General

  • Target

    pys_d751f5436518.exe

  • Size

    500KB

  • Sample

    220210-w3hb9aaffp

  • MD5

    d751f54365181f544f908cc9ae3c91c5

  • SHA1

    51cbc9455b7781cf0529f299631e59016fe52e95

  • SHA256

    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

  • SHA512

    04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      pys_d751f5436518.exe

    • Size

      500KB

    • MD5

      d751f54365181f544f908cc9ae3c91c5

    • SHA1

      51cbc9455b7781cf0529f299631e59016fe52e95

    • SHA256

      af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

    • SHA512

      04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks