General
-
Target
2025-05-18_3f3a1726da6f211d2ae17567d0cba532_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
-
Size
4.2MB
-
Sample
250518-kfpl9sgm5z
-
MD5
3f3a1726da6f211d2ae17567d0cba532
-
SHA1
41884b13ff7ce8a6f9d1877c7e981962dc986ab1
-
SHA256
5dcb200c3b4a6da7a1bca9e9c786476d66cc368ac465f1a1c67c3eb85685833e
-
SHA512
dc6c2f88def035d6ecb8304f140966f3cee1c2ca6a45d2863fed2f112987b29d06ac93f0d552c0e19b27d393b640d875361e92dddb112240a68f816ac22322c9
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4U:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vq
Behavioral task
behavioral1
Sample
2025-05-18_3f3a1726da6f211d2ae17567d0cba532_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250502-en
Malware Config
Targets
-
-
Target
2025-05-18_3f3a1726da6f211d2ae17567d0cba532_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
-
Size
4.2MB
-
MD5
3f3a1726da6f211d2ae17567d0cba532
-
SHA1
41884b13ff7ce8a6f9d1877c7e981962dc986ab1
-
SHA256
5dcb200c3b4a6da7a1bca9e9c786476d66cc368ac465f1a1c67c3eb85685833e
-
SHA512
dc6c2f88def035d6ecb8304f140966f3cee1c2ca6a45d2863fed2f112987b29d06ac93f0d552c0e19b27d393b640d875361e92dddb112240a68f816ac22322c9
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4U:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vq
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-