Overview

overview

10

Static

static

10

2025-04-03...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-03_e18fed98592fb3d2c6c6f44432459802_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    e18fed98592fb3d2c6c6f44432459802

  • SHA1

    86668068a9d5d0314b20828878b49cd9e945d467

  • SHA256

    6433f91474f72e8fcba9be24d63c0d35849b11b77e113f59cac21363ca120927

  • SHA512

    448fc6ea0d85969fc73ba860416a647ed5b314c6e0c5be55e37a6f2d63a7bdf2b03cfa8f1ed48ed545dda1b1a531de44db49c5a610f99747beab8e4b2b131825

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4S:ieF+iIAEl1JPz212IhzL+Bzz3dw/V8

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_e18fed98592fb3d2c6c6f44432459802_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_e18fed98592fb3d2c6c6f44432459802_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2464
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2644
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7z.dll
    Filesize

    5.9MB

    MD5

    dd0d45b637742f0363cf6fc5d80286c1

    SHA1

    c765370a6441d404116b4e25cd3e400b9c792574

    SHA256

    e21cc5a9b85288a0928537c13879be3078974595162a070defcbd59e7028903c

    SHA512

    7c531237a32a1e70e42945d2f4f12ce1e12d96d91300032ae119fa1d341652723fc52af354d36f559f2f2c2fc08e4aec048dec6e77403ecef4632e624477ed76

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
    Filesize

    4.4MB

    MD5

    987c6d611a21dc412f734cfa2da5c4e1

    SHA1

    efe196cef9f03253dd7d78417aa96b7fdb11b07f

    SHA256

    00b94ee1c39757d0277f4a2733c89926041385266198eda64b666a9c3e4b4a13

    SHA512

    b10524d71d42f849f989b302e51ac4cca09042206cc35533195c73fd684f5084432e61b83d6f4ad88ff6372671ccf157a1412ca43388048d496dbf026ae0ef7a

    Download Submit

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
    Filesize

    5.8MB

    MD5

    aa8c0d58ee7479fc821a1e13e4fcbddb

    SHA1

    a0ae9953cb53768de63f3ce33fc62c0b4824b688

    SHA256

    9229f9ace3f88137d3cc6f36c17136842519dc4da2d99f288500e24359f136d6

    SHA512

    f20e1291d160e44f941b7d6662c580d14c5be6e1d55f2a166fbc519c6a84b779b3f8ba270cb7a4d28d06edbceffd582f5552acdae1b335038953d4560b19b8da

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Q6WWW71J\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    1bbf55ab372938d504888942fb75005a

    SHA1

    ce665c1904fc8f019187aef74eb472e7302f9526

    SHA256

    61d3275322ab9c034652b6464244a50c286065677832ecc9560b50dfd45c4dca

    SHA512

    163545c351fda6f5d4fa051db2fcd3dc45ecd1645a36fb85cfa289b5812ece83b0cb7562dd5573edbfdc1e7b0bb19bae6b1dcbf740338c525d649de86922f1ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5a0b7e55-3a8c-4659-8e84-9be70062c0a6}\apps.csg
    Filesize

    444B

    MD5

    5475132f1c603298967f332dc9ffb864

    SHA1

    4749174f29f34c7d75979c25f31d79774a49ea46

    SHA256

    0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

    SHA512

    54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{5a0b7e55-3a8c-4659-8e84-9be70062c0a6}\apps.schema
    Filesize

    150B

    MD5

    1659677c45c49a78f33551da43494005

    SHA1

    ae588ef3c9ea7839be032ab4323e04bc260d9387

    SHA256

    5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

    SHA512

    740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133881788012192968.txt
    Filesize

    22KB

    MD5

    7916ed537635f982a046692ba9b74d8c

    SHA1

    899ad02caf40fcc525f92c5dede15ef287992108

    SHA256

    d5c850e118b7789d5e7a1f0654795aaa754898824d5b0e9290b17e534cba8e4d

    SHA512

    5bbcd19c7f02d35555bcf5495d5b14a923729b85a7de13b9c5712fb544fb2b8ff3911ea4c0989c6d4f15afd3740255c8c14fe4f0c5317ca062f4df6ce2634342

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133881788021008563.txt
    Filesize

    10KB

    MD5

    3452ec698a9884c22f029220397be6dd

    SHA1

    0ff4a99762952831999b24f564aac3a6743f57bc

    SHA256

    092905ca6e00f3f0a90c182b12edcd34485cf5f1ab050ea9ce87f8c1b69ec02a

    SHA512

    72290444f64eed2aa4fcb79737424b31ef709c489e15beb33b9fcba4c4f790b21a7f6e1cecfedab45d8e198d1e0367953d353a83361667efab167d8660b885ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    9KB

    MD5

    12d8ce3255957a44ee8b4e843160a210

    SHA1

    a23b37c94de490bb7922eafe530ef84192060eaf

    SHA256

    bbab062ffd9b09c7f71d0b31a0a01e2c80ffb617547dc7a8a261a608b2b86b3d

    SHA512

    c9796a149a36f3b6e7b71924387b3e4e580c66bf3b0c580e6a9ffc1a21aa483050af8e7cff64b56b70fb8c87044c9dacd4a502a40a05b2b2689c6d5bd7af3b30

    Download Submit

  • memory/2644-5864-0x0000022DFD1E0000-0x0000022DFD200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2644-5872-0x0000022DFD1A0000-0x0000022DFD1C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2644-5873-0x0000022DFD730000-0x0000022DFD750000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2680-6006-0x000001DCA8BC0000-0x000001DCA8BE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2680-5981-0x000001DCA8450000-0x000001DCA8470000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2680-5975-0x000001DCA8490000-0x000001DCA84B0000-memory.dmp

    Filesize

    128KB

    Download