General

  • Target

    7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.bin

  • Size

    500KB

  • Sample

    211110-a2cvgsgad5

  • MD5

    dfe4dcc5c1ecd6cc9fea2373c672c326

  • SHA1

    11e399bed1a2e4ac51dfbae16a21f1adaff7c95f

  • SHA256

    7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14

  • SHA512

    9f9e43601a88c386026d58e0f95785a97d86b228dbe5bb168dec90297c0480d8ba9aa07bdd92b90b0033dd098c2f1da17c72a1b05678fb2d6db43b254dbb1523

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: kardalkareefhaddad@onionmail.org Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.bin

    • Size

      500KB

    • MD5

      dfe4dcc5c1ecd6cc9fea2373c672c326

    • SHA1

      11e399bed1a2e4ac51dfbae16a21f1adaff7c95f

    • SHA256

      7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14

    • SHA512

      9f9e43601a88c386026d58e0f95785a97d86b228dbe5bb168dec90297c0480d8ba9aa07bdd92b90b0033dd098c2f1da17c72a1b05678fb2d6db43b254dbb1523

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Data Encrypted for Impact

1
T1486

Tasks