mespinoza | 5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c

Resubmissions

05-02-2025 10:34

250205-mmassssng1 10

05-02-2025 10:33

250205-mlx7pssnfz 10

13-01-2022 17:53

220113-wgrc2abhgp 10

Sharing

Copy URL

Twitter E-mail

General

Target

scvhost.exe
Size

500KB
Sample

250205-mlx7pssnfz
MD5

e04becb4c8ff826e5e5aa305dee074bc
SHA1

07bf49663c9c76e4a468a98f2fe3a55977432a39
SHA256

5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c
SHA512

cb4c086df9395d1ebc68cc576d241e584c454e45db5365ed2196f0529cb6c2cad70b0f061e7fced4d980f10aabf8829f6e69602be8e086f73d9c1aa7d4d48fa2
SSDEEP

12288:uKWAb1TS+OeO+OeNhBBhhBB8dBwD9EX1hQvuqN/4fsw86:uKWe+dBk9EFO7NQh

Score

10^/10

Malware Config

Extracted

Family

mespinoza

Attributes

ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Path

C:\Users\Readme.README

Ransom Note

Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ To go to our site you have to use TOR Browser. Download link: https://www.torproject.org/download/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What if I have no response? A: Wait and we will answer you in 24 hours. 4. Q: What to tell my boss? A: Protect Your System Amigo.

Emails

[email protected]

URLs

http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/

Targets

- Target
  
  scvhost.exe
- Size
  
  500KB
- MD5
  
  e04becb4c8ff826e5e5aa305dee074bc
- SHA1
  
  07bf49663c9c76e4a468a98f2fe3a55977432a39
- SHA256
  
  5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c
- SHA512
  
  cb4c086df9395d1ebc68cc576d241e584c454e45db5365ed2196f0529cb6c2cad70b0f061e7fced4d980f10aabf8829f6e69602be8e086f73d9c1aa7d4d48fa2
- SSDEEP
  
  12288:uKWAb1TS+OeO+OeNhBBhhBB8dBwD9EX1hQvuqN/4fsw86:uKWe+dBk9EFO7NQh
Score

10^/10

mespinoza discovery ransomware spyware stealer
- Mespinoza Ransomware
  Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
  ransomware mespinoza
- Mespinoza family
  mespinoza
- Renames multiple (2569) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9