General

  • Target

    0433efd9ba06378eb6eae864c85aafc8b6de79ef6512345294e9e379cc054c3d.bin.sample

  • Size

    500KB

  • Sample

    211217-mqtp3secbq

  • MD5

    0e20d8b10b555b3bc2711bb878a02cab

  • SHA1

    598da6d3ac08e21c39807fffabd2f597edb4cbb8

  • SHA256

    0433efd9ba06378eb6eae864c85aafc8b6de79ef6512345294e9e379cc054c3d

  • SHA512

    442ab7bbec38a1b69261b8266e16001e1d8ae49297b95f72508bc41a18ebd822b9fa36caf1a4195dae8333becd072bb0cc4588ed3068a4cd4848d90a403b1c27

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      0433efd9ba06378eb6eae864c85aafc8b6de79ef6512345294e9e379cc054c3d.bin.sample

    • Size

      500KB

    • MD5

      0e20d8b10b555b3bc2711bb878a02cab

    • SHA1

      598da6d3ac08e21c39807fffabd2f597edb4cbb8

    • SHA256

      0433efd9ba06378eb6eae864c85aafc8b6de79ef6512345294e9e379cc054c3d

    • SHA512

      442ab7bbec38a1b69261b8266e16001e1d8ae49297b95f72508bc41a18ebd822b9fa36caf1a4195dae8333becd072bb0cc4588ed3068a4cd4848d90a403b1c27

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks