Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2025, 07:44

General

  • Target

    2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    f3ed9cd9921dfa3797fdd934bd8ac588

  • SHA1

    0fa86de71b5db72945d23335ac0f2d0ed93c49dd

  • SHA256

    b483a3149d98dc85a6bb102b1b7d77531a256cc92b811e8ee7aca50c99fe3d09

  • SHA512

    cd7b1d6246bdaeb662400fc9bbb8563b21ce7c063f188ebb9c20c1d87baad4fc09fad3821f0246100b517909a6a41ad63e506cce355845059ae61870d7adb701

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4+:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vc

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3956

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.dll

          Filesize

          5.9MB

          MD5

          2a694c16a9f0795295831379543e0154

          SHA1

          cc3dc6c88b8d0758049adbd6356e0d33ad524d68

          SHA256

          393aaafeb5c1453cc3decf4dfe8705b3aef2d37930406349c48f0a4af7593f2a

          SHA512

          5b5b74f21d6096b35ec3582f33e2cbfbae47bfb73f007033873325362bfba3b24b9ace620d7943956f1a44b8d4a842cc5db6cf26f317cd01944d726bc01dfa59

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          c70ad79b7ce60e25d0c5c75d9b141d6b

          SHA1

          e1edb1f9a3c33634c552499f16e4e82f30387bbc

          SHA256

          4b58c30f721db0548de93247c27bc63fa12624804d3eb97de337b9853c70963e

          SHA512

          dd67a1c844c7ba84284c06752bca565c6e11cfb151bf655b7683e56d843d86391569c2beeb97962ff54a6570cbd26e6c9e5570f77ff6805b1463eeecaeb2b62b

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          a8d93764571aa77d035fc43b22518eec

          SHA1

          05c0ef8eb1b93a7b3a4e436c11d623f05a05743f

          SHA256

          d21a77b340bafa2955215828d2cdca0f403488f45c73765de36527dfc2e5288a

          SHA512

          2a26774b831cb183f8497e5d1df93ed6fadd2ee363b063405069beb3701e1601fce42b8c86980989b674d1565eea19ebf7af2613279fd1d5fd76268134fc4f68