MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mespinoza


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8
SHA3-384 hash: 1559fbadd5c2d60801c78506621bb21b65bd487b0e3bd6a386a24664f89e18e5d4af124de49eba4928bdf8fab5da2cc3
SHA1 hash: 425209b891142704462baf14048d0dd59d0c7561
MD5 hash: eec3730b2b99f6fb23134d79681f5122
humanhash: friend-johnny-mountain-maine
File name:e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8.bin
Download: download sample
Signature Mespinoza
Create hunting rule
File size:512'000 bytes
First seen:2020-11-25 00:49:31 UTC
Last seen:2021-04-08 05:06:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5e8bd2552848bb7bf2f28228d014742 (21 x Mespinoza)
ssdeep 12288:2fClmGO4Ih+OeO+OeNhBBhhBB8TRWClfSlKmkzsDWhTsuqq:oClmppTRWChSlDkg6hrt
TLSH 6AB46C60B573D171C86294F94D3DFA4A742DAC980F668BFBB3DC262D1A750C01B32EA5
Reporter Arkbird_SOLG
Tags:Mespinoza PYSA Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
2'971
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the Program Files subdirectory
Changing a file
Sending a UDP request
Moving a file to the %AppData% subdirectory
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mespinoza
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/546514
Signature
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Found Tor onion address
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Mespinoza ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8/
Threat name:
Win32.Ransomware.Mespinoza
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 23:04:55 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware spyware
Link:
https://tria.ge/reports/201125-gybfy944n2/
Behaviour
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Drops file in Windows directory
Deletes itself
Reads user/profile data of web browsers
Modifies extensions of user files
Unpacked files
SH256 hash:
e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8
MD5 hash:
eec3730b2b99f6fb23134d79681f5122
SHA1 hash:
425209b891142704462baf14048d0dd59d0c7561
Detections:
win_mespinoza_auto
Create hunting rule
Link:
https://www.unpac.me/results/3ede9ef9-4ae0-430a-9d42-aabcadcc9acf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_mespinoza_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments