Analysis

  • max time kernel
    87s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15/05/2025, 07:54

General

  • Target

    2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    f6e9a38590df744d7c6dd4e69c357acd

  • SHA1

    344566d5a0ee9dcd6afe9706e50c4d600aa11727

  • SHA256

    2b1980613cda2c73b223c47750879d1c35f0a4cdb95311be6e923834bcec2106

  • SHA512

    97f44b2f7d8181811e4f0419e4e97b8ce0ce5a60170873490e142b0c393b6e5b2cc17c043e858608c5cd50f036132d26c22d59f69c736dd85719ea12e46b5611

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q49:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vj

Score
10/10

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:3000

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.dll

          Filesize

          5.9MB

          MD5

          02097387de84e0e94ea40e73184d4056

          SHA1

          a5533cf207ed0b75c9cac932c0951893b713c41a

          SHA256

          4cf2c96aa5f917d10e4fa147e16a1d285f2865eb033685e680c5c30a479a9bd6

          SHA512

          d2ec55d0083a925b95248ebcc62e556a523e94188f875b419b89e3bec923c1ab6a70e22ee311edbdf88e13b346ce8a0437f9f9e04bd19c0a48608644c2dad3e2

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          eeb4e4d98dd990bb085f1a89202fd024

          SHA1

          16f0dd95388f9bdb5668d92d2ed63cfa53b59452

          SHA256

          b6f4bf00d47601884c0e86a6736d09f773d55baf79b3827ee6021a13af870330

          SHA512

          c42b6243f04d4f7f917f2b125f8867b816fad5f2f17e2042bdcdfea95c418274d555daa46a6684958cc38f14d41e150122b67af030a724300a2a358bba6f85ad