Analysis

  • max time kernel
    86s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2025, 07:54

General

  • Target

    2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    f6e9a38590df744d7c6dd4e69c357acd

  • SHA1

    344566d5a0ee9dcd6afe9706e50c4d600aa11727

  • SHA256

    2b1980613cda2c73b223c47750879d1c35f0a4cdb95311be6e923834bcec2106

  • SHA512

    97f44b2f7d8181811e4f0419e4e97b8ce0ce5a60170873490e142b0c393b6e5b2cc17c043e858608c5cd50f036132d26c22d59f69c736dd85719ea12e46b5611

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q49:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vj

Score
10/10

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:4444
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3600
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      PID:1232

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files\7-Zip\7-zip.dll
    Filesize
    4.2MB
    MD5
    e395c2de6d5edf0c9915d8da3044f523
    SHA1
    947c7cf6d0579f15b09490a117f5e240bbf8a50b
    SHA256
    c43fd23d990571cac175db0637f4fae91c5700491c7311ea1393492dae06751a
    SHA512
    5be216937cd6f1d7822e9fbceeb89f194977afb4ce903b1d801910c70cd6da0eb42ca13e86d4d0d184d7380b412f1a1948889b0ab7c4d49a339a2d49ea702e7e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml
    Filesize
    97B
    MD5
    072d508c8a0d2689525f2eea4dce6ff9
    SHA1
    0db1ed4dab098837a2fb4cd59f8a482f295d4e23
    SHA256
    7d512f9f27854c85bd52bf5e038329366a7fb545752e7b846061a9854efd1b8f
    SHA512
    c68e44da7cbe5992c874c9bd876ecfb934728fe971cd5d6021c3303fbbabe976ec53d09a454a359341a2fb9f6f921edc7885a5bc59f8d8edcc70c1389d97b9a4

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
    Filesize
    2KB
    MD5
    031a1d1d0d75e1a0018b9e2c7c80d609
    SHA1
    9edfae47b2b1b7c75fe5914ab0f8f3e241a58e6a
    SHA256
    21b39aab0df5acc1484798308042151496ebaa266a9d2baf1975502275628c8a
    SHA512
    09b04fa89e79df4c65ca68956ed8d4727d7bd0a1fb07fea2b20c10f2ec6bd29a3e3aedda0ef5a23ae327ef17725b30b2713cbf62fd0f8b60e15a7a7052820735

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133917693859259173.txt
    Filesize
    14KB
    MD5
    b9a3570135c6cdac61e23a655424bb81
    SHA1
    b25c823b867b820fa34e0d61892c99af1b3db241
    SHA256
    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
    SHA512
    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize
    287KB
    MD5
    08fd76fcc814c28dfd328c2ae9bec105
    SHA1
    0cfc99361ff187489d4e4d1873c32d92886d1d53
    SHA256
    e1cda8074d742600eb80a4da0c94186de5aede64ba89e3ee748ebde4f0eb4806
    SHA512
    bf840a06050badb35ea4e81bbd2d7665785717524033f9c8b093d5cfc690fcd473824e53fdf292314381271886d06e14a3d5ce44db2479e84cb7dd75bd5204d8

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize
    12KB
    MD5
    585d59e56728fdeb3389e4fb7cd6bc3b
    SHA1
    bb169c6ec156a09bb60dc354958cd6cb3dd46090
    SHA256
    b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828
    SHA512
    212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665

  • C:\WINDOWS\FONTS\BKANT.TTF
    Filesize
    694KB
    MD5
    8ba77f00099edec326563d0f456dfee8
    SHA1
    ba094a8fd9284be093a3970bf77f7f31b76f23d6
    SHA256
    98e907e4ea98a4a094b075bac860f2f9be2ef1e6a832ff62a006ac451849f3f7
    SHA512
    bf89aecca85b410011844cc2f1cd20d5afe01eab54e80c23ecff0c27977411a71cf3da7540888bd6d6e621e6fb04e397490a1f76ae25a8f16f6b12bcc81de20e

  • C:\WINDOWS\FONTS\MTEXTRA.TTF
    Filesize
    829KB
    MD5
    a207e1444147aa44ce159d1d3bf225f7
    SHA1
    381e5f421ef3de109acd7e70a391622f6602c5a9
    SHA256
    0dbf5b430983c09aa2f6b964808e4217608489f480aec6a1819a25d50994b474
    SHA512
    30a1b8810648f42163f3dd07bc971f33946266d70f2816a32b6dc24fe4bce0414dbe809405d78a6d212e106ca5cb31e8f94e0e9911f909dbf45af595c63fb4a5

  • memory/1232-5802-0x00000255E8C00000-0x00000255E8C20000-memory.dmp
    Filesize
    128KB

  • memory/1232-5824-0x00000255E9010000-0x00000255E9030000-memory.dmp
    Filesize
    128KB

  • memory/1232-5788-0x0000024DE6900000-0x0000024DE6A00000-memory.dmp
    Filesize
    1024KB

  • memory/1232-5793-0x00000255E8C40000-0x00000255E8C60000-memory.dmp
    Filesize
    128KB

  • memory/1232-5787-0x0000024DE6900000-0x0000024DE6A00000-memory.dmp
    Filesize
    1024KB

  • memory/3600-5758-0x000001AEA75E0000-0x000001AEA7600000-memory.dmp
    Filesize
    128KB

  • memory/3600-5750-0x000001AEA7820000-0x000001AEA7840000-memory.dmp
    Filesize
    128KB

  • memory/3600-5759-0x000001AEA7B70000-0x000001AEA7B90000-memory.dmp
    Filesize
    128KB