Overview

overview

10

Static

static

10

2025-04-06...ch.exe

windows10-2004-x64

10

Resubmissions

06/04/2025, 16:36

250406-t4b6hstsb1 10

06/04/2025, 14:13

250406-rjthyszxe1 10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2025, 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-06_56c9b50e8936c2516fb1e809d9989912_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    56c9b50e8936c2516fb1e809d9989912

  • SHA1

    0fcfa3e92f55200e884c718652ffee7f4ed013e8

  • SHA256

    f14034d2f0c5b5485ef0d868db57bc24b83793681fe7d28e5e89e6b1c3bb0abb

  • SHA512

    5ce6e2288497561d9bd01ce851588d94b25a0b6441973e7c3ab0cb73fae86567702ae091aaca8c32774aae10b23f66ce3730f26c8cb0a662e57f0759900bf31e

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4A:ieF+iIAEl1JPz212IhzL+Bzz3dw/VC

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 10 IoCs
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-06_56c9b50e8936c2516fb1e809d9989912_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-06_56c9b50e8936c2516fb1e809d9989912_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2768
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2356
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip.dll
    Filesize

    4.2MB

    MD5

    458007e63f157fe17907659a4c56a0ea

    SHA1

    a54d94b5951e070ecc90a22ceccc571721e63e05

    SHA256

    979ce7cd4dcb2dc4e4f63b232fdc5f793401b084abdc9fc49dfe4c71db373ae2

    SHA512

    6ddf47be4a951fcca1a45659d8b960207595dae4ae43efb01c2e1505d315897ab58ffec068a1fe54a0dd539df24cecc9026b80e3b2868a7d66604d160827d1b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7V6S7ER6\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    bb3a57d76e82cb6e80927ea84cc1a0e7

    SHA1

    1d96717693e7d667c950baeb443f389a21a96ee9

    SHA256

    2bd8c8923156c4ef1ecabf4c26408ae66428c00356e3bd7271fd232911cc5bff

    SHA512

    d80b85579d1ce294277bfb22581e1f72e9ddf5876b2ce3f6d3fe63ccce5332fac1b273d1a97eb44ba988a0266de9319d7aa676bd34d53426f68d190dca9cdd3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
    Filesize

    2KB

    MD5

    302e298dc35e8fd8b149fa2dee565471

    SHA1

    0801d970e65440c50b1c0cf5f9a40b5c24517f51

    SHA256

    e1c5fd26d97a37fda75288aaaa5b986fbfa600e15451a146a7644a46ab246251

    SHA512

    c523cf341704ed3de27c5d45070ac1057976b4164cbe96102a2ff0dc416bde93829fc79ee6a9a9b32eb69f3269181b97837ddebc2a6376f6b34534a50e6208bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{6af88d44-72a3-47f8-8360-fe86c1f3f662}\AppsGlobals.txt
    Filesize

    4.4MB

    MD5

    c63e365c27e55e6b5b9f4786a1452ec7

    SHA1

    51294f346f245ae0b3adbf1128085c6c31fb909d

    SHA256

    010ce29444b4efb83b32f9b94a036749c9f53bede7ef4cd9cc710e5093c668cd

    SHA512

    462db91e246bf817f60926ab72653ffcde4967a634219546026789c8cebef1696458f173a1f1ddab6610ecaa7088c6d4eaa76b0d7ac2c2ba7751edf138e6bf8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133884225351343667.txt
    Filesize

    15KB

    MD5

    18bee33d1ae7e7ed4cff2dc793879d78

    SHA1

    dc48c4398fe220905c35a93b1bb1bb4235cae00f

    SHA256

    42031724f1ba0695be437e59142d6055b64543cfe3d86ea722736f575a840811

    SHA512

    7cba6d996376a7ebe347447ce43910a33cb124a9100bc7d745de24db1d277e0f3ad5ea2e89d8c9a30080079ccec9701e35c8fce579c108842ebe2eb14811309b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    11KB

    MD5

    979100d955650855803fb5fd673434e3

    SHA1

    ad382e17c571e4c5662ecee275c66d240f96fbbb

    SHA256

    8ff336eb6e00c72c3dbe4f0bb2db1108be07091d457c434c329a417ded897a59

    SHA512

    01ec9f09605b6ab0ec2515222acf48a82274c7d7a000401cffdc157b78844e0bb14e867b5847d488807dc3299d2423b9c4ba652e7fd47dda384db2679fddb746

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    13KB

    MD5

    344167e8680c0bdefb7b3f383ba3f505

    SHA1

    53d9e0e06c00bccc52fd8d3154b53ce746536f17

    SHA256

    0f749503f2c4db29d061117560e629beb4d06a9446a6122382cad4e9e1999a23

    SHA512

    a3c5185e4d6f2acb8c11d955af9976ee8526634af96bcedc43318bf715827b31e1d35ed241bbb447bc164912245f6b8730ac65172de686f64c80d86eb84c617a

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUAB.TTF
    Filesize

    4.3MB

    MD5

    85ee0c2a388a4286aad3c28a69929939

    SHA1

    7f1cdb2279585dda47d5b1dc370fc9af67933cde

    SHA256

    d1754a874ee27c93b22ee527fe91256ff039cfdea49ce4da7ad3bbe9acc3ab6d

    SHA512

    507b95eca931a4b30c07fd2a71eb54daf8991c8ccc2db059e2a5d65f0a76d79074c759271327f31b1796164cd73d87b9aaca79b566cdda88edef18e4c487f5f9

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUABI.TTF
    Filesize

    4.3MB

    MD5

    6367316f81fbcdd89fbdd6812547df30

    SHA1

    6bef005575b2cb678cdd8391972dd7253d45add8

    SHA256

    092765544f527743f42ba8f315a045cfb9767ff0c4bbb2a78b85ba376523d78d

    SHA512

    95198da4c18beb532a59789565a0bdf770b13c203453f600ff6fd0c248ddd8163179f35b2e1642e9915e2df7ee406e8dd27c14de7993a6dbd4612504aaa5daec

    Download Submit

  • C:\WINDOWS\FONTS\ANTQUAI.TTF
    Filesize

    4.2MB

    MD5

    4f3bb67785ea65f5f5a420c682b97ab5

    SHA1

    1db7c8857dd8974bfa68c776c07c294d52650b12

    SHA256

    2bfbcf7d4d91592ee9d94f34ea6dcbff56bd07fa65bd3d4aa599b1c8eda1aa19

    SHA512

    e8f845f6dc62db5213073e62cbf9a0e20ea60bcb6c39dadd4c820154c5baf812a7ff1fd5baee67cd3aabb3492277d4ae82470711aa970f68fbf49a0003aedd0f

    Download Submit

  • C:\WINDOWS\FONTS\ARIALN.TTF
    Filesize

    4.3MB

    MD5

    947ded6c73d51f1d63e986af2c486e3e

    SHA1

    7f9e4dfcc21f86c8ec3e9aa8b439de7e5fc12e50

    SHA256

    51a7ee37a9b2b26a28310e4d930aa3c2603f04afeb6734c33b2f3c2d7126ef22

    SHA512

    9d5330bb41e0cbd8972fe0f62c7a841515348cf1324e7f591c22a106ad9cd0197602692c3ca8ac132634b49f19f09cbdcdf2736c601527b30a13121f359dce4b

    Download Submit

  • C:\WINDOWS\FONTS\ARIALNB.TTF
    Filesize

    4.3MB

    MD5

    eb0d33540e7d8941d0a0421d138bf123

    SHA1

    0a60f8f95c45bf7742afb36c76588ba37f3738de

    SHA256

    43a09e7ff7d58d22d9e93b4a48e87157283d0539ed9ce11b10cad8d143432ffe

    SHA512

    99a772b738fa388f5344e58dd52d0c64913c54813898a9c52c96eb9716fe3fe39483bdc59c6bd3a298052ae982c8f2afbb6c9759a0fa681fd18d2bfcf9f604ea

    Download Submit

  • C:\WINDOWS\FONTS\ARIALNBI.TTF
    Filesize

    4.3MB

    MD5

    3f857e95e208adce17047bb83870ca12

    SHA1

    acb8900f069b077d616ebe632dc0a37a123e5ab9

    SHA256

    ce21c3dba9ba89c213c06297541be3f098b7adbc522e8da58064d7c7462443b3

    SHA512

    32f1a55b7782d209bc7fd4ff7a5a4ad2761ed43e1d23f5ea7a12e348dcb8edd5fe653b5a237261210c84acb7e89d29cd088344882146f71c301f52495a864f44

    Download Submit

  • C:\WINDOWS\FONTS\ARIALNI.TTF
    Filesize

    4.3MB

    MD5

    8060b33bfdc5861e907e89e704fceefb

    SHA1

    ed4a28dca0f980d40237cdf56eb42d2360dd88a6

    SHA256

    dc078f181541143cedc49618c68946b481701c4e0a1f95b784bad00265af9f02

    SHA512

    97690482f4ab5a36345f8f6cab83ec1e1ff9b74354cf7c22ceffeab6033a8022db42da2fccf40c478863f4d06e823b383997cdf61ea791f7e5f4b7eca7a758dc

    Download Submit

  • C:\WINDOWS\FONTS\DUBAI-REGULAR.TTF
    Filesize

    4.3MB

    MD5

    c3839573d992ff5a95a2fa3f2318b924

    SHA1

    9a9560bdcf673fdc096e5a57d4e4b0450ee4a3c3

    SHA256

    ec8b76806fda7e7a3ff1320cb5dfa560d3562c2b79e165e9c7aa5aaaf47e6b7a

    SHA512

    82ea7b514edde95e9fbb8aea4711a89e87db57500a670eed1388e53b78dce6490daa6b53346bcb4666630367abc5c4bd80377f88e268aa2688037fd8aefec428

    Download Submit

  • memory/2356-5799-0x000002907E980000-0x000002907E9A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2356-5798-0x000002907E600000-0x000002907E620000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2356-5790-0x000002907E640000-0x000002907E660000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4656-5848-0x000001EFE09E0000-0x000001EFE0A00000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4656-5861-0x000001EFE09A0000-0x000001EFE09C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4656-5874-0x000001EFE0FB0000-0x000001EFE0FD0000-memory.dmp

    Filesize

    128KB

    Download