General

  • Target

    7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.bin.zip

  • Size

    229KB

  • Sample

    220423-hct2gaagh3

  • MD5

    1cc5f4eb3a50bc7a578852df749c63c5

  • SHA1

    5beb0009be9fd282d0019422681ab5ca82cf1679

  • SHA256

    f588c70c6249d60a371a6927bc0a635abd6ffe9b409eca37a6529cd6385f0672

  • SHA512

    dedf96300d551eef9349ac5c0b98308aa22e53dadd7dcabc61b71a2acde970abc1323a9e1c69b557853d446db90c468f1e0b9b33a72c107de2717871d2f8af97

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.bin

    • Size

      500KB

    • MD5

      dfe4dcc5c1ecd6cc9fea2373c672c326

    • SHA1

      11e399bed1a2e4ac51dfbae16a21f1adaff7c95f

    • SHA256

      7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14

    • SHA512

      9f9e43601a88c386026d58e0f95785a97d86b228dbe5bb168dec90297c0480d8ba9aa07bdd92b90b0033dd098c2f1da17c72a1b05678fb2d6db43b254dbb1523

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks