General

  • Target

    scvhost.exe

  • Size

    500KB

  • Sample

    220113-wgrc2abhgp

  • MD5

    e04becb4c8ff826e5e5aa305dee074bc

  • SHA1

    07bf49663c9c76e4a468a98f2fe3a55977432a39

  • SHA256

    5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c

  • SHA512

    cb4c086df9395d1ebc68cc576d241e584c454e45db5365ed2196f0529cb6c2cad70b0f061e7fced4d980f10aabf8829f6e69602be8e086f73d9c1aa7d4d48fa2

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      scvhost.exe

    • Size

      500KB

    • MD5

      e04becb4c8ff826e5e5aa305dee074bc

    • SHA1

      07bf49663c9c76e4a468a98f2fe3a55977432a39

    • SHA256

      5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c

    • SHA512

      cb4c086df9395d1ebc68cc576d241e584c454e45db5365ed2196f0529cb6c2cad70b0f061e7fced4d980f10aabf8829f6e69602be8e086f73d9c1aa7d4d48fa2

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks