Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2025, 15:05

General

  • Target

    2025-05-03_1c439336a5e9d2fbef84383f8821d929_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    1c439336a5e9d2fbef84383f8821d929

  • SHA1

    43c68539b3d8ce54e561cf85fcd631cc3f6f58bd

  • SHA256

    2d544966d384b82c146270b0c72c3f2ebd074935bf09d058b4ae055e9b87e86e

  • SHA512

    0f760c1762fefbb4164802ace4a6b9525f25cfdeda933e7df61f05e9665d39965acb25228244709dedf60e6741f43fa7d969227ded852dd37447fa7b4799442f

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4b:ieF+iIAEl1JPz212IhzL+Bzz3dw/VQC

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 3 IoCs
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_1c439336a5e9d2fbef84383f8821d929_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_1c439336a5e9d2fbef84383f8821d929_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1076

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\7-Zip\7-zip32.dll

          Filesize

          4.2MB

          MD5

          c0fcf8bd12e49c40e54c619516eb02bd

          SHA1

          5d97a0336e04b93e66ede6434216ede092f7662a

          SHA256

          610b6393d5fc6247587f9acd53c6d5469c8453371ada1f41cb229b4e070ddc99

          SHA512

          e53ddf5382f421481789b68fa7a080d09bbb01766c44a20463bba41dae90f472fc4f943f94ae305546c9454e8bfab83a9ed5616d137491f3566a90b0eb6845f7

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          2014b359785b094ef6bc7e96347d3a1c

          SHA1

          a25519fc19a746f8134a0f16543268cf585ab976

          SHA256

          0a888ead594fe9e69d3a76ae87e58713acf44e1347be58b470153d951862987f

          SHA512

          d66e64a7914dcb04884a867f4ee77fda079ff659c45f56a7b0119c6d84255980618324b8bcb13e209eda7bb96294cb409e97c355321e6c8b399146cbdff4c4d5

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          3d6dad3a05b7c0bd5a5939fdbbc844ea

          SHA1

          f2ae7461d2bbd39f4c5ce7f2570ede370b19e161

          SHA256

          d24941dd6d03f4b3b439242d3d1881ca5034db65769f40ff47c4973843680c9f

          SHA512

          5c5401d85b0a4b30ade42629a9dddc907f2a8a3b01fc0308c0330a5fcaa9e3e14512f3a085ed4113a23a3b46c2932aa655c0b3bc2138c886ffa09350d47e4a2c