Overview

overview

10

Static

static

10

2025-04-03...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-04-03_ed01d819a6dd7f6e517cf78560b6df8a_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch

  • Size

    4.1MB

  • Sample

    250403-q1dy6azmv6

  • MD5

    ed01d819a6dd7f6e517cf78560b6df8a

  • SHA1

    d2843380334f207281c7f438e6f2a92957eb09fa

  • SHA256

    9cbb50fe1f5a8feed65614a98a1d0834429499bf00a546a4df0680a9f44b9072

  • SHA512

    03d4c2a506e0f5e06de453a205da9feb9dd75b2cc82030289245c9eaea18a711f1daf8b6ced8d249790bd731be4f7a96f7f86c83dfe56d7b15a9e09fda0694f9

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q46:ieF+iIAEl1JPz212IhzL+Bzz3dw/V4

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Targets

    • Target

      2025-04-03_ed01d819a6dd7f6e517cf78560b6df8a_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch

    • Size

      4.1MB

    • MD5

      ed01d819a6dd7f6e517cf78560b6df8a

    • SHA1

      d2843380334f207281c7f438e6f2a92957eb09fa

    • SHA256

      9cbb50fe1f5a8feed65614a98a1d0834429499bf00a546a4df0680a9f44b9072

    • SHA512

      03d4c2a506e0f5e06de453a205da9feb9dd75b2cc82030289245c9eaea18a711f1daf8b6ced8d249790bd731be4f7a96f7f86c83dfe56d7b15a9e09fda0694f9

    • SSDEEP

      49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q46:ieF+iIAEl1JPz212IhzL+Bzz3dw/V4

    Score
    10/10
    gofingcredential_accessdiscoveryransomwarespywarestealer

    • Gofing

      Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

      ransomwaregofing

    • Gofing family

      gofing

    • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    • Renames multiple (51) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.