Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/05/2025, 10:07

General

  • Target

    2025-05-02_5d951c92968ca21da3bf552e5841d5f2_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    5.9MB

  • MD5

    5d951c92968ca21da3bf552e5841d5f2

  • SHA1

    d6090761782d0597eb2e0b139e5211aead020d03

  • SHA256

    78b0a0f2ba9434a0c5fbadf2026f7f354f1b1a78992c8187963f6689d3817c02

  • SHA512

    b29c340aa00e3a2fa394f87229586404a1051186ff403d0ba79ab7e7cfc358b0f64637ac524f019dea7d48321a9f8db5d5eed4ab0260454473bf9db7ee008852

  • SSDEEP

    98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vw0lHPuo3lO55Ga8KM:pWvSDzaxztQVwWHmo3lO5oa8D
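Before a sample carrying these digests is handled, it is worth confirming that the file actually on disk is the one the report describes (a repacked, truncated or wrongly downloaded copy will not reproduce the behaviour below). The following is an added example, not part of the sandbox output: it streams a file once through all four algorithms the report lists and names the ones that disagree. SSDEEP is left out because it is not in the Python standard library; the chunk size and the command-line usage are the example's own choices.

```python
import hashlib

# Digests reported on this page for the submitted sample.
REPORTED = {
    "md5": "5d951c92968ca21da3bf552e5841d5f2",
    "sha1": "d6090761782d0597eb2e0b139e5211aead020d03",
    "sha256": "78b0a0f2ba9434a0c5fbadf2026f7f354f1b1a78992c8187963f6689d3817c02",
    "sha512": "b29c340aa00e3a2fa394f87229586404a1051186ff403d0ba79ab7e7cfc358b0f64637ac524f019dea7d48321a9f8db5d5eed4ab0260454473bf9db7ee008852",
}


def compute_digests(chunks):
    """Hash an iterable of byte chunks once, feeding all algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_chunks(path, size=1 << 20):
    """Yield a file in 1 MiB pieces so a multi-megabyte sample is not read whole."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(size)
            if not chunk:
                return
            yield chunk


def verify(digests, reported=REPORTED):
    """Return the (sorted) names of algorithms whose digest differs from the report."""
    return sorted(
        name for name, value in reported.items()
        if digests.get(name, "").lower() != value.lower()
    )


if __name__ == "__main__":
    import sys
    mismatched = verify(compute_digests(file_chunks(sys.argv[1])))
    print("match" if not mismatched else "MISMATCH on " + ", ".join(mismatched))
```

Run it as `python verify_sample.py <path-to-sample>`; any non-empty mismatch list means the file is not the artefact this report was generated from and the signatures below should not be assumed to apply to it.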

Malware Config

Signatures

  • Gofing 3 IoCs

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.
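Several of the signatures above are simple file-system heuristics: a burst of renames that append an extension, an autorun.inf written to a volume root, desktop.ini drops, and a file placed in the Startup folder. The following is an added example, not the sandbox's own rule code, showing how such heuristics are evaluated over a stream of file events. The event tuples, the `.locked` extension, the paths and the rename threshold of 10 are all constructed for the example; the report does not state the sandbox's real cutoff or the extension this sample appends.

```python
import ntpath
from collections import Counter

RENAME_THRESHOLD = 10  # assumed cutoff; the report gives the count (52), not the rule's threshold
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed events in the shape a sandbox file monitor logs them:
# ("rename", old_path, new_path) or ("write", path). Not taken from the report.
EVENTS = (
    [("rename",
      rf"C:\Users\Admin\Documents\report{i}.docx",
      rf"C:\Users\Admin\Documents\report{i}.docx.locked") for i in range(12)]
    + [
        # benign rename: the extension is replaced, not appended, so it must not count
        ("rename", r"C:\Users\Admin\Documents\draft.tmp", r"C:\Users\Admin\Documents\draft.docx"),
        ("write", r"E:\autorun.inf"),
        ("write", r"C:\Users\Admin\Desktop\desktop.ini"),
        ("write", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"),
    ]
)


def added_extension(old, new):
    """Return the extension appended to `old` to form `new`, or None if it is not a pure append."""
    if new.lower().startswith(old.lower() + "."):
        return new[len(old) + 1:]
    return None


def is_volume_root(path):
    """True for paths such as E:\\autorun.inf whose parent is the drive root."""
    drive, _ = ntpath.splitdrive(path)
    return bool(drive) and ntpath.dirname(path) == drive + "\\"


def evaluate(events):
    """Map each fired signature name to the evidence (paths or extension) behind it."""
    hits = {}
    appended = Counter()
    for ev in events:
        op, path = ev[0], ev[1]
        if op == "rename":
            ext = added_extension(path, ev[2])
            if ext:
                appended[ext.lower()] += 1
            continue
        if op != "write":
            continue
        name = ntpath.basename(path).lower()
        if name == "autorun.inf" and is_volume_root(path):
            hits.setdefault("Drops autorun.inf file", []).append(path)
        elif name == "desktop.ini":
            hits.setdefault("Drops desktop.ini file(s)", []).append(path)
        if STARTUP_MARKER in path.lower():
            hits.setdefault("Drops startup file", []).append(path)
    for ext, count in appended.items():
        if count >= RENAME_THRESHOLD:
            hits[f"Renames multiple ({count}) files with added filename extension"] = [f".{ext}"]
    return hits


if __name__ == "__main__":
    for signature, evidence in evaluate(EVENTS).items():
        print(signature, "->", evidence)
```

The rename rule keys on one extension being appended to many different originals, which is what separates an encryptor from an installer that renames a handful of its own temporary files; the autorun.inf rule only fires at a volume root because that is the only location Windows ever honoured for it.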

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_5d951c92968ca21da3bf552e5841d5f2_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_5d951c92968ca21da3bf552e5841d5f2_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:6072

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Program Files\7-Zip\7-zip32.dll

          Filesize

          4.2MB

          MD5

          6ef6a3830a6729ab9f620785a843e49f

          SHA1

          54f39a1d0dc32b6eaaaa6f931f7f9bbcf3e06c06

          SHA256

          66dc93daca350cf4381a473c4e31a3dd4df515766205ad9cebe461e4e12e58c4

          SHA512

          6ebeeb7b6bd69ac6867695c002e0b8245d0bec55934947905d53958d2aace48f3d16e0aaa1d69457b5a1ddeec6d301981bc9bdd1b24196fca6e7108e512fa2b8

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          587f2836341f341971b2ed6fce765eaa

          SHA1

          d3a9d2a8d9f2e506640547ebee254269c2685148

          SHA256

          81ab89211535fa83d0a478311c2fc4f430936aff3456d9b66ee5344865834274

          SHA512

          10a623ffaa51f929fb1f69229a99630ae1845152cd08b810bbcf6c6b0866f91235a3e9d749bb8bca5811e5ca04ceedb05d15c43054af33ec2c7925df8dbb601f

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          2b5fe291adec8a3e4b22d8e88c0a1c5f

          SHA1

          968b6a02d93345cc7d329701203f688dcb45dae6

          SHA256

          62786e48db8e2b8c44ca778eeced3c331797e26f48072b0ca7a6c8e0ef31ea9c

          SHA512

          e6ddde91e078a71b842f73f3cd95b693db7d4a4bdf3901e48781d129a21af68e13c5789c1a9f94a407630eda10e8095b07d0bafa3ed21a427ccb05545f416380