Analysis Overview
SHA256
2b1980613cda2c73b223c47750879d1c35f0a4cdb95311be6e923834bcec2106
Threat Level: Known bad
The file 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.
Malicious Activity Summary
Gofing
Gofing family
Gofing is a ransomware family written in Go (Golang) and obfuscated with Velocity Polymorphic Compression (VPC).
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 07:54
Signatures
Gofing family
Gofing is a ransomware family written in Go (Golang) and obfuscated with Velocity Polymorphic Compression (VPC).
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
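Two of the static signatures above, "Gofing family" (a Go binary) and "Unsigned PE", can be confirmed on the file itself. The following is an added example, not sandbox output or Gofing code: it parses just enough of the PE header to read the Certificate Table data directory (entry 4; empty means no embedded Authenticode blob) and scans the image for the 32-byte build-info header that the Go linker emits, reading the Go version when it is stored inline (Go 1.18+ layout). `build_sample_pe()` constructs a minimal, non-executable PE32+ image so the example runs offline; the version string `go1.22.3` is made up, the report does not state the sample's Go version.

```python
"""Static checks for 'written in Go' and 'Unsigned PE'. Added example; the sample PE
built below is constructed for the demonstration and is not the analysed file."""
import struct
from typing import Optional

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte magic at the start of Go's build-info blob
BUILDINFO_HEADER_LEN = 32                   # magic(14) + ptrsize(1) + flags(1) + 2 pointers, padded
FLAG_INLINE_STRINGS = 0x2                   # Go 1.18+: version and modinfo follow as uvarint-prefixed strings


def _read_uvarint(buf: bytes, pos: int):
    """Decode a LEB128 unsigned varint; returns (value, next_pos)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def go_version(data: bytes) -> Optional[str]:
    """Return the Go toolchain version if the image carries a Go build-info header, else None."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0:
        return None
    flags = data[idx + 15]
    if not flags & FLAG_INLINE_STRINGS:
        # Pre-1.18 layout stores pointers to runtime.buildVersion; resolving them needs
        # the section table, which this example deliberately does not parse.
        return "go (pre-1.18 pointer layout; version not resolved)"
    n, pos = _read_uvarint(data, idx + BUILDINFO_HEADER_LEN)
    return data[pos:pos + n].decode("utf-8", "replace")


def has_embedded_signature(data: bytes) -> bool:
    """True if the PE's Certificate Table (data directory 4) is populated."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # data directories: PE32 at +96, PE32+ at +112
    if dd_off is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    va, size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    return va != 0 and size != 0


def analyze_pe(data: bytes) -> dict:
    return {"authenticode_present": has_embedded_signature(data), "go_version": go_version(data)}


def build_sample_pe(signed: bool, go_ver: Optional[str]) -> bytes:
    """Constructed minimal PE32+ image (no sections, not loadable) for exercising the checks."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 0 sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, 0x800)  # fake Certificate Table offset/size
    body = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if go_ver:
        header = (GO_BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS])).ljust(BUILDINFO_HEADER_LEN, b"\0")
        body += b"\0" * 16 + header + bytes([len(go_ver)]) + go_ver.encode() + b"\0"
    return body


if __name__ == "__main__":
    print(analyze_pe(build_sample_pe(signed=False, go_ver="go1.22.3")))
```

A populated Certificate Table only shows that a signature blob is embedded, not that it validates; and Windows catalog-signed binaries carry no embedded signature at all, so "Unsigned PE" here should be read as "no embedded Authenticode data". Validate a real sample with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` before drawing conclusions from the flag.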
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 07:54
Reported
2025-05-15 07:57
Platform
win10v2004-20250502-en
Max time kernel
86s
Max time network
144s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware family written in Go (Golang) and obfuscated with Velocity Polymorphic Compression (VPC).
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
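The three indicators under "Drops desktop.ini file(s)" share one shape: a binary running from `%LOCALAPPDATA%\Temp` creates `desktop.ini` in a SID-scoped `$Recycle.Bin` folder and under `Program Files`, locations a Temp-staged program has no business touching. Note that the `SearchApp.exe` processes listed just above are the Windows Search (Cortana UI) host, and no signature in this report attributes them to the sample, so the rule keys on the sample's own image path. The following is an added detection example, not sandbox output: it runs that rule over constructed Sysmon Event ID 11 (FileCreate) records built from the indicator table plus two benign events that must not alert. Field names follow Sysmon's schema (`Image`, `TargetFilename`); the records themselves are made up.

```python
"""Detection logic for the 'Drops desktop.ini file(s)' behaviour. Added example; the
events below are constructed (Sysmon Event ID 11 layout), not the sandbox's records."""
import re
from typing import Iterable, List, Optional, Tuple

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd"
              r"_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe")

# Constructed events: the three file creates reported for the sample, explorer.exe
# customising a user folder (benign), and the sample writing an unrelated file (no alert).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini"},
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI"},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": r"C:\Program Files\desktop.ini"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Pictures\desktop.ini"},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

# Writer runs from a user-writable staging directory ...
USER_STAGING_IMAGE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Desktop)\\",
    re.IGNORECASE)
# ... and creates desktop.ini in a per-user (SID-scoped) Recycle Bin folder ...
RECYCLE_BIN_DESKTOP_INI = re.compile(
    r"^[A-Z]:\\\$Recycle\.Bin\\S-1-5-21-\d+-\d+-\d+-\d+\\desktop\.ini$", re.IGNORECASE)
# ... or anywhere below Program Files / Program Files (x86).
PROGRAM_FILES_DESKTOP_INI = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\(.*\\)?desktop\.ini$", re.IGNORECASE)


def classify_file_create(event: dict) -> Optional[str]:
    """Return a reason string when a FileCreate event matches the pattern, else None."""
    if event.get("EventID") != 11:
        return None
    if not USER_STAGING_IMAGE.match(event.get("Image", "")):
        return None  # explorer.exe and other system binaries are expected desktop.ini writers
    target = event.get("TargetFilename", "")
    if RECYCLE_BIN_DESKTOP_INI.match(target):
        return "desktop.ini created in a user's $Recycle.Bin folder by a Temp-staged binary"
    if PROGRAM_FILES_DESKTOP_INI.match(target):
        return "desktop.ini created under Program Files by a Temp-staged binary"
    return None


def detect(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Run the rule over an event stream; returns (image, target, reason) per alert."""
    alerts = []
    for ev in events:
        reason = classify_file_create(ev)
        if reason:
            alerts.append((ev["Image"], ev["TargetFilename"], reason))
    return alerts


def directories_touched(alerts: List[Tuple[str, str, str]]) -> int:
    """Distinct parent directories hit: several from one image suggests a directory walk."""
    return len({target.rsplit("\\", 1)[0].lower() for _, target, _ in alerts})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for image, target, reason in hits:
        print(f"ALERT {reason}: {image} -> {target}")
    print(f"{directories_touched(hits)} distinct directories touched")
```

In production the same predicate maps onto a Sigma rule over `Image|contains: '\AppData\Local\Temp\'` and `TargetFilename|endswith: '\desktop.ini'` with the `Program Files` and `$Recycle.Bin` prefixes; the Recycle Bin write is the higher-fidelity half, since few legitimate installers enumerate another SID's recycle folder.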
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
Files
C:\Program Files\7-Zip\7-zip.dll
| MD5 | e395c2de6d5edf0c9915d8da3044f523 |
| SHA1 | 947c7cf6d0579f15b09490a117f5e240bbf8a50b |
| SHA256 | c43fd23d990571cac175db0637f4fae91c5700491c7311ea1393492dae06751a |
| SHA512 | 5be216937cd6f1d7822e9fbceeb89f194977afb4ce903b1d801910c70cd6da0eb42ca13e86d4d0d184d7380b412f1a1948889b0ab7c4d49a339a2d49ea702e7e |
memory/3600-5750-0x000001AEA7820000-0x000001AEA7840000-memory.dmp
memory/3600-5759-0x000001AEA7B70000-0x000001AEA7B90000-memory.dmp
memory/3600-5758-0x000001AEA75E0000-0x000001AEA7600000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml
| MD5 | 072d508c8a0d2689525f2eea4dce6ff9 |
| SHA1 | 0db1ed4dab098837a2fb4cd59f8a482f295d4e23 |
| SHA256 | 7d512f9f27854c85bd52bf5e038329366a7fb545752e7b846061a9854efd1b8f |
| SHA512 | c68e44da7cbe5992c874c9bd876ecfb934728fe971cd5d6021c3303fbbabe976ec53d09a454a359341a2fb9f6f921edc7885a5bc59f8d8edcc70c1389d97b9a4 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
| MD5 | 585d59e56728fdeb3389e4fb7cd6bc3b |
| SHA1 | bb169c6ec156a09bb60dc354958cd6cb3dd46090 |
| SHA256 | b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828 |
| SHA512 | 212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665 |
C:\WINDOWS\FONTS\MTEXTRA.TTF
| MD5 | a207e1444147aa44ce159d1d3bf225f7 |
| SHA1 | 381e5f421ef3de109acd7e70a391622f6602c5a9 |
| SHA256 | 0dbf5b430983c09aa2f6b964808e4217608489f480aec6a1819a25d50994b474 |
| SHA512 | 30a1b8810648f42163f3dd07bc971f33946266d70f2816a32b6dc24fe4bce0414dbe809405d78a6d212e106ca5cb31e8f94e0e9911f909dbf45af595c63fb4a5 |
C:\WINDOWS\FONTS\BKANT.TTF
| MD5 | 8ba77f00099edec326563d0f456dfee8 |
| SHA1 | ba094a8fd9284be093a3970bf77f7f31b76f23d6 |
| SHA256 | 98e907e4ea98a4a094b075bac860f2f9be2ef1e6a832ff62a006ac451849f3f7 |
| SHA512 | bf89aecca85b410011844cc2f1cd20d5afe01eab54e80c23ecff0c27977411a71cf3da7540888bd6d6e621e6fb04e397490a1f76ae25a8f16f6b12bcc81de20e |
memory/1232-5793-0x00000255E8C40000-0x00000255E8C60000-memory.dmp
memory/1232-5802-0x00000255E8C00000-0x00000255E8C20000-memory.dmp
memory/1232-5824-0x00000255E9010000-0x00000255E9030000-memory.dmp
memory/1232-5788-0x0000024DE6900000-0x0000024DE6A00000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
| MD5 | 031a1d1d0d75e1a0018b9e2c7c80d609 |
| SHA1 | 9edfae47b2b1b7c75fe5914ab0f8f3e241a58e6a |
| SHA256 | 21b39aab0df5acc1484798308042151496ebaa266a9d2baf1975502275628c8a |
| SHA512 | 09b04fa89e79df4c65ca68956ed8d4727d7bd0a1fb07fea2b20c10f2ec6bd29a3e3aedda0ef5a23ae327ef17725b30b2713cbf62fd0f8b60e15a7a7052820735 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133917693859259173.txt
| MD5 | b9a3570135c6cdac61e23a655424bb81 |
| SHA1 | b25c823b867b820fa34e0d61892c99af1b3db241 |
| SHA256 | e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6 |
| SHA512 | 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0 |
memory/1232-5787-0x0000024DE6900000-0x0000024DE6A00000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
| MD5 | 08fd76fcc814c28dfd328c2ae9bec105 |
| SHA1 | 0cfc99361ff187489d4e4d1873c32d92886d1d53 |
| SHA256 | e1cda8074d742600eb80a4da0c94186de5aede64ba89e3ee748ebde4f0eb4806 |
| SHA512 | bf840a06050badb35ea4e81bbd2d7665785717524033f9c8b093d5cfc690fcd473824e53fdf292314381271886d06e14a3d5ce44db2479e84cb7dd75bd5204d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-15 07:54
Reported
2025-05-15 07:57
Platform
win11-20250502-en
Max time kernel
87s
Max time network
103s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware family written in Go (Golang) and obfuscated with Velocity Polymorphic Compression (VPC).
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Network
Files
C:\Program Files\7-Zip\7z.dll
| MD5 | 02097387de84e0e94ea40e73184d4056 |
| SHA1 | a5533cf207ed0b75c9cac932c0951893b713c41a |
| SHA256 | 4cf2c96aa5f917d10e4fa147e16a1d285f2865eb033685e680c5c30a479a9bd6 |
| SHA512 | d2ec55d0083a925b95248ebcc62e556a523e94188f875b419b89e3bec923c1ab6a70e22ee311edbdf88e13b346ce8a0437f9f9e04bd19c0a48608644c2dad3e2 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
| MD5 | eeb4e4d98dd990bb085f1a89202fd024 |
| SHA1 | 16f0dd95388f9bdb5668d92d2ed63cfa53b59452 |
| SHA256 | b6f4bf00d47601884c0e86a6736d09f773d55baf79b3827ee6021a13af870330 |
| SHA512 | c42b6243f04d4f7f917f2b125f8867b816fad5f2f17e2042bdcdfea95c418274d555daa46a6684958cc38f14d41e150122b67af030a724300a2a358bba6f85ad |