Overview

overview

10

Static

static

10

2025-03-30...ch.exe

windows7-x64

10

2025-03-30...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    798f4ea105c93bccc7a4dd2993088976

  • SHA1

    650f099bc9c65865c4025568c919e65648144491

  • SHA256

    55177243179930b753017f881920032df2d371697b43ee32e538f55a59ac40bd

  • SHA512

    11091dbb75d54f1d8eb966fac089458338fce926ed6a1a953cdecb751a470045505edd2dd7149e2f16040e8186744c6570adc71a59afba2cabf565b5a97d91fc

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vv

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 8 IoCs
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Loads dropped DLL 54 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_798f4ea105c93bccc7a4dd2993088976_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2376
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:6000
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2264
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:5468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip32.dll
    Filesize

    4.2MB

    MD5

    93340499916985276d25c231b3a28fc3

    SHA1

    0546c703c4181ccfa9b625ada2fb1b811cc5f638

    SHA256

    46c25a46ed372bf71770a47789803d767d3cd8abb443c473f3ff03f194b4e655

    SHA512

    e9829c55f7aa4704376b3d53eea40e89516191f8b63ba260df5750abc06a24e3c100134f203b510291603e230c46250fca70e543212f6f5c4f90c2e6107fc6b3

    Download Submit

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
    Filesize

    5.8MB

    MD5

    40e803418172311bc8f36c0b131c1f64

    SHA1

    899ceeef58d8b065fc8f0a2d897afb4601afe1d8

    SHA256

    1911663488ff6beecd006dba4a9056f3ab6e99d41bd6cb02e374ff1f9196a6fa

    SHA512

    f94b919ca422767e9bcfdf63a076acdf20d3582e1028139cc17110c291efa9fc6068e42f64143f8d0410d173d8257833901d4c0fcf85650c60a1c71720d79679

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4SYNGCCS\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    6d17534a0db982351137005fa6a7151e

    SHA1

    64fa1b1c32dc38667bea9e6383a5384f083e342c

    SHA256

    c1227471a38cb5a85f639fcbb0e9201f4c3c080180b4eac3d7e82cc30948b2c4

    SHA512

    b64c844e42f880293aa080c52f9635d7b7bf12a001692438bd184b6a6be989fcbae0e98ede275ebddae75e2ae5cfb2cfa055d366760bfb9e2ba78da0f0f0d915

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4SYNGCCS\microsoft.windows[1].xml
    Filesize

    96B

    MD5

    187aef5494bc70837ddc920050a7ded3

    SHA1

    0f8687a43b33e7914bab92b974ac2708364d82ab

    SHA256

    ddfbb5fb33531533b977c88c065661b955bf80110414c64218740f70df287c73

    SHA512

    6b80880004a0b48d6a3d60b3bade01738ef81df6eb1ab6b2fdce786cc1bc4636157bb6aa54a613054fdf1b1ee629dc46ac3e6b772644ab1ca17a2229abbcd0ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
    Filesize

    2KB

    MD5

    8d49b5143a3de906971d34c235f9783b

    SHA1

    ac3b3090af597ef99d4424f068d42684fa181d4c

    SHA256

    c2a337c7d0ab2d78946a683946703432187847eca3e79f216103505789036d93

    SHA512

    17ef38a793f32463b5a3344058f819b77f8cc4e3a4ee3441b9b33ae2dde2a5b954afb979dcbab574117a8ad307bdfcf1c5bc303d83066c53252117bd1c2f9494

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{eb278a09-ff84-420f-b4d7-3bbe7f0e0608}\apps.csg
    Filesize

    444B

    MD5

    5475132f1c603298967f332dc9ffb864

    SHA1

    4749174f29f34c7d75979c25f31d79774a49ea46

    SHA256

    0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

    SHA512

    54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{eb278a09-ff84-420f-b4d7-3bbe7f0e0608}\apps.schema
    Filesize

    150B

    MD5

    1659677c45c49a78f33551da43494005

    SHA1

    ae588ef3c9ea7839be032ab4323e04bc260d9387

    SHA256

    5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

    SHA512

    740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{eb278a09-ff84-420f-b4d7-3bbe7f0e0608}\appsconversions.txt
    Filesize

    1.4MB

    MD5

    2bef0e21ceb249ffb5f123c1e5bd0292

    SHA1

    86877a464a0739114e45242b9d427e368ebcc02c

    SHA256

    8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

    SHA512

    f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{eb278a09-ff84-420f-b4d7-3bbe7f0e0608}\appsglobals.txt
    Filesize

    343KB

    MD5

    931b27b3ec2c5e9f29439fba87ec0dc9

    SHA1

    dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

    SHA256

    541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

    SHA512

    4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{eb278a09-ff84-420f-b4d7-3bbe7f0e0608}\appssynonyms.txt
    Filesize

    237KB

    MD5

    06a69ad411292eca66697dc17898e653

    SHA1

    fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

    SHA256

    2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

    SHA512

    ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878331827691607.txt
    Filesize

    26KB

    MD5

    d2655ca9678bfda8467f7fa4905b4d24

    SHA1

    e0ccecd2719c42ed967d9fc2b4ed2ab30bafd378

    SHA256

    e2e1aea3ce75e5e1597c8928123bbf4679c86a71ed0a5edee110ddb9f29eff20

    SHA512

    36b6fbaaa1b6725261caf6694aed5c44a633de2fd09dee76a633a40f7830dd6231c316b5c93f7d93f34cca48713e3a416ec8cb4333e155c05e1489d8086803ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878331943923720.txt
    Filesize

    14KB

    MD5

    b9a3570135c6cdac61e23a655424bb81

    SHA1

    b25c823b867b820fa34e0d61892c99af1b3db241

    SHA256

    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

    SHA512

    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize

    277KB

    MD5

    6cded117b40b0637ae92cd04ac7ba1c7

    SHA1

    1c524e30df9ea03e3bda96f7e2604f599e2a3e3d

    SHA256

    a96839797a4226a003a2351ea28a13ccde6121e685a6738136a95f6475e620e4

    SHA512

    bb0bd2255a0496d42514de6a00f0846ad31736d0f906815cbfb702374ada907d6ac7ca0c0de06192d67c0c98453c0d179c176dc315ac775deb0b38b2e364c7a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize

    273KB

    MD5

    66183eadf44e6787fefa8dd1884d2dd0

    SHA1

    d9b032f81aa710fc78a914531dbdea4ac063db8b

    SHA256

    2b5d9967a530eed33fe30e0a5ee4c9ea5ae7277765fbe48f3279ed3d6ea84e7e

    SHA512

    0916cc2afa88c2d6c67427f779d62436a9e3b79fc0197b73c3c4bb15f5c5bb1f5776f8ee7e460297186b806369ac37227cc92b8f790babe8136aa0e70af7825c

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    12KB

    MD5

    89b2b499cb4fb2beff0da1aae8fec4f6

    SHA1

    2de8f037d46eac237b1b286dd7ab089c558bbcb2

    SHA256

    d506aa310e87d1578f49faef4347b20f6116e9d8bdc6faca6fd7e7447653292b

    SHA512

    06069aea02505b3dbaf0a7af6185c946ebc7110c5a81ac1026ce1cda42c3f3b11b0501860fbd95a23498f501f5395f411709dd6423fc715ed195ffe17ffd387b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    13KB

    MD5

    6d2872c5ceb7b6907b04923c856648a8

    SHA1

    3c0a87eb8cd691e2f3cf675045eb5739f22bba95

    SHA256

    51b0424fc5a47eac6080d329e02a100a434b82afef23ebe04aa9faa9812b2931

    SHA512

    c559bede8e7cfa05c9de8ba9edf3ce954b319fa9c90f132358c5cb0b246d274c937a2cde92b1623ffeae6ea7febcc8980d852b849109a0c3e9a0b66e05feb5d8

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUAB.TTF
    Filesize

    4.3MB

    MD5

    91a734c4f8c7e2c46a82883fc80b2041

    SHA1

    d6da57bacf49ad793891997cf52fde3f668b5c2c

    SHA256

    c2d84d8a9fd47bd23e269714fc587a45014ec2781209fb521a2cb3dfbb598685

    SHA512

    8c70c1f8d747858a460d1d2c7a15263452114aa7bcc9b0a70e5186ba9460bc10e8b0ad85a9f98906014ea190263623e59e467de6b038ef38414f1ee7560a8fe1

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUABI.TTF
    Filesize

    4.3MB

    MD5

    66265ac6d868681d4f375e07f054c2b9

    SHA1

    1f2c888bc4446c0700ab0eb10b9f5749a75c90ba

    SHA256

    513c209a1937d48969355d7b2f3cf513ab11f4b1cde7ef6048262432e767164c

    SHA512

    4636792affb07353e044b58fdfe0ff7a7bc69df4d78b5ebcf135cd5fadd9eb80c73bf6487bdf1c1d54621ec9921b24900e09f06cde6aebdba5d19f1280cc0ef7

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUAI.TTF
    Filesize

    4.2MB

    MD5

    60a67f16cc3eefedf339ee0ad3f074b1

    SHA1

    3a0d56cea7327076697c616e12c8f3de16810236

    SHA256

    5e00fab14e3cc9a0f8bc8a6b81406959a9580d0c070e7961f0b0048718b58d69

    SHA512

    e9aa4b48c52b2f6e87c64733e0c4a950c172dfbac81b94939e7e3c49010aa23f5c9a6c45f5ee5370b147206a3381f56a39c47f24657b47e1435a190ff1caf793

    Download Submit

  • C:\WINDOWS\FONTS\ARIALN.TTF
    Filesize

    4.3MB

    MD5

    7a09fe59accb45277cb8a194e0232e4e

    SHA1

    7ee52de829fe727b274a1a2a22842a54e4084451

    SHA256

    48c418fbf9ec40071fa84d29b7543ec476abeaf01ac7c115622421a7ea6265bc

    SHA512

    61ea78e8be728805ba5089c79f7be5981263d08f74824c314356e6d5a33373c4fe7040b26e4b7c7b53ade3b645b980f2f0d03d03a04dc88a88b03e9bcf5724de

    Download Submit

  • C:\WINDOWS\FONTS\ARIALNB.TTF
    Filesize

    4.3MB

    MD5

    f2150fafdb27ea1936b2b7a9b8723a54

    SHA1

    103b5d2b0ce69cacacf13da74937adffaaea687d

    SHA256

    dbae0772628c99a6af4b5db82bb8de5b1337b8fb61030bd9446035588939b415

    SHA512

    9eb1fd606a2cae6b768aa9219f7b23c598e1fafff0924fda26583b4d85e7421b5cd20c6d5e0fe007d1d97cbdd6a0cc90f5f252024a01eeea642673ab4031638d

    Download Submit

  • C:\WINDOWS\FONTS\FRSCRIPT.TTF
    Filesize

    4.2MB

    MD5

    2f12b1616138324ce837b3cc273b0d01

    SHA1

    b3ce16bb6d10b492bd65ed72c4fe019575b72e9c

    SHA256

    2804e61f0cafae5abd54d6921a9cf4573eac3b58f22259c9aa3145b7aa071707

    SHA512

    19440ed3b5f86b85ec6800b79c3fd70be43cc443582b5707878c3650a0ce888c30e716734c51b720f06955142125942df47d0dbd086ba2a854c4cdca8640ec95

    Download Submit

  • memory/2264-5838-0x0000027CEFA50000-0x0000027CEFA70000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2264-5848-0x0000027CEFDE0000-0x0000027CEFE00000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2264-5814-0x0000027CEFA90000-0x0000027CEFAB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2264-5807-0x00000274ED900000-0x00000274EDA00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5468-6097-0x000002DC41E10000-0x000002DC41E30000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5468-6111-0x000002DC41DD0000-0x000002DC41DF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5468-6129-0x000002DC421E0000-0x000002DC42200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/6000-5742-0x000001D01B990000-0x000001D01B9B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/6000-5741-0x000001D01B580000-0x000001D01B5A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/6000-5735-0x000001D01B5C0000-0x000001D01B5E0000-memory.dmp

    Filesize

    128KB

    Download