942B436BE75

https://egregor.top/2A8DF942B436BE75

Extracted

Path

C:\RECOVER-FILES.txt

Ransom Note
------------------
| What happened? |
------------------
Your network was ATTACKED, your computers and servers were LOCKED, Your private data was DOWNLOADED.

----------------------
| What does it mean? |
----------------------
It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.

--------------------------
| How it can be avoided? |
--------------------------
In order to avoid this issue, you are to COME IN TOUCH WITH US no later than within 3 DAYS and conclude the data recovery and breach fixing AGREEMENT.

-------------------------------------------
| What if I do not contact you in 3 days? |
-------------------------------------------
If you do not contact us in the next 3 DAYS we will begin DATA publication.

-----------------------------
| I can handle it by myself |
-----------------------------
It is your RIGHT, but in this case all your data will be published for public USAGE.

-------------------------------
| I do not fear your threats! |
-------------------------------
That is not the threat, but the algorithm of our actions. If you have hundreds of millions of UNWANTED dollars, there is nothing to FEAR for you. That is the EXACT AMOUNT of money you will spend for recovery and payouts because of PUBLICATION.

--------------------------
| You have convinced me! |
--------------------------
Then you need to CONTACT US, there is few ways to DO that.

I. Recommended (the most secure method)
  a) Download a special TOR browser: https://www.torproject.org/
  b) Install the TOR browser
  c) Open our website with LIVE CHAT in the TOR browser: http://egregor4u5ipdzhv.onion/65358199A7B76337
  d) Follow the instructions on this page.

II. If the first method is not suitable for you
  a) Open our website with LIVE CHAT: https://egregor.top/65358199A7B76337
  b) Follow the instructions on this page.

Our LIVE SUPPORT is ready to ASSIST YOU on this website.

----------------------------------------
| What will I get in case of agreement |
----------------------------------------
You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter. And the FULL CONFIDENTIALITY ABOUT INCIDENT.

----------------------------------------------------------------------------------
Do not redact this special technical block, we need this to authorize you.

---EGREGOR---
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
---EGREGOR---
URLs

http://egregor4u5ipdzhv.onion/65358199A7B76337

https://egregor.top/65358199A7B76337

Targets

    • Target

      sm.dll

    • Size

      790KB

    • MD5

      65c320bc5258d8fa86aa9ffd876291d3

    • SHA1

      f0215aac7be36a5fedeea51d34d8f8da2e98bf1b

    • SHA256

      3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f

    • SHA512

      897f7d24f6d9a53506ee73aaf692b8293906e1f1fe13539e6d3f88fb8bafa0467632233f2b0e5a2ee1de686667c8d10a6c07f27559ff0f0a382a073e71e575e6

    Score
    10/10
    • Egregor Ransomware

      Egregor is a variant of the Sekhmet ransomware and was first seen in September 2020.

    • Target

      spr3.bat

    • Size

      120B

    • MD5

      5a93bebc658e9839cd95d418708fc5d8

    • SHA1

      36f5d83b4f7fc32d85e086d14eb0187e4b09cea4

    • SHA256

      cf874be4989a99d539cef4c00c73213ac3d0a9aff044927d175eb6a37d7a3a59

    • SHA512

      f6231d0bce100ac26e41d3b7486a1e7ad6296b967b33c75aa13686800c187e9ac72e98e02c35f7284bf96542bb62da38e9ec2544d6a56c8888b7cbf75d482ee8

    • Egregor Ransomware

      Egregor is a variant of the Sekhmet ransomware and was first seen in September 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Modifies service
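
The two extracted notes above are identical except for the 16-hex-digit token at the end of the .onion and clearnet URLs, so that token is the per-victim identifier, and the report also lists file hashes for the archive, sm.dll and spr3.bat. The following hunt helper is an added example written for this page; it is not part of the sandbox report or of any vendor tool. It matches file contents against the SHA-256 values listed in the report, finds dropped copies of RECOVER-FILES.txt by name, and pulls the contact URLs, victim token and the presence of the ---EGREGOR--- authorization block out of a note. The note excerpt and file bytes used in main() are constructed for illustration; the function and variable names are this example's own.

```python
"""Hunt helper for the Egregor indicators in this report (added example)."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# SHA-256 values copied from the report, keyed to the file they belong to.
IOC_SHA256 = {
    "f1d57ed2b3e2deff7a13ddb4682a81d2543bc5bdca1ec934833a38b8e9f18077": "t5.zip",
    "3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f": "sm.dll",
    "cf874be4989a99d539cef4c00c73213ac3d0a9aff044927d175eb6a37d7a3a59": "spr3.bat",
}

# The note is dropped as C:\RECOVER-FILES.txt; match on the file name only so a
# copy on another volume or a file share is still found.
RANSOM_NOTE_NAME = "RECOVER-FILES.txt"

# Both notes in the report use these two hosts and differ only in the 16-hex
# token after the slash, so the token is treated as the victim identifier.
CONTACT_URL_RE = re.compile(
    r"https?://(?:egregor4u5ipdzhv\.onion|egregor\.top)/([0-9A-F]{16})"
)
AUTH_MARKER = "---EGREGOR---"


def parse_note(text: str) -> dict:
    """Extract contact URLs, victim token(s) and the auth-block flag from a note."""
    matches = list(CONTACT_URL_RE.finditer(text))
    return {
        "urls": [m.group(0) for m in matches],
        "victim_ids": sorted({m.group(1) for m in matches}),
        # The note asks the victim not to redact the block between the two
        # markers; an intact copy should contain both of them.
        "has_auth_block": text.count(AUTH_MARKER) >= 2,
    }


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path: str, data: bytes) -> Optional[dict]:
    """Return a finding for one file, or None if it matches no indicator."""
    digest = sha256_bytes(data)
    if digest in IOC_SHA256:
        return {"file": path, "kind": "hash_match",
                "matches": IOC_SHA256[digest], "sha256": digest}
    if basename(path).lower() == RANSOM_NOTE_NAME.lower():
        info = parse_note(data.decode("utf-8", errors="replace"))
        return {"file": path, "kind": "ransom_note", **info}
    return None


def scan(files: Dict[str, bytes]) -> List[dict]:
    """files maps a path string to its bytes; returns every finding."""
    findings = []
    for path, data in files.items():
        hit = classify(path, data)
        if hit is not None:
            findings.append(hit)
    return findings


def scan_directory(root: Path) -> List[dict]:
    """Walk a real directory tree (hashing every regular file) and scan it."""
    files = {str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan(files)


def main() -> None:
    if len(sys.argv) > 1:
        findings = scan_directory(Path(sys.argv[1]))
    else:
        # Constructed sample: an excerpt of the note from the report plus one
        # harmless file, so the helper runs offline without a real sample.
        note = ("Open our website with LIVE CHAT in the TOR browser: "
                "http://egregor4u5ipdzhv.onion/2A8DF942B436BE75 ... "
                "https://egregor.top/2A8DF942B436BE75 ... "
                "---EGREGOR--- <auth block> ---EGREGOR---")
        findings = scan({r"C:\RECOVER-FILES.txt": note.encode(),
                         r"C:\Windows\notepad.exe": b"MZ constructed bytes"})
    for f in findings:
        print(f)


if __name__ == "__main__":
    main()
```

Run it with a directory path to hash a mounted image or a collected triage bundle; with no arguments it runs on the constructed sample. The hash list will only match the exact bytes analysed here, so a rebuilt payload or repacked archive will not hit it; the ransom-note name and URL pattern are the more durable of the two indicator classes.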

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                 Count  ID
Persistence        Modify Existing Service   1      T1031
Defense Evasion    Modify Registry           1      T1112
Credential Access  Credentials in Files      1      T1081
Collection         Data from Local System    1      T1005

Tasks