Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 00:13

General

  • Target

    2025-04-03_adb09cf0bbaedfc9267e1f332005c5de_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    adb09cf0bbaedfc9267e1f332005c5de

  • SHA1

    ededae15ca6edd4df2eff53c1b018bfc86cba10b

  • SHA256

    00b77133aa2ca43d9698a310d68b4a9bf0a3a5df3c9fb3dacd22023353d3bf20

  • SHA512

    008453a24072000c525ef9a1985902865c1785241f1fa9892f6272220fce423ac05a687fd6c9bb9f9a66fcc1fb4a848edf1065849f9a31cc57f0792386036337

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4v:ieF+iIAEl1JPz212IhzL+Bzz3dw/VZ

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 3 IoCs
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_adb09cf0bbaedfc9267e1f332005c5de_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_adb09cf0bbaedfc9267e1f332005c5de_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2680
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5208
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4912

Network

MITRE ATT&CK Enterprise v15


Downloads
