Analysis

  • max time kernel
    78s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 18:17

General

  • Target

    2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    4a650ac3bd5b043e82d8f733e1b5df81

  • SHA1

    1afe8d02befc2f8a6fe4517a3ca6a05d3fc4996a

  • SHA256

    3c5bbdc78370a8af8a44bc0de7253f74afb5983402d1c3a41d76eae99e4e673d

  • SHA512

    27158301cfcbc75033fe0ead54a92cc3a3b59d39c8c96f7473cb2cdeb1e3db1db40ce69eea621a46c142eeeada01ef3bc1fb237afeffbbe8cbac064eede0d5c4

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q44:ieF+iIAEl1JPz212IhzL+Bzz3dw/VK

Score
10/10

Malware Config

Signatures

  • Gofing

    Gofing is ransomware written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is ransomware written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:3904

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files\7-Zip\7-zip.dll

    Filesize

    4.2MB

    MD5

    3165d4c933bc80e94d57936b2b3730d7

    SHA1

    c38283ab56e505b24b4abd5827901e97e1433c56

    SHA256

    38120995f68176e484bac3ce9b95b292fd166d3cfff8dad4440fc7497a4493dc

    SHA512

    017005178a42500b6817dcc5809fe1fdf314d8f12f6aab8a4725230a634bccc416e18fed319b02f623249d5f0196bf984e16e9e34578c1e000742ff84e3c0068

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

    Filesize

    4.4MB

    MD5

    bc679830b96494ac2487ee24071315dc

    SHA1

    8428b1b50d6ab2e88a52033d437fcbcdb0333333

    SHA256

    a9d99f650a408f8176e05f10e907f0a87b6971adc1d6ad5e5166bcfdeaf357c9

    SHA512

    01f86aff110158fb0eb7a47a2a794d73a82a1ead29429eb7488f26a35a1c9c88c48cbbbe0c5bcbd73dcbbc144f35c4b11852c6c9c501d85fa8a28a095f199a79

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    5.8MB

    MD5

    e16e6aa9a89b020c96cac275b64fc5cf

    SHA1

    bfc5e77428b7e8e248f22c45b67a6e720a3d9d57

    SHA256

    401b9c8563dee9ee1334318d5c4339c753b9f576e925db4aa534cba0db3e0b5a

    SHA512

    284687ec2912e9035d0fc3791f2d1f894f9e2a1005b94095adcfb74d33ad3169f5a8d5710d680d87a833d61f0c368ad08046892d0bb4f0a467c924e1e235a69b