{
	"id": "823260c9-5eed-4bea-a976-1e1db87e34fd",
	"created_at": "2026-04-06T00:09:42.147562Z",
	"updated_at": "2026-04-10T03:20:57.002709Z",
	"deleted_at": null,
	"sha1_hash": "bd5b68797475c9c279c2f0f914c8d56fda9928f3",
	"title": "Egregor – Prolock: Fraternal Twins ?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97493,
	"plain_text": "Egregor – Prolock: Fraternal Twins ?\r\nBy Equipe CERT\r\nPublished: 2020-11-12 · Archived: 2026-04-05 17:21:35 UTC\r\nSince the beginning of September, CERT Intrinsec has handled several cases involving the Egregor and Prolock ransomware. This article presents the tactics, techniques and procedures of Egregor and Prolock, shares indicators of compromise, and highlights the actions of the threat actor operating both ransomware families, based on collected intelligence and TTP analysis.\r\nOn one hand, Egregor follows a strategy similar to other ransomware: it exfiltrates data, encrypts files and publishes the stolen data on its website in order to make victims pay the ransom. It has been active since the beginning of September 2020 and impacts many sectors, from insurance to transport. Its goal is financial gain.\r\nOn the other hand, Prolock, the successor of PwndLocker, has been active since March 2020. Like many other ransomware families, it targets large companies, with ransoms ranging from 35 to 255 bitcoins (400 000 to 3 000 000 $). Its goal is, as far as we know, purely financial. Prolock is active mainly in North America and Europe and impacts several sectors, such as health, construction, finance and legal.\r\nKill chain\r\nEgregor ransomware analysis\r\nInitial access\r\nWe were not able to identify a specific initial access vector: we found traces of Qakbot during investigations, but could not determine how it was dropped on the information systems. We observed many potential intrusion vectors on patient 0 (many malware samples were found on the machine).\r\nInternal reconnaissance\r\nPrior to privilege escalation, Egregor performs Active Directory reconnaissance using tools such as SharpHound or AdFind. These tools are used to gather information about users, groups, computers, and so on. 
They are also used to find the best compromise paths.\r\nPrivilege escalation\r\nDuring investigations, Egregor compromises Active Directory in order to become domain admin.\r\nLateral movement\r\nEgregor moves laterally across the information system using CobaltStrike SMB beacons. This feature allows an attacker to use SMB named pipes (logical connections between a client and a server) to relay commands through the information system, revealing the C2 IP address.\r\nThe following command line is a service created by CobaltStrike and can be found in the Windows Event Log (event ID 7045). It runs an encoded PowerShell command.\r\n[Figure: CobaltStrike service execution]\r\nIt is possible to deobfuscate CobaltStrike payloads (base64, gunzip and XOR operations) using CyberChef[1]:\r\n[Figure: CobaltStrike payload deobfuscation]\r\nC2 Communication\r\nOnce settled on the victim’s information system, Egregor communicates with its Command and Control servers over HTTPS in order to drop scripts or dynamic link libraries on infected hosts. The list of C2 servers identified during investigations can be found in section “IP Addresses”.\r\nData exfiltration\r\nhttps://www.intrinsec.com/egregor-prolock/\r\nPage 1 of 7\n\nEgregor launches an RClone client masquerading as the svchost.exe process in order to exfiltrate data. RClone is a tool for managing files in cloud storage and supports multiple backends and protocols. The RClone configuration file, in plain text, is dropped by the attacker along with the binary. 
Based on investigations and OSINT, we know that Egregor used at least three different configurations to exfiltrate data.\r\n[Figure: RClone configuration file (WebDAV)]\r\n[Figure: RClone configuration file (SFTP)]\r\n[Figure: RClone configuration file (Dropbox)]\r\nDefense evasion\r\nTo evade protections, Egregor creates a Group Policy Object to disable Windows Defender and tries to take down any anti-virus console prior to ransomware execution:\r\nDisplay name: New Group Policy Object\r\nVersion: 1\r\nregistry.pol content:\r\n- Key path: Software\\Policies\\Microsoft\\Windows Defender\r\n- Data name: DisableAntiSpyware\r\n- Value type: 0x04 (REG_DWORD)\r\n- Data value: 0x01\r\nRansomware execution\r\nEgregor downloads custom dynamic link libraries (b.dll, q.dll, etc.) using bitsadmin and executes them on the victim’s systems to encrypt data.\r\n[Figure: DLL download and execution]\r\nProlock ransomware analysis\r\nInitial Access\r\nOne of the intrusion vectors is malspam. Emotet is used to initiate the infection on several user workstations and to drop Qakbot. Emotet reused legitimate documents after taking control of some users’ email accounts. These documents contain a payload which tries to download a binary file from different URLs, as follows. 
On infected systems, after execution of the binary retrieved by the Emotet code, a few files are created (typical Qakbot behaviour):\r\n\\AppData\\Roaming\\Microsoft\\Jfayae\\vatgrcxt.exe\r\n\\koyxogldypnalvvlyxpw.exe\r\n\\AdFind.exe\r\n[Figure: Code embedded in the malicious document]\r\n[Figure: PowerShell payload (decoded from base64)]\r\n[Figure: Deobfuscated PowerShell code (used to download F889k6.exe)]\r\nUnfortunately, we were not able to retrieve F889k6.exe, either from compromised systems or from the URLs, which were already down by that time.\r\nInternal reconnaissance\r\nProlock performs Active Directory reconnaissance with the AdFind tool to gather information about users, groups and computers, so as to prepare exfiltration and ransomware execution.\r\nPrivilege escalation\r\nDuring investigations, Prolock compromises Active Directory in order to become domain admin.\r\nLateral movement\r\nProlock uses batch scripts to enable RDP on targeted hosts. We found the script below during one of our cases. The same script has already been found in other Prolock cases.\r\nThe script performs the following actions:\r\n- Enable Remote Desktop connections by setting fDenyTSConnections to 0.\r\n- Start the Microsoft Protection Service.\r\n- Add a Windows firewall rule allowing the RDP service.\r\n- Modify the RDP-Tcp registry key.\r\n[Figure: rdp.bat script (enable RDP connections)]\r\nData exfiltration\r\nWe did not see any use of RClone during incident responses involving Prolock.\r\nRansomware execution\r\nProlock uses different scripts and files to encrypt the victim’s data. It retrieves all these files from 185.238.0[.]233, which also hosts the Egregor dynamic link libraries. 
The first script, wmi_md.bat (wmi_u.bat works the same way), performs the following actions on each host whose IP address is listed in the file list_md.txt (or list_u.txt):\r\n- Connect to the host using a compromised account\r\n- Drop connect.bat and office.txt on the host\r\n- Execute connect.bat using the WMI command line\r\n- Write the host IP address to the log.dat file\r\n- Cancel the network connection\r\n[Figure: Script deploying the ransomware on the information system (wmi_md.bat)]\r\nIn addition, we found a script that uses bitsadmin to download office.txt and connect.bat from 185.238.0[.]233.\r\n[Figure: Code from eb1.bat]\r\nThe script connect.bat contains the following encoded PowerShell payload.\r\n[Figure: PowerShell payload from connect.bat]\r\nAfter decoding and deobfuscating it, we found that it is used to load office.txt in memory and execute it.\r\n[Figure: Decoded and deobfuscated payload]\r\nThe analysis of office.txt is not yet complete, but we believe that it is the ransomware itself, based on system event correlation.\r\nRelations between Egregor \u0026 Prolock\r\nDuring recent investigations, we observed common indicators of compromise and techniques between Egregor and Prolock. These common points are presented below:\r\n- The IP address 185.238.0[.]233 hosts both Egregor’s dynamic link libraries and Prolock files (especially the scripts used to run the ransomware). You can find more information about Prolock TTPs in the next section.\r\n- Both the WIN-799RI0TSTOF and WIN-4K804V6ADVQ hostnames of potential VPS have been seen during Prolock and Egregor cases.\r\n- The list_md.txt and list_u.txt files were involved in both Egregor and Prolock cases (of course, their content depends on the victim’s information system).\r\n- The use of bitsadmin in eb*.bat scripts to download DLLs (Egregor) or scripts (Prolock) is another common point between these threat actors.\r\n- The md.exe binary has been seen in both Egregor and Prolock cases.\r\n- Even if we did not observe exfiltration using RClone in our Prolock cases, we know that this threat actor uses it[2].\r\n[Figure: Timeline of incident responses involving Prolock and Egregor, highlighting common indicators of compromise]\r\nIndicators of compromise\r\nIncident response\r\nC2 domain names: amajai-technologies[.]network, amajai-technologies[.]industries\r\nIP addresses\r\n- IP addresses hosting DLLs and scripts: 185.238.0[.]233, 45.153.242[.]129\r\n- Server used for potential data exfiltration: 93.190.140[.]75\r\n- IP addresses communicating with infected systems through CobaltStrike: 23.254.229[.]82, 192.236.209[.]151\r\n- Potential VPS IP addresses: 217.138.219[.]138, 185.212.170[.]158, 23.106.215[.]67\r\n- Potential VPS hostnames: WIN-799RI0TSTOF, WIN-4K804V6ADVQ, DESKTOP-LHC2KTF, DESKTOP-93VHU8M\r\nThreat Intelligence\r\nUsing the IoCs collected during incident responses, we hunted for other Egregor files, especially from 185.238.0[.]233. We found similar dynamic link libraries (a.dll, p.dll, etc.), as well as the RClone configuration file presented in section “Data Exfiltration”.\r\nCobaltStrike C2 domain names[3]\r\nMITRE ATT\u0026CK\r\nProlock\r\n- Initial Access: Phishing (T1566): Spearphishing Attachment (T1566.001)\r\n- Execution: User Execution (T1204): Malicious File (T1204.002); Windows Management Instrumentation (T1047)\r\n- Persistence: Scheduled Task/Job (T1053): Scheduled Task (T1053.005); Valid Accounts (T1078)\r\n- Discovery: Account Discovery (T1087); Domain Trust Discovery (T1482); Permission Groups Discovery (T1069): Domain Groups (T1069.001)\r\n- Lateral Movement: Remote Services (T1021): Remote Desktop Protocol (T1021.001); Valid Accounts (T1078)\r\n- Command and Control: Ingress Tool Transfer (T1105)\r\n- Impact: Data Encrypted for Impact (T1486)\r\nEgregor\r\n- Execution: Scheduled Task/Job (T1053): Scheduled Task (T1053.005); System Services (T1569): Service Execution (T1569.002); Windows Management Instrumentation (T1047)\r\n- Persistence: Create or Modify System Process (T1543): Windows Service (T1543.003)\r\n- Defense Evasion: Impair Defenses (T1562): Disable or Modify Tools (T1562.001)\r\n- Discovery: Account Discovery (T1087); Domain Trust Discovery (T1482); Permission Groups Discovery (T1069): Domain Groups (T1069.001)\r\n- Lateral Movement: Remote Services (T1021): SMB/Windows Admin Shares (T1021.002)\r\n- Command and Control: Application Layer Protocol (T1071)\r\n- Exfiltration: Exfiltration Over Web Service (T1567): Exfiltration to Cloud Storage (T1567.002)\r\n- Impact: Data Encrypted for Impact (T1486)\r\nReferences\r\n[1] CyberChef recipe to deobfuscate CobaltStrike payloads: https://github.com/mattnotmax/cyberchef-recipes#recipe-28—de-obfuscation-of-cobalt-strike-beacon-using-conditional-jumps-to-obtain-shellcode\r\n[2] Article from Group-IB about Prolock: https://www.group-ib.com/blog/prolock\r\n[3] CobaltStrike C2 list: https://twitter.com/smoothimpact/status/1308033998371905538\r\nSource: https://www.intrinsec.com/egregor-prolock/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intrinsec.com/egregor-prolock/"
	],
	"report_names": [
		"egregor-prolock"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd5b68797475c9c279c2f0f914c8d56fda9928f3.pdf",
		"text": "https://archive.orkl.eu/bd5b68797475c9c279c2f0f914c8d56fda9928f3.txt",
		"img": "https://archive.orkl.eu/bd5b68797475c9c279c2f0f914c8d56fda9928f3.jpg"
	}
}