General
-
Target
2025-05-02_137b0e48d7a87cc2a01e093b1ccf4cf4_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
-
Size
5.4MB
-
Sample
250502-pnty6sz1ht
-
MD5
137b0e48d7a87cc2a01e093b1ccf4cf4
-
SHA1
f087b4f4f47faacc26a7ca0e52b9d44238c7551f
-
SHA256
893571ecf7773a59d9c365a26a7d0f3b6ba39bc7a2c492d692fa96ec48050a70
-
SHA512
a141b89d9dd2c22a86f170470381edea3f38c81b6bae3ce54d431935d6aa7e005278a97fbd6b7cdf54cfd7fa963e59fd1d0f21b866debdee04db2b0e3c6c0ecd
-
SSDEEP
98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/V0WMPg8EkPK:pWvSDzaxztQVHMo8bPK
Behavioral task
behavioral1
Sample
2025-05-02_137b0e48d7a87cc2a01e093b1ccf4cf4_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
2025-05-02_137b0e48d7a87cc2a01e093b1ccf4cf4_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win11-20250410-en
Malware Config
Targets
-
-
Target
2025-05-02_137b0e48d7a87cc2a01e093b1ccf4cf4_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Renames multiple (52) files with added filename extension
This is consistent with ransomware behaviour: files are encrypted in place and given an extra extension. The count (52) is what was touched during the sandbox run, not the scope of encryption on a real host.
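A detection that turns the "renames N files with an added extension" signature into something you can run over endpoint file-rename telemetry. This is an added example and not code from the report or the sandbox; the event tuple layout, the process names and the `.locked` suffix are constructed assumptions.

```python
"""Heuristic for the 'renames multiple files with added filename extension'
behaviour: a single process that turns many  name.ext  files into
name.ext.<suffix>  inside a short window is treated as a ransomware
candidate.  Added example, not part of the sandbox report; the event tuples,
process names and the '.locked' suffix are constructed/assumed."""
import ntpath
from collections import Counter, defaultdict


def added_extension(old_path, new_path):
    """Return the suffix appended by a rename, or None if the rename is not of
    the form  dir\\name.ext -> dir\\name.ext.<one extra component>."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None                      # moved, not renamed in place
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None                      # extension replaced or name changed
    suffix = new_name[len(old_name):]
    if suffix.count(".") != 1 or len(suffix) < 2:
        return None                      # require exactly one extra component
    return suffix.lower()


def find_mass_renamers(events, threshold=20, window=60.0):
    """events: iterable of (timestamp_s, pid, image, old_path, new_path).
    Returns {pid: {"image", "peak", "extension"}} for every process whose
    append-extension renames reach `threshold` within any `window` seconds."""
    per_proc = defaultdict(list)
    images = {}
    for ts, pid, image, old, new in events:
        suffix = added_extension(old, new)
        if suffix is not None:
            per_proc[pid].append((ts, suffix))
            images[pid] = image

    hits = {}
    for pid, items in per_proc.items():
        items.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(items):        # sliding time window
            while ts - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            ext = Counter(s for _, s in items).most_common(1)[0][0]
            hits[pid] = {"image": images[pid], "peak": peak, "extension": ext}
    return hits


def make_sample_events():
    """Constructed file-rename telemetry (not from the report).  52 renames by
    one process mirrors the count in the signature above."""
    dropper = r"C:\Users\user\AppData\Local\Temp\sample.exe"   # assumed path
    events = []
    for i in range(52):
        old = rf"C:\Users\user\Documents\report{i}.docx"
        events.append((100.0 + i * 0.2, 4120, dropper, old, old + ".locked"))
    # benign activity that must not trigger
    events.append((105.0, 880, r"C:\Windows\explorer.exe",
                   r"C:\Users\user\Desktop\draft.txt", r"C:\Users\user\Desktop\final.txt"))
    events.append((106.0, 2310, r"C:\Program Files\Editor\editor.exe",
                   r"C:\Users\user\Desktop\notes.md", r"C:\Users\user\Desktop\notes.md.bak"))
    for i in range(25):                                # slow backup job: 1 rename / 5 min
        old = rf"C:\Users\user\Pictures\img{i}.png"
        events.append((1000.0 + i * 300.0, 5000, r"C:\Program Files\Backup\backup.exe",
                       old, old + ".bak"))
    return events


if __name__ == "__main__":
    for pid, hit in find_mass_renamers(make_sample_events()).items():
        print(f"pid {pid} {hit['image']}: {hit['peak']} files -> *{hit['extension']}")
```

The threshold and window are tuning knobs: backup and archiving tools also append extensions, which is why the rule keys on burst rate per process rather than on the rename pattern alone.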
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can tamper with signature-validation mechanisms, for example by modifying certain DLL exports, so that their binary appears to be validly signed. Verify signatures with an independent tool (signtool or Get-AuthenticodeSignature on a clean host) rather than trusting the signature status shown on the infected machine.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Drops autorun.inf file
Malware can abuse Windows AutoRun to spread further via attached or removable volumes. Note that on Windows 7 and later AutoRun no longer processes autorun.inf from USB mass-storage devices (it still applies to optical media), so the dropped file is mainly of interest for the executable it points at and for the AutoPlay lure it sets up.
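When triaging a volume image that carries a dropped autorun.inf, the first question is which keys would launch something and what they point at. The following parser and assessment is an added example, not recovered content from this sample or code from the sandbox; the autorun.inf text and the `update.exe` name are constructed.

```python
"""Inspect an autorun.inf and report the entries that would run, or present,
a file to the user.  Added example, not from the report; the sample file
contents and the 'update.exe' name are constructed."""

# Constructed autorun.inf such as a dropper might write to a volume root.
SAMPLE_AUTORUN = r"""; constructed sample, not recovered from the analysed binary
[AutoRun]
open=update.exe
shellexecute=update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=update.exe
shell=open
label=USB DISK
"""


def parse_autorun(text):
    """Minimal INI parser for autorun.inf: returns {key: value} for the
    [autorun] section, keys lower-cased (the format is case-insensitive)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return a list of (key, value, why-it-matters) for execution-capable keys."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute"):
            findings.append((key, value, "launched by AutoRun when the volume is processed"))
        elif key == "shell":
            findings.append((key, value, "default verb: double-clicking the drive runs it"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append((key, value, "Explorer context-menu verb command"))
    return findings


def referenced_programs(text):
    """Sorted program paths named by execution keys: the files to collect from
    the volume alongside autorun.inf.  Command-line arguments are dropped."""
    progs = set()
    for key, value, _ in assess_autorun(text):
        if key != "shell" and value:                   # 'shell=' names a verb, not a file
            progs.add(value.split()[0])
    return sorted(progs)


if __name__ == "__main__":
    for key, value, why in assess_autorun(SAMPLE_AUTORUN):
        print(f"{key:<20} = {value:<12} ; {why}")
    print("collect:", referenced_programs(SAMPLE_AUTORUN))
```

The `icon` and `action` keys carry no execution but are worth noting in a report: pairing the stock folder icon with "Open folder to view files" is the usual lure to make the AutoPlay entry look like Explorer's own.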
-
Drops file in System32 directory
-