Analysis

  • max time kernel
    61s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2025, 07:51

General

  • Target

    2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    6.1MB

  • MD5

    72b0ab083a5365b77c915d60c0acb01f

  • SHA1

    32171ba8b978ec6e70da34ecd5a9f034ed967512

  • SHA256

    7077ddac62ea1edf3085aa90c7b02d5f5f954dd5b80c9320d50f982c0f266434

  • SHA512

    572d274fe6aaeee3733bb7e5c4c41e6062ce0407404e2863e3b6219b000df27fb1ac61a9af4893318bb930d237e311896dc332fb1d1e5d9ad83ba57b43dfef84

  • SSDEEP

    98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vzn+FILk8hIQGIvo+JOeX3+fG:pWvSDzaxztQVzn+FILk+IQGIv9JOk+fG

Score
10/10

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:4660

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.dll

          Filesize

          5.9MB

          MD5

          a6b80f74e4ac9a3bb87c2dd4c2b993ab

          SHA1

          d0d14f9f1eb53665940b0a12d32cbb00f49af683

          SHA256

          b157332c1a88446f5915d51f8b4f5759cf833d6b2751902576cb7d495665d7fc

          SHA512

          5d8f36e395e04d26dbe47ca833a3552d077ae32844e2e048b75a1263b8eb4b00a831af0984d06b45a030519fe7bcc9799b04c53938907d02060d000108444fc3

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          57f77b62c7063af9b4defc0b5b27ba39

          SHA1

          c7dbd86cbdc98aa0ba305b90810f4bdfc360a4bb

          SHA256

          16c164affec1a2a9c8543778943d3737aae680ca564a0dbdd250f6f354f7292e

          SHA512

          3d5eb57f9e31cbdfa8132505d7d19fae1083c3ef3fd3d35f91f307896d0937df54d636aa731e38b6791a1544bca3dcaf495b08af10d946b9a43fe066b4cb8d18

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          eed60bda42d47add8eb7ae99813327a3

          SHA1

          17ad59ac50606beeeee71a06dbe0b592ab77c76f

          SHA256

          902eaef6f160c900dbde07009646ba2dc737d0c5de73288941ea1b126b2c68cf

          SHA512

          1d5e2fa4f7965a6e8b9dde8482c4bca460a72246cdad95483401f0bd33c94db7ede12765a54de90ecf7dba48fa35667e8af95588a6c022d77277110ec8f86667