4dc802894c45ec4d119d002a7569be6c99a9bba732d0057364da9350f9d3659b.bin

General
Target

4dc802894c45ec4d119d002a7569be6c99a9bba732d0057364da9350f9d3659b.bin

Size

500KB

Sample

210105-re1v9glf3s

Score
10 /10
MD5

83e1ca89bcd55a87f826bc6901ff7f3e

SHA1

d0db4d232331234f0c430008a4320c0dea993c20

SHA256

4dc802894c45ec4d119d002a7569be6c99a9bba732d0057364da9350f9d3659b

SHA512

9d76d71119fa3256eb25fda06c54f1a51d547177156847ae140176868eb0d7ad41619e6bcb6dd24b523ef58cb3d5e3619172fc6868e1290fc3e956a6e136e6bc

Malware Config

Extracted

Family mespinoza
Attributes
ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: elainaroneal@onionmail.org hayleycandler@onionmail.org victoriasadlier@protonmail.com Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.
Targets
Target

4dc802894c45ec4d119d002a7569be6c99a9bba732d0057364da9350f9d3659b.bin

MD5

83e1ca89bcd55a87f826bc6901ff7f3e

Filesize

500KB

Score
10 /10
SHA1

d0db4d232331234f0c430008a4320c0dea993c20

SHA256

4dc802894c45ec4d119d002a7569be6c99a9bba732d0057364da9350f9d3659b

SHA512

9d76d71119fa3256eb25fda06c54f1a51d547177156847ae140176868eb0d7ad41619e6bcb6dd24b523ef58cb3d5e3619172fc6868e1290fc3e956a6e136e6bc

Tags

Signatures

  • Mespinoza Ransomware

    Description

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    Tags

    TTPs

    Query Registry Data Encrypted for Impact
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Tasks

                static1

                10/10