Overview

overview

10

Static

static

10

2025-02-06...za.exe

windows7-x64

10

2025-02-06...za.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza

  • Size

    500KB

  • Sample

    250206-zkgjsawnhz

  • MD5

    4dc8cae2cfff6ac862aea48b014937bb

  • SHA1

    80486ca4caa5cb4ce42885dcd66d7a1b4a27d5ce

  • SHA256

    ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b

  • SHA512

    79eb56d858b21743ca565d22bb56cd3d8e4ecfdf462f03124672dca090c95ca51f8908f8dea22c3631dddba0a1a2bf443f41fdf8bf70e826335bcc56d0def47d

  • SSDEEP

    12288:YLrjOlAQS+OeO+OeNhBBhhBBYIeVZkD097u8HvaEs1Mm7Q:YLrjSGtVGD05u4yVMm

Score
10/10
mespinozadiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Readme.README

Ransom Note
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.
URLs

http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/

Targets

    • Target

      2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza

    • Size

      500KB

    • MD5

      4dc8cae2cfff6ac862aea48b014937bb

    • SHA1

      80486ca4caa5cb4ce42885dcd66d7a1b4a27d5ce

    • SHA256

      ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b

    • SHA512

      79eb56d858b21743ca565d22bb56cd3d8e4ecfdf462f03124672dca090c95ca51f8908f8dea22c3631dddba0a1a2bf443f41fdf8bf70e826335bcc56d0def47d

    • SSDEEP

      12288:YLrjOlAQS+OeO+OeNhBBhhBBYIeVZkD097u8HvaEs1Mm7Q:YLrjSGtVGD05u4yVMm

    Score
    10/10
    mespinozadiscoveryransomwarespywarestealer

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

      ransomwaremespinoza

    • Mespinoza family

      mespinoza

    • Renames multiple (2693) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks