mespinoza | ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b

Resubmissions

05-02-2025 10:17

250205-mbfjxatlhr 10

05-02-2025 10:16

250205-ma5gmstlgq 10

21-12-2022 10:49

221221-mwyafsfc8z 10

Sharing

Copy URL

Twitter E-mail

General

Target

svchost.ex_
Size

500KB
Sample

250205-mbfjxatlhr
MD5

4dc8cae2cfff6ac862aea48b014937bb
SHA1

80486ca4caa5cb4ce42885dcd66d7a1b4a27d5ce
SHA256

ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b
SHA512

79eb56d858b21743ca565d22bb56cd3d8e4ecfdf462f03124672dca090c95ca51f8908f8dea22c3631dddba0a1a2bf443f41fdf8bf70e826335bcc56d0def47d
SSDEEP

12288:YLrjOlAQS+OeO+OeNhBBhhBBYIeVZkD097u8HvaEs1Mm7Q:YLrjSGtVGD05u4yVMm

Score

10^/10

Malware Config

Extracted

Family

mespinoza

Attributes

ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Path

C:\Users\Readme.README

Ransom Note

Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Emails

[email protected]

URLs

http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/

Targets

- Target
  
  svchost.ex_
- Size
  
  500KB
- MD5
  
  4dc8cae2cfff6ac862aea48b014937bb
- SHA1
  
  80486ca4caa5cb4ce42885dcd66d7a1b4a27d5ce
- SHA256
  
  ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b
- SHA512
  
  79eb56d858b21743ca565d22bb56cd3d8e4ecfdf462f03124672dca090c95ca51f8908f8dea22c3631dddba0a1a2bf443f41fdf8bf70e826335bcc56d0def47d
- SSDEEP
  
  12288:YLrjOlAQS+OeO+OeNhBBhhBBYIeVZkD097u8HvaEs1Mm7Q:YLrjSGtVGD05u4yVMm
Score

10^/10

mespinoza discovery ransomware spyware stealer
- Mespinoza Ransomware
  Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
  ransomware mespinoza
- Mespinoza family
  mespinoza
- Renames multiple (2686) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9