gofing | 3c5bbdc78370a8af8a44bc0de7253f74afb5983402d1c3a41d76eae99e4e673d

Analysis

max time kernel
78s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.1MB
MD5

4a650ac3bd5b043e82d8f733e1b5df81
SHA1

1afe8d02befc2f8a6fe4517a3ca6a05d3fc4996a
SHA256

3c5bbdc78370a8af8a44bc0de7253f74afb5983402d1c3a41d76eae99e4e673d
SHA512

27158301cfcbc75033fe0ead54a92cc3a3b59d39c8c96f7473cb2cdeb1e3db1db40ce69eea621a46c142eeeada01ef3bc1fb237afeffbbe8cbac064eede0d5c4
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q44:ieF+iIAEl1JPz212IhzL+Bzz3dw/VK

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a49-4.dat	family_gofing
behavioral2/files/0x0002000000021ebf-5463.dat	family_gofing
behavioral2/files/0x0002000000021e89-5471.dat	family_gofing

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\$Recycle.Bin\S-1-5-21-3218366390-1258052702-4267193707-1000\desktop.ini	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_contrast-white.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-100.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-100.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E1510E9A-3A37-4D6E-83D5-0C244EABA482\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\Microsoft.AnalysisServices.SPClient.Interfaces.DLL	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.Tests.ps1	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96_altform-unplated.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.Tests.ps1	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\HostConfigHighContrast.json	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ComponentModel.DataAnnotations.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\OfflineError.svg	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-200_contrast-black.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-125.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\de.txt	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-white_scale-100.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40.png	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll	2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_4a650ac3bd5b043e82d8f733e1b5df81_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
4.2MB

MD5
3165d4c933bc80e94d57936b2b3730d7

SHA1
c38283ab56e505b24b4abd5827901e97e1433c56

SHA256
38120995f68176e484bac3ce9b95b292fd166d3cfff8dad4440fc7497a4493dc

SHA512
017005178a42500b6817dcc5809fe1fdf314d8f12f6aab8a4725230a634bccc416e18fed319b02f623249d5f0196bf984e16e9e34578c1e000742ff84e3c0068

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
4.4MB

MD5
bc679830b96494ac2487ee24071315dc

SHA1
8428b1b50d6ab2e88a52033d437fcbcdb0333333

SHA256
a9d99f650a408f8176e05f10e907f0a87b6971adc1d6ad5e5166bcfdeaf357c9

SHA512
01f86aff110158fb0eb7a47a2a794d73a82a1ead29429eb7488f26a35a1c9c88c48cbbbe0c5bcbd73dcbbc144f35c4b11852c6c9c501d85fa8a28a095f199a79

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
e16e6aa9a89b020c96cac275b64fc5cf

SHA1
bfc5e77428b7e8e248f22c45b67a6e720a3d9d57

SHA256
401b9c8563dee9ee1334318d5c4339c753b9f576e925db4aa534cba0db3e0b5a

SHA512
284687ec2912e9035d0fc3791f2d1f894f9e2a1005b94095adcfb74d33ad3169f5a8d5710d680d87a833d61f0c368ad08046892d0bb4f0a467c924e1e235a69b

Download Submit