OSINT - Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
The Egregor ransomware-as-a-service (RaaS) operation continues to leverage tools like Cobalt Strike and Rclone to facilitate payload delivery and data exfiltration. The operation relies on sophisticated network activity to maximize its impact, and external analysis of its tooling is referenced in the indicators below. Although no specific affected software versions or patches are identified, the campaign remains active and poses a medium severity risk. European organizations, especially those with valuable data and critical infrastructure, are at risk due to the ransomware's disruptive potential and data theft capabilities. Mitigation requires targeted network monitoring for Cobalt Strike beacons, restricting unauthorized use of file synchronization tools like Rclone, and enhancing incident response readiness. Countries with high digital infrastructure and previous ransomware targeting, such as Germany, France, and the UK, are likely more exposed. The threat's medium severity reflects moderate ease of exploitation combined with significant confidentiality and availability impacts. Defenders should prioritize detection of lateral movement and exfiltration attempts linked to Egregor activity.
AI Analysis
Technical Summary
Egregor is a ransomware-as-a-service (RaaS) operation that has been active since late 2020, known for combining ransomware payload deployment with data exfiltration to increase pressure on victims. This threat intelligence highlights Egregor's continued use of Cobalt Strike, a legitimate penetration testing tool often abused by threat actors for command and control (C2) and lateral movement within compromised networks. Additionally, the use of Rclone, a command-line program to manage files on cloud storage, indicates the adversaries' focus on exfiltrating large volumes of data stealthily to cloud repositories before or after encryption. The campaign does not specify affected software versions or patches, reflecting that the attack vector is more about exploiting network and system misconfigurations, weak credentials, or phishing rather than a specific software vulnerability. The medium severity rating aligns with the threat's capability to disrupt operations through ransomware encryption and cause significant data confidentiality breaches via exfiltration. The lack of known exploits in the wild suggests that the threat actors rely on social engineering, credential theft, or other initial access methods rather than zero-day vulnerabilities. The intelligence is sourced from CIRCL OSINT feeds and tagged with MISP galaxy ransomware taxonomy, confirming its classification and ongoing relevance. The technical details include a unique identifier and timestamp but no direct exploit code, and the indicators listed below are static artifacts (file hashes, IP addresses, URLs) that attackers can rotate easily, emphasizing the need for behavioral detection methods alongside indicator matching.
Potential Impact
For European organizations, the Egregor ransomware campaign poses a dual threat: operational disruption due to ransomware encryption and reputational and regulatory damage from data breaches caused by exfiltration. Critical sectors such as finance, healthcare, manufacturing, and government entities are particularly vulnerable due to their reliance on continuous availability and sensitive data handling. The use of Cobalt Strike facilitates deep network penetration and lateral movement, increasing the likelihood of widespread compromise within an organization. Rclone's involvement indicates that attackers can bypass traditional perimeter defenses by transferring data to cloud storage, complicating detection and response. The impact extends beyond immediate financial losses from ransom payments to include long-term costs related to data recovery, legal penalties under GDPR, and erosion of customer trust. European organizations with insufficient network segmentation, weak credential management, or inadequate monitoring of cloud data transfers are at heightened risk. The campaign's medium severity suggests that while exploitation is not trivial, the consequences of a successful attack are significant.
Mitigation Recommendations
European organizations should implement advanced network monitoring to detect Cobalt Strike activity, including unusual beaconing patterns and command and control communications. Deploying endpoint detection and response (EDR) solutions capable of identifying suspicious use of tools like Rclone is critical, as is restricting its use to authorized personnel and systems only. Network segmentation should be enforced to limit lateral movement opportunities for attackers. Multi-factor authentication (MFA) must be mandatory for all remote access and privileged accounts to reduce the risk of credential compromise. Regular phishing awareness training can mitigate initial access vectors commonly exploited by ransomware groups. Organizations should maintain offline, immutable backups to ensure recovery without paying ransom. Incident response plans must include procedures for detecting and responding to data exfiltration attempts, including monitoring outbound traffic to cloud storage services. Collaboration with national cybersecurity centers and sharing threat intelligence can enhance preparedness. Finally, applying threat hunting techniques focused on behavioral indicators associated with Egregor's tactics will improve early detection.
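The two behaviours the recommendations above ask defenders to watch for, regular Cobalt Strike-style beaconing and bulk outbound transfers by a file-synchronization tool such as Rclone, can both be checked from ordinary egress (proxy or firewall) logs. The script below is an added example written for this page, not code from the advisory, CIRCL, or SentinelOne. It matches connections against the C2 addresses from this advisory's indicator list, flags (source, destination) pairs whose inter-connection intervals are suspiciously regular, and flags single connections pushing an unusually large outbound volume. The log format, the internal hosts, the documentation-range destinations (198.51.100.0/24, 203.0.113.0/24), the process names and every sample line are constructed for the example.

```python
"""Egress-log checks for the behaviours in the Egregor advisory: static C2
matching, beaconing regularity, and bulk outbound transfers.
Added example; log format and sample records are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# C2 addresses taken from this advisory's own indicator list.
KNOWN_C2_IPS = {"45.153.242.129", "217.8.117.148", "45.11.19.70", "185.238.0.233"}

# Constructed egress log. Columns: timestamp,src,dst,dst_port,bytes_out,process
# Host 10.0.0.5 calls a listed C2 once a minute (beacon); 10.0.0.7 browses
# irregularly; 10.0.0.9 pushes 700 MiB in one connection from rclone.exe.
SAMPLE_LOG = """\
2020-12-10T13:00:00Z,10.0.0.5,185.238.0.233,443,512,svchost.exe
2020-12-10T13:01:00Z,10.0.0.5,185.238.0.233,443,498,svchost.exe
2020-12-10T13:02:01Z,10.0.0.5,185.238.0.233,443,530,svchost.exe
2020-12-10T13:03:00Z,10.0.0.5,185.238.0.233,443,505,svchost.exe
2020-12-10T13:04:00Z,10.0.0.5,185.238.0.233,443,511,svchost.exe
2020-12-10T13:04:59Z,10.0.0.5,185.238.0.233,443,520,svchost.exe
2020-12-10T13:00:12Z,10.0.0.7,198.51.100.20,443,2048,chrome.exe
2020-12-10T13:07:40Z,10.0.0.7,198.51.100.20,443,1700,chrome.exe
2020-12-10T13:31:05Z,10.0.0.7,198.51.100.20,443,900,chrome.exe
2020-12-10T14:10:00Z,10.0.0.9,203.0.113.45,443,734003200,rclone.exe
"""


def parse_log(text):
    """Parse the constructed CSV records into dicts with a datetime field."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes, proc = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport),
            "bytes_out": int(nbytes), "process": proc,
        })
    return records


def match_known_c2(records, ioc_ips=KNOWN_C2_IPS):
    """Static indicator match: which internal hosts contacted a listed C2 IP."""
    return sorted({(r["src"], r["dst"]) for r in records if r["dst"] in ioc_ips})


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Behavioural check independent of any IoC: flag (src, dst) pairs whose
    inter-connection intervals are unusually regular. CV = stdev / mean of the
    gaps; interactive browsing has a high CV, a sleeping beacon a very low one."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def find_bulk_uploads(records, threshold_bytes=100 * 1024 * 1024):
    """Flag single connections sending more than threshold_bytes outbound; the
    process name is kept so an analyst sees rclone or an unknown binary at once."""
    return [r for r in records if r["bytes_out"] >= threshold_bytes]


def run_detections(log_text):
    """Run all three checks over one log and return the findings together."""
    records = parse_log(log_text)
    return {
        "c2_matches": match_known_c2(records),
        "beacons": find_beacons(records),
        "bulk_uploads": find_bulk_uploads(records),
    }


if __name__ == "__main__":
    for kind, items in run_detections(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The static match fires only while a C2 address stays on a blocklist, whereas the interval check keeps working after the operator moves to a fresh server; run the two together and tune `min_connections` and `max_cv` against a baseline of your own traffic before alerting on them. Known-good synchronisation hosts should be allowlisted for the bulk-upload check so that sanctioned backups do not page the on-call analyst.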
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- ip: 45.153.242.129
- ip: 217.8.117.148
- ip: 45.11.19.70
- file: 49.12.104.241 (on port 81)
- hash: 81 (on port 81)
- ip: 185.238.0.233
- hash: 8483aaf9e1fa5b46486c9f2a14c688c30d2006e88de65d0295a57892de0bf4c9
- hash: 3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
- hash: 2b3518937fd231560c7dc4f5af672a033b1c810d7f2f82c8151c025ce75775bf
- hash: 444a6897058fd4965770167b15a2ab13e6fd559a3e6f6cf5565d4d3282587459
- hash: c3c50adcc0a5cd2b39677f17fb5f2efca52cc4e47ccd2cdbbf38815d426be9e1
- hash: 004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a
- hash: 608b5bf065f25cd1c6ac145e3bcdf0b1b6dc742a08e59ec0ce136fe5142774e9
- hash: 3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63
- hash: 4ea8b8c37cfb02ccdba95fe91c12fb68a2b7174fdcbee7ddaadded8ceb0fdf97
- hash: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44
- hash: ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541
- hash: 765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab
- hash: 14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4
- hash: 3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55
- hash: f0adfd3f89c9268953f93bfdfefb84432532a1e30542fee7bddda14dcb69a76c
- hash: a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436
- hash: 3aad14d200887119f316be71d71aec11735dd3698a4fcaa50902fce71bdccb07
- hash: 6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780
- hash: 932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e
- url: http://185.238.0.233/p.dll
- url: http://185.238.0.233/b.dll
- url: http://185.238.0.233/sed.dll
- url: http://185.238.0.233/hnt.dll
- url: http://185.238.0.233/88/k057.exe
- url: http://185.238.0.233/newsvc.zip
- url: http://egregoranrmzapcv.onion
- url: https://egregornews.com/
- url: http://egregor4u5ipdzhv.onion/ (payment portal)
- link: https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
- hash: 6f600974c45eec97016c1259e769a4ef
- hash: 56eed20ea731d28d621723130518ac00bf50170d
- hash: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44
- datetime: 2020-12-10T13:44:49+00:00
- link: https://www.virustotal.com/gui/file/9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44/detection/f-9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44-1607607889
- text: 59/70
- hash: 666f8d920f85f9afffcf0865a98efe69
- hash: 50c3b800294f7ee4bde577d99f2118fc1c4ba3b9
- hash: a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436
- datetime: 2021-01-01T01:23:15+00:00
- link: https://www.virustotal.com/gui/file/a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436/detection/f-a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436-1609464195
- text: 54/70
- hash: 44a7085f729b68073b5c67bbc66829cc
- hash: 3c03a1c61932bec2b276600ea52bd2803285ec62
- hash: 8483aaf9e1fa5b46486c9f2a14c688c30d2006e88de65d0295a57892de0bf4c9
- datetime: 2020-12-16T04:36:39+00:00
- link: https://www.virustotal.com/gui/file/8483aaf9e1fa5b46486c9f2a14c688c30d2006e88de65d0295a57892de0bf4c9/detection/f-8483aaf9e1fa5b46486c9f2a14c688c30d2006e88de65d0295a57892de0bf4c9-1608093399
- text: 54/69
- hash: 0de24cec66ef9d1042be7cf12b87cfc4
- hash: f7bf7cea89c6205d78fa42d735d81c1e5c183041
- hash: 765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab
- datetime: 2020-12-30T16:37:33+00:00
- link: https://www.virustotal.com/gui/file/765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab/detection/f-765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab-1609346253
- text: 55/70
- hash: de3110dce011088cd4add1950a49182f
- hash: c9da06e3dbf406aec50bc145cba1a50b26db853a
- hash: 608b5bf065f25cd1c6ac145e3bcdf0b1b6dc742a08e59ec0ce136fe5142774e9
- datetime: 2020-12-21T17:59:21+00:00
- link: https://www.virustotal.com/gui/file/608b5bf065f25cd1c6ac145e3bcdf0b1b6dc742a08e59ec0ce136fe5142774e9/detection/f-608b5bf065f25cd1c6ac145e3bcdf0b1b6dc742a08e59ec0ce136fe5142774e9-1608573561
- text: 0/59
- hash: 8ba3a9d73903bd252f8d99a682d60858
- hash: 95aea6b24ed28c6ad13ec8d7a6f62652b039765e
- hash: 444a6897058fd4965770167b15a2ab13e6fd559a3e6f6cf5565d4d3282587459
- datetime: 2020-12-18T09:52:23+00:00
- link: https://www.virustotal.com/gui/file/444a6897058fd4965770167b15a2ab13e6fd559a3e6f6cf5565d4d3282587459/detection/f-444a6897058fd4965770167b15a2ab13e6fd559a3e6f6cf5565d4d3282587459-1608285143
- text: 14/60
- hash: 81bc3a2409991325c6e71a06f6b7b881
- hash: 38c88de0ece0451b0665f3616c02c2bad77a92a2
- hash: 2b3518937fd231560c7dc4f5af672a033b1c810d7f2f82c8151c025ce75775bf
- datetime: 2020-12-08T20:04:16+00:00
- link: https://www.virustotal.com/gui/file/2b3518937fd231560c7dc4f5af672a033b1c810d7f2f82c8151c025ce75775bf/detection/f-2b3518937fd231560c7dc4f5af672a033b1c810d7f2f82c8151c025ce75775bf-1607457856
- text: 60/68
- hash: 65c320bc5258d8fa86aa9ffd876291d3
- hash: f0215aac7be36a5fedeea51d34d8f8da2e98bf1b
- hash: 3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
- datetime: 2020-12-30T20:10:05+00:00
- link: https://www.virustotal.com/gui/file/3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f/detection/f-3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f-1609359005
- text: 58/69
- hash: ac33fea4c2a9bbca3559142838441f84
- hash: 948ef8caef5c1254be551cab8a64c687ea0faf84
- hash: 932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e
- datetime: 2020-12-14T11:31:47+00:00
- link: https://www.virustotal.com/gui/file/932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e/detection/f-932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e-1607945507
- text: 57/69
- hash: dd8e8bfb45fcd5f0621fe7085bfcab94
- hash: 5c99dc80ca69ce0f2d9b4f790ec1b57dba7153c9
- hash: 3aad14d200887119f316be71d71aec11735dd3698a4fcaa50902fce71bdccb07
- datetime: 2020-12-08T20:09:40+00:00
- link: https://www.virustotal.com/gui/file/3aad14d200887119f316be71d71aec11735dd3698a4fcaa50902fce71bdccb07/detection/f-3aad14d200887119f316be71d71aec11735dd3698a4fcaa50902fce71bdccb07-1607458180
- text: 55/70
- hash: 427105821263afeeccca05b43ea8dac4
- hash: fa33fd577f5eb4813bc69dce891361871cda860c
- hash: ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541
- datetime: 2020-12-11T02:01:31+00:00
- link: https://www.virustotal.com/gui/file/ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541/detection/f-ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541-1607652091
- text: 56/69
- hash: d1aa0f26f557addd45e0d9fa4afecf15
- hash: f1603f1ddf52391b16ee9e73e68f5dd405ab06b0
- hash: 14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4
- datetime: 2020-12-10T13:38:09+00:00
- link: https://www.virustotal.com/gui/file/14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4/detection/f-14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4-1607607489
- text: 57/70
- hash: a922987d1488e2dede7e39a99faf98bb
- hash: beb48c2a7ff957d467d9199c954b89f8411d3ca8
- hash: 6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780
- datetime: 2020-12-08T20:11:25+00:00
- link: https://www.virustotal.com/gui/file/6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780/detection/f-6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780-1607458285
- text: 57/67
- hash: 5f9fcbdf7ad86583eb2bbcaa5741d88a
- hash: 03cdec4a0a63a016d0767650cdaf1d4d24669795
- hash: 004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a
- datetime: 2020-12-11T07:11:00+00:00
- link: https://www.virustotal.com/gui/file/004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a/detection/f-004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a-1607670660
- text: 58/68
- hash: 9b7ccaa2ae6a5b96e3110ebcbc4311f6
- hash: 3cc616d959eb2fe59642102f0565c0e55ee67dbc
- hash: c3c50adcc0a5cd2b39677f17fb5f2efca52cc4e47ccd2cdbbf38815d426be9e1
- datetime: 2020-12-08T20:00:16+00:00
- link: https://www.virustotal.com/gui/file/c3c50adcc0a5cd2b39677f17fb5f2efca52cc4e47ccd2cdbbf38815d426be9e1/detection/f-c3c50adcc0a5cd2b39677f17fb5f2efca52cc4e47ccd2cdbbf38815d426be9e1-1607457616
- text: 59/70
- hash: 1d6aa29e98d3f54b8c891929c34eb426
- hash: ceca1a691c736632b3e98f2ed5b028d33c0f3c64
- hash: 3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63
- datetime: 2020-12-10T13:40:24+00:00
- link: https://www.virustotal.com/gui/file/3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63/detection/f-3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63-1607607624
- text: 55/70
- hash: c3c7a97da396085eb48953e638c3c9c6
- hash: 8768cf56e12a81d838e270dca9b82d30c35d026e
- hash: 3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55
- datetime: 2021-01-04T14:00:43+00:00
- link: https://www.virustotal.com/gui/file/3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55/detection/f-3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55-1609768843
- text: 58/70
- hash: c96df334b5ed70473ec6a58a545208b6
- hash: f6ad7b0a1d93b7a70e286b87f423119daa4ea4df
- hash: 4ea8b8c37cfb02ccdba95fe91c12fb68a2b7174fdcbee7ddaadded8ceb0fdf97
- datetime: 2020-12-26T00:01:37+00:00
- link: https://www.virustotal.com/gui/file/4ea8b8c37cfb02ccdba95fe91c12fb68a2b7174fdcbee7ddaadded8ceb0fdf97/detection/f-4ea8b8c37cfb02ccdba95fe91c12fb68a2b7174fdcbee7ddaadded8ceb0fdf97-1608940897
- text: 54/69
- hash: 7375083934dd17f0532da3bd6770ab25
- hash: ac6d919b313bbb18624d26745121fca3e4ae0fd3
- hash: f0adfd3f89c9268953f93bfdfefb84432532a1e30542fee7bddda14dcb69a76c
- datetime: 2020-12-29T02:03:45+00:00
- link: https://www.virustotal.com/gui/file/f0adfd3f89c9268953f93bfdfefb84432532a1e30542fee7bddda14dcb69a76c/detection/f-f0adfd3f89c9268953f93bfdfefb84432532a1e30542fee7bddda14dcb69a76c-1609207425
- text: 25/60
- text: RSA
- text: malware-extraction
Technical Details
- UUID: f42c106c-df01-47f3-bc36-16072ad63856
- Original timestamp: 1609779788 (Unix epoch, 2021-01-04T17:03:08Z)
Threat ID: 68359c9f5d5f0974d01fc07a
Added to database: 5/27/2025, 11:06:07 AM
Last enriched: 12/24/2025, 6:12:36 AM
Last updated: 2/7/2026, 11:25:19 AM