Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2025, 15:17

General

  • Target

    2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    d45f2d54c7deef223cec2c0029b5662c

  • SHA1

    a0504496905a1e6e216ad44ca2eb1d5bee669473

  • SHA256

    c4a65a85a3a3980a1d2c4315b9e71d4fb8ee38e52bf1e444b02433304e0bf802

  • SHA512

    1bc82469a356c218a0020303320dd2c6601c9422f60d7fac3792f747236b736d04c37c5a34502b44ba9140047eef972b5eeea0baa261040ec23b6f722fbd029c

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q43:ieF+iIAEl1JPz212IhzL+Bzz3dw/VNPX

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1528

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7-zip32.dll

          Filesize

          4.2MB

          MD5

          4bf483f28d22c3a849c6e18431d6a83c

          SHA1

          4f77674b6a337e2f98913bed6045c6ab1f18dbc3

          SHA256

          c58a6175c32a17574340551d508c4cfe7df3e6d58693890ad2562f26d4f1a618

          SHA512

          85c07bb4d424b3112b9f409ebe985dd037309e20663c5aa71f78812fab9a97dbaf34ca948351130e120325bf0efbeaf5a10ca1b97d26eb4ebac2c2bf6f6458ab

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          debe09b8490ee7d9fd7bac108b8c7ff4

          SHA1

          483f1d8de2aee598f2e39ad40e578873fe705405

          SHA256

          91beb91b5355342ceb6ea6641225cba670c98e0c67c7d586c307757ed79a4f5a

          SHA512

          7b39291e5b1204ebf1ce06c159a547bb45ead67c00f9266c4fdacfc740a21f5623ac3f32d3f7a75ec6022923c97e75d5dd9cc93b3e08a3e29bf200dfd746c02d