{"id":2340,"date":"2024-09-25T17:42:08","date_gmt":"2024-09-25T17:42:08","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2340"},"modified":"2025-07-29T03:36:48","modified_gmt":"2025-07-29T03:36:48","slug":"lmntrx-vs-egregor-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/lmntrx-vs-egregor-ransomware\/","title":{"rendered":"LMNTRX vs Egregor Ransomware"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Egregor ransomware is a new strain of ransomware found in the wide range of attacks seen in many global organizations in the last couple of weeks. They found to be using similar code obfuscation and packed payloads to escape security detection as Sekhmet. It is a clear indication that Egregor ransomware is a variant of Sekhmet malware, many threat researchers acknowledged that Egregor seems to be derived from the Sekhmet malware family. The threat group brags about their attacks on the dark web by leaking stolen data and other activities.<\/p>\n\n\n\n

INFECTION<\/strong><\/h2>\n\n\n\n

In this article, our researchers collected the samples prevented by the LMNTRIX Active Defense solution from production client networks and conducted their analysis for documenting the techniques used by the adversaries.<\/p>\n\n\n\n

Sample details:<\/p>\n\n\n

\n
\"\"
Egregor Ransomware<\/figcaption><\/figure>\n<\/div>\n\n\n

\u2018q.dll\u2019 is the main ransomware file and other two non-PE files are batch scripts. Let\u2019s check the batch files:<\/p>\n\n\n\n

Batch file\u2019s MD5: 2A7FD15EBE1A1AC21E5F2AA889F26E46<\/p>\n\n\n\n

Contents:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

This script uses bitsadmin tool to transfer the ransomware dll file from the malicious IP address and stores the file inside the windows folder as \u2018q.dll\u2019. Then it calls for registering the dll file to perform the encryption. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n

Once the batch file registers this malicious dll (q.dll), the above snapshot shows cryptic data found in the subroutine.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

The IP address found inside this batch script: hxxp:\/\/ 45.153.242(.)129\/q.dll. The second batch file is a truncated file of the first batch, and it contains the command for registering the ransomware dll.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Analysis of the Ransomware sample<\/strong><\/h2>\n\n\n\n

Ransomware file q.dll \u2013 MD5: 3C18331989CB006506338ED1F838430D<\/p>\n\n\n\n

The file compiled using VC++ as like variants of Maze and Netwalker ransomware.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

The export details can be found in the below snapshot:<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n

Based on our analysis to find out the tactics and techniques used by this sample, we found it to be employing the following techniques:<\/p>\n\n\n\n