Analysis

  • max time kernel
    62s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 18:43

General

  • Target

    2025-03-30_79bc3b07505f30fa4ea051c0ac957f69_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    79bc3b07505f30fa4ea051c0ac957f69

  • SHA1

    5d44258c21225e20a35327fa89ffc9cc4b6e6091

  • SHA256

    d05aaf2c32dd7a5ff70e84de9e675e96dbb794d81b7c713ba165ba92828d2430

  • SHA512

    59ddef9afe32c45f931d7d44363c3a9bb2e5f4e58df56168bd284a2889d17ef57d5bc3ae964e57d8d9145b3e118d9229982404ffa087575f340f66cfbc2426c6

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4G:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vk

Score
10/10

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_79bc3b07505f30fa4ea051c0ac957f69_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_79bc3b07505f30fa4ea051c0ac957f69_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip.dll

    Filesize

    4.2MB

    MD5

    3cdd4dbf8556c128796bcf2f277c165d

    SHA1

    cbcd0eafad9ceedaf8daedfa45912a8f8b02f8f3

    SHA256

    fe48f398827be07df6e3da6f7f255377fce2b7a195c28c6c22b2bda937b02205

    SHA512

    473dc86a81ff0285c520dca6d29d95fdff40d4278697242f28df77a7f4f8a214ebce46c7376e212847c048659958a0035a21786ca7c4b5a3200d363d2e647696

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    5.8MB

    MD5

    893f1ee1760047e74b03fb4aebc3efb2

    SHA1

    361859cb01f8a81202dd287a7f6584a1f9c19456

    SHA256

    8dcde8612eedd4a9436e72838e19eeb261aed94173e2c08c76faa89afbd680e9

    SHA512

    99ba27faccdd6139923048304d813cc74c3b07af1f6e0bac7a713a1b55a2dcfc960d153747a13c454d110d6bcae4fe0dac1e4e02bd047f48b1ee012372abcf42