Analysis Overview
SHA256
7077ddac62ea1edf3085aa90c7b02d5f5f954dd5b80c9320d50f982c0f266434
Threat Level: Known bad
The file 2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.
Malicious Activity Summary
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 07:51
Signatures
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 07:51
Reported
2025-05-15 07:54
Platform
win10v2004-20250502-en
Max time kernel
61s
Max time network
140s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| IE | 23.216.155.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
Files
C:\Program Files\7-Zip\7z.dll
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll