gofing | 55177243179930b753017f881920032df2d371697b43ee32e538f55a59ac40bd

Analysis

max time kernel
137s
max time network
138s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.2MB
MD5

798f4ea105c93bccc7a4dd2993088976
SHA1

650f099bc9c65865c4025568c919e65648144491
SHA256

55177243179930b753017f881920032df2d371697b43ee32e538f55a59ac40bd
SHA512

11091dbb75d54f1d8eb966fac089458338fce926ed6a1a953cdecb751a470045505edd2dd7149e2f16040e8186744c6570adc71a59afba2cabf565b5a97d91fc
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vv

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs

resource	yara_rule
behavioral1/files/0x0002000000010486-4.dat	family_gofing

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\net.properties	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\TableTextService.dll.mui	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\wsdetect.dll	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\Welcome.html	2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll

Filesize
5.3MB

MD5
adb0f34c4164bf23b1228af907f099ce

SHA1
0a8102507dbffdbad699b54d7b8023753546e11a

SHA256
01dfe692bebaba2b9328bb94a632da818ac6831b231513eae582bae41081202f

SHA512
cf689bcd21f4213568c12ada53d269c559f7b0003c0f3604c8f4aacbd5b3dddbd344f3edff45fe1129eccc7bc7d01077370aff74b6d4d78320c22d2295a032b8

Download Submit