General

  • Target

    2025-05-18_e860b739826383d24b2448c9f28f3eaa_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

  • Size

    4.2MB

  • Sample

    250518-kxm5rshj6s

  • MD5

    e860b739826383d24b2448c9f28f3eaa

  • SHA1

    ef7489e1010ea8f58b1cfdf1f966decf05c54b3c

  • SHA256

    453d518475f2dd486f9501aac6ba7cce4a76c2e22532e87207b72013f1d22b79

  • SHA512

    e9856eff0115f690b273d5b358b0c9739454fcf0fc60c9d0e64f1f217f0d1e4e58e7406277ca97d967ee8252ff62e0438ca4b7f37f6d15280c7a9f02d2569378

  • SSDEEP

    98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VRF1sr:pWvSDzaxztQVY

Malware Config

Targets

    • Gofing

      Gofing is a ransomware family written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation.

    • Gofing family

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks