gofing | b86000a8e36f69a5767bab47f4a77c42ec1cedbb066ef685a0c0e828cb570981

Analysis

max time kernel
39s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.2MB
MD5

aa627512df8f39f8522ce27a1b9721dd
SHA1

23ddc0cc55e3eb4717f6e9f12b8c01e0c7cf036c
SHA256

b86000a8e36f69a5767bab47f4a77c42ec1cedbb066ef685a0c0e828cb570981
SHA512

5798ada28d270397210fa1ee0e759d65584afc89d0a19c3eccd9bcb64fe0f882165c9d4ba8e8baa335b4c6f9040b9bcb1d49d43615e9188e66b5e8e81b7d1360
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vb

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs

resource	yara_rule
behavioral1/files/0x0031000000010329-4.dat	family_gofing
behavioral1/files/0x00020000000108a2-6387.dat	family_gofing

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Noronha	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\St_Johns	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll

Filesize
5.3MB

MD5
5178306a2c8c1349a5e63283b81c6472

SHA1
5bf538e0ef6717cead6623e0b4dbc8163688e070

SHA256
a071fa48fe132ed5336e4700cac7f0133c01a9c42fe6bf067aefc593b1bfff27

SHA512
c7a73f1009939f11721a2bb09b04cf483e8f9af40d8e1627ac36fa8a3a1156f28c666c92971fd9a7f6f39c167db2e45ed7a65e430204c6c7b9c90070a873dcf1

Download Submit
\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll

Filesize
5.3MB

MD5
1a6d631b4bacf37ca34dd525f7007746

SHA1
15af543bea7972f7fbeeb2c95ef8bd68b5ab851a

SHA256
a4b893c0eb1d7aea1b006ae02773fe8aecaebfed9c6f9ae2398866b8f36f9168

SHA512
8c38c8b15632891484a8e1e5b6df15cabf8538e3756a8b84e85b912fde7713065f746771ec19f14abae621cd097b7868a5bab0a1e09b367e22b95909c8e2a6dd

Download Submit