931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

General
Target

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

Size

500KB

Sample

210408-dyxmbfkmtn

Score
10 /10
MD5

3f558a6a53c72b726b42d21fa1faaf83

SHA1

6f5f822260e4deaa859f3f17e81d9349950d9e34

SHA256

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

SHA512

932442ae873bdd196142d9fc023d8c7ca05eeb55f728aa78dd451aaae5e35c13e701a3ca17bd8d79b8f924901677668275d325e7182d40f71e9b931a7ad568cd

Malware Config

Extracted

Family mespinoza
Attributes
ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: AndrianosAbarca@onionmail.org AndrianiAbel@onionmail.org AdrianiAgua@protonmail.com Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.
Targets
Target

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

MD5

3f558a6a53c72b726b42d21fa1faaf83

Filesize

500KB

Score
10 /10
SHA1

6f5f822260e4deaa859f3f17e81d9349950d9e34

SHA256

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

SHA512

932442ae873bdd196142d9fc023d8c7ca05eeb55f728aa78dd451aaae5e35c13e701a3ca17bd8d79b8f924901677668275d325e7182d40f71e9b931a7ad568cd

Tags

Signatures

  • Mespinoza Ransomware

    Description

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    Tags

    TTPs

    Query Registry Data Encrypted for Impact
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Tasks

                static1

                10/10