
Rewterz Threat Alert – Egregor Ransomware – IoCs

October 23, 2020

Severity

High

Analysis Summary

The Egregor ransomware has been infecting organizations around the world. The group behind it appears to operate by breaking into a company's network, stealing sensitive data, and then running Egregor to encrypt files. According to the ransom note, if the ransom is not paid within 3 days the group will leak part of the stolen data and also publicize the breach through mass media, so that the company's partners and clients learn it was attacked. The code appears to be a spinoff of the Sekhmet ransomware (itself named for the Egyptian goddess of healing). The analyzed sample uses several anti-analysis techniques, including code obfuscation and packed payloads. In one execution stage the Egregor payload is decrypted only if the correct key is supplied on the process's command line, so the file cannot be analyzed, manually or in a sandbox, unless the exact command line the attackers used to launch it is reproduced. For responders this means a sample recovered from disk without its launch arguments will not detonate: preserve the process command line (from process-creation logs, scheduled tasks or service definitions, wherever it was recorded) alongside the file itself. The group also runs an "Egregor news" site on the deep web where it leaks stolen data; at least 13 companies have had data exposed there as a victim-shaming tactic.

Impact

  • File encryption
  • Exposure of stolen sensitive data (data is exfiltrated before encryption, so backups restore files but do not prevent the leak)
  • Confidentiality breach

Indicators of Compromise

MD5

  • 627c2219a80245a25e4fe9843ac2a021
  • a654b3a37c27810db180822b72ad6d3e
  • 4c36c3533a283e1aa199f80e20d264b9
  • b554791b5b161c34b0a7d26e34a88e60
  • 7dd1a1a0eefc5a653a30010f475cc37c
  • 5f9fcbdf7ad86583eb2bbcaa5741d88a
  • 43445fbe21cf3512724646a284d3e5d7
  • 16a9c2917577e732cd6630b08e248443
  • 65c320bc5258d8fa86aa9ffd876291d3
  • 1cce0c0d67fe7f51f335a12138698403
  • d6fa64f36eab990669f0b81f84b9a78a
  • b9dcee839437a917dde60eff9b6014b1

SHA-256

  • 967422de1acc14deb7e7ce803d86aff44e2652bfcd550e3a34c2e37abc883dee
  • 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
  • aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
  • 7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18
  • 92d72d4c1aaef1983a05bb65ee540236b98fdab4ca382d15a845ab6d07ea1fb8
  • 004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a
  • 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
  • a376fd507afe8a1b5d377d18436e5701702109ac9d3e7026d19b65a7d313b332
  • 3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
  • c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906
  • 9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb
  • 2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946

SHA-1

  • e0caae0804957c5e31c53dd320ca83a5465169c9
  • d2d9484276a208641517a2273d96f34de1394b8e
  • f73e31d11f462f522a883c8f8f06d44f8d3e2f01
  • ac634854448eb8fcd3abf49c8f37cd21f4282dde
  • e27725074f7bc55014885921b7ec8b5319b1ef8f
  • 03cdec4a0a63a016d0767650cdaf1d4d24669795
  • 07d4bcb5b969a01fb21dc28e5cb1b7ceb05f2912
  • bd8c52bb1f5c034f11f3048e2ed89b7b8ff39261
  • f0215aac7be36a5fedeea51d34d8f8da2e98bf1b
  • 7bc6c2d714e88659b26b6b8ed6681b1f91eef6af
  • ed5b60a640a19afe8d1281bf691f40bac34eba8a
  • 069ef8443df750e9f72ebe4ed93c3e472a2396e2

Remediation

  • Block the threat indicators at their respective controls. The indicators listed here are file hashes, so the relevant controls are endpoint protection and EDR platforms; note that a hash only matches the exact sample, and a repacked or recompiled build will not be caught, so treat a hash hit as confirmation rather than as the sole detection.
  • Do not download or open untrusted email attachments from unknown senders.
  • Keep all systems and software updated to the latest patched versions.
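As an added example of the first remediation item (this is not Rewterz tooling and is not code from the advisory), the script below sweeps a directory tree and reports any file whose MD5, SHA-1 or SHA-256 digest matches one of the indicators listed above. The hash lists are copied verbatim from the Indicators of Compromise section; the directory to scan, the function names and the output format are assumptions. Each file is read once and all three digests are computed in the same pass, indicator values are validated and normalized to lowercase hex when loaded (a common source of missed matches is a mixed-case or whitespace-padded hash), and unreadable files are skipped rather than aborting the sweep.

```python
"""Hash-based IoC sweep for the Egregor samples listed in this advisory.

Added example, not Rewterz tooling. Hash values are copied from the
advisory; paths, function names and output format are assumptions.
"""
import hashlib
import os
import sys

# MD5 values from the advisory's Indicators of Compromise section.
EGREGOR_MD5 = """
627c2219a80245a25e4fe9843ac2a021 a654b3a37c27810db180822b72ad6d3e
4c36c3533a283e1aa199f80e20d264b9 b554791b5b161c34b0a7d26e34a88e60
7dd1a1a0eefc5a653a30010f475cc37c 5f9fcbdf7ad86583eb2bbcaa5741d88a
43445fbe21cf3512724646a284d3e5d7 16a9c2917577e732cd6630b08e248443
65c320bc5258d8fa86aa9ffd876291d3 1cce0c0d67fe7f51f335a12138698403
d6fa64f36eab990669f0b81f84b9a78a b9dcee839437a917dde60eff9b6014b1
"""

# SHA-1 values from the advisory.
EGREGOR_SHA1 = """
e0caae0804957c5e31c53dd320ca83a5465169c9 d2d9484276a208641517a2273d96f34de1394b8e
f73e31d11f462f522a883c8f8f06d44f8d3e2f01 ac634854448eb8fcd3abf49c8f37cd21f4282dde
e27725074f7bc55014885921b7ec8b5319b1ef8f 03cdec4a0a63a016d0767650cdaf1d4d24669795
07d4bcb5b969a01fb21dc28e5cb1b7ceb05f2912 bd8c52bb1f5c034f11f3048e2ed89b7b8ff39261
f0215aac7be36a5fedeea51d34d8f8da2e98bf1b 7bc6c2d714e88659b26b6b8ed6681b1f91eef6af
ed5b60a640a19afe8d1281bf691f40bac34eba8a 069ef8443df750e9f72ebe4ed93c3e472a2396e2
"""

# SHA-256 values from the advisory.
EGREGOR_SHA256 = """
967422de1acc14deb7e7ce803d86aff44e2652bfcd550e3a34c2e37abc883dee
4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18
92d72d4c1aaef1983a05bb65ee540236b98fdab4ca382d15a845ab6d07ea1fb8
004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a
28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6
a376fd507afe8a1b5d377d18436e5701702109ac9d3e7026d19b65a7d313b332
3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906
9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb
2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946
"""

ALGORITHMS = ("md5", "sha1", "sha256")


def load_iocs(text, hex_len):
    """Parse whitespace-separated hashes, lowercase them, and reject malformed ones."""
    out = set()
    for token in text.split():
        token = token.strip().lower()
        if len(token) != hex_len or any(c not in "0123456789abcdef" for c in token):
            raise ValueError("malformed indicator: %r" % token)
        out.add(token)
    return out


IOC_SETS = {
    "md5": load_iocs(EGREGOR_MD5, 32),
    "sha1": load_iocs(EGREGOR_SHA1, 40),
    "sha256": load_iocs(EGREGOR_SHA256, 64),
}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_digests(digests, ioc_sets=IOC_SETS):
    """Return [(algorithm, digest), ...] for every digest that hits an indicator."""
    hits = []
    for name in ALGORITHMS:
        value = digests.get(name, "").lower()
        if value and value in ioc_sets.get(name, ()):
            hits.append((name, value))
    return hits


def match_file(path, ioc_sets=IOC_SETS):
    """Hash one file and compare it against the indicator sets."""
    return match_digests(hash_file(path), ioc_sets)


def sweep(root, ioc_sets=IOC_SETS):
    """Walk a directory tree; return {path: hits} for files matching any indicator."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_file(path, ioc_sets)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if hits:
                found[path] = hits
    return found


if __name__ == "__main__":
    # Assumed usage: python egregor_sweep.py <directory>  (defaults to cwd)
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against suspected staging directories (user temp folders, download directories, the paths referenced by any suspicious scheduled task or service). Because the comparison is exact, a clean result only rules out these specific samples; a match, on the other hand, is high-confidence and should trigger the incident response process rather than just file deletion, since the summary above notes that data theft precedes encryption.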
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.