gofing | db3b522adfe5bd882992b9d8fb6b226863553f602cf9c4d5e2306fec1eb8cd02

Analysis

max time kernel
132s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

5.3MB
MD5

11e310337369a6f765655ff0aee83470
SHA1

27f69d55df7c3fa857aafb24ade04701636056ce
SHA256

db3b522adfe5bd882992b9d8fb6b226863553f602cf9c4d5e2306fec1eb8cd02
SHA512

7e667cc8181f4e0f289bcdb6dac4f62a186f85f63382c5369a6262d78e29fa24d56961f27b32a2e5d7a24d6a298450f39343038ce1bb2e41817546f576e28ad6
SSDEEP

98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VdK83WqRZFgB:pWvSDzaxztQVdKx

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs

resource	yara_rule
behavioral1/files/0x0002000000010486-4.dat	family_gofing

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\libxml2.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.sig	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\ConnectReset.iso	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\LICENSE	2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_11e310337369a6f765655ff0aee83470_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll

Filesize
5.3MB

MD5
cac7e75373c1828d74c45cb6b4c31584

SHA1
e4defad574400471346397ae3685437b788ca636

SHA256
733c7aa6e70142397f62d5755867d5060e4991e7441ced6e1981db19773c907b

SHA512
822ac1004eb13debd9317611c91688b881467bdbe3c033c54edc3416f0725e267450d2de6db4d6cfc02b397a9148909b831512f432a46b80ac71468c593f79c3

Download Submit