gofing | 0fd93c1cf6048f470a10162405f6e6e54523cd0eada47ee564c9b8da1b5fd8d2 | Triage

Sharing

General

Target

2025-04-04_ced32bb7190df334266dbebba4c28ae0_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
Size

4.2MB
Sample

250404-ev43lssks2
MD5

ced32bb7190df334266dbebba4c28ae0
SHA1

4dd95068d34fc4d579cda02411db2a2139ecef16
SHA256

0fd93c1cf6048f470a10162405f6e6e54523cd0eada47ee564c9b8da1b5fd8d2
SHA512

032157a55674f7e20401a3b21b195407139277c68aeded0cb0b366a45fbfe7576a2123dd404e0ed1f66137f12ba589d782525aeca381a85e15b4481f614e3bb4
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4M:ieF+iIAEl1JPz212IhzL+Bzz3dw/VSh

Score

10^/10

gofing credential_access discovery ransomware spyware stealer

Malware Config

Targets

- Target
  
  2025-04-04_ced32bb7190df334266dbebba4c28ae0_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
- Size
  
  4.2MB
- MD5
  
  ced32bb7190df334266dbebba4c28ae0
- SHA1
  
  4dd95068d34fc4d579cda02411db2a2139ecef16
- SHA256
  
  0fd93c1cf6048f470a10162405f6e6e54523cd0eada47ee564c9b8da1b5fd8d2
- SHA512
  
  032157a55674f7e20401a3b21b195407139277c68aeded0cb0b366a45fbfe7576a2123dd404e0ed1f66137f12ba589d782525aeca381a85e15b4481f614e3bb4
- SSDEEP
  
  49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4M:ieF+iIAEl1JPz212IhzL+Bzz3dw/VSh
Score

10^/10

gofing credential_access discovery ransomware spyware stealer
- Gofing
  Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
  ransomware gofing
- Gofing family
  gofing
- Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gofingcredential_accessdiscoveryransomwarespywarestealer