mespinoza | 8b4b233e87c61c8698e086b376da640c9ab2ecd71c58b1f6a2eceb60b7e1a691 | Triage

Sharing

General

Target

8b4b233e87c61c8698e086b376da640c9ab2ecd71c58b1f6a2eceb60b7e1a691
Size

500KB
Sample

220305-1zrtqsbahp
MD5

dc82cd73d0738cfe2e49c499c2fa631e
SHA1

81d1497490ee1ae20b2c87dff48cee31cdc4466f
SHA256

8b4b233e87c61c8698e086b376da640c9ab2ecd71c58b1f6a2eceb60b7e1a691
SHA512

6f67d86d4edb2ca0a31b2f206de7d1f6783124f30fedd527a2edf25efe6d885a5e64c8981dfbb91ab75dfa7213bc91465884ffb56747bb373911311c1c66f57d

Score

10^/10

mespinoza ransomware spyware stealer

Malware Config

Extracted

Family

mespinoza

Attributes

ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

- Target
  
  8b4b233e87c61c8698e086b376da640c9ab2ecd71c58b1f6a2eceb60b7e1a691
- Size
  
  500KB
- MD5
  
  dc82cd73d0738cfe2e49c499c2fa631e
- SHA1
  
  81d1497490ee1ae20b2c87dff48cee31cdc4466f
- SHA256
  
  8b4b233e87c61c8698e086b376da640c9ab2ecd71c58b1f6a2eceb60b7e1a691
- SHA512
  
  6f67d86d4edb2ca0a31b2f206de7d1f6783124f30fedd527a2edf25efe6d885a5e64c8981dfbb91ab75dfa7213bc91465884ffb56747bb373911311c1c66f57d
Score

10^/10

mespinoza ransomware spyware stealer
- Mespinoza Ransomware
  Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
  ransomware mespinoza
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Tasks

static1

behavioral1

mespinozaransomwarespywarestealer

behavioral2

mespinozaransomwarespywarestealer