Analysis

  • max time kernel
    150s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2025, 14:46

General

  • Target

    2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    6325b32ae13417a251ffba6407338f39

  • SHA1

    a72e8375a3a8f7dcbf6404f1dea125d5baf9c66f

  • SHA256

    55af40f0064ee81eda1cdbabea8cc7a9e37087674ab518357f5f2455c177693d

  • SHA512

    6f00171805a55a9893c6e2ebf0b3938cf1326fb0ddb690dcec880dde1e49d54edd00291426ae7e382bd739fa18fdf614b9b5b778f4eb78c0965a18c961069f91

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4N:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vr

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 3 IoCs
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1884

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\7-Zip\7-zip.dll

          Filesize

          4.2MB

          MD5

          372d441b61983a54a1928ce7d7785a5b

          SHA1

          62f2c1435fa3ba6e018e0fe1cb6258d8091c8a27

          SHA256

          003b76dbb887fc1306a5f5a46e209b4be33103bcbcea04016d1c4e82f5fb5f32

          SHA512

          5ffd8df2c98c15bcd9fee4c58f1b4b78039817d7193824840c17a78b48d747790829f0e46a5a419faef7018316a67e81e9c7f18e84dfd5b53efdffca4b6d9383

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          709840003e106cb5d05b19dcbc1b3da8

          SHA1

          270e01a978f355381da5526763931d0bb2f189f6

          SHA256

          572853de4678137c861a942c869b5f0c0713491c6f1f9493f17a4d35935f62c3

          SHA512

          38699bfa5348524e43255837ca8828ab99231f577b7289d806b6cbdf93639129bc2a67cc9b8d922f4ae526c33fbfc845bffaef90ee7f7f28b3aa1430cd9ebed8

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          43067815f9aec155c6709bc8255ad4c4

          SHA1

          af67f24fe5e51c3e4ba48a794b4fd3bef7eb1cfa

          SHA256

          7e0ec6732d67da139279b218b7d4989816e17ca8070047139b1dc6e437c825f7

          SHA512

          0d16a3815a833f3e9af16b2331a6b6b4dac67709270f50fb93a92dafd8b44bf01a4fc8a4b894c68a40743f22c575c95b68eb72aa39c0f9cd0fda7a9a97d82a4a