General

  • Target

    2025-05-18_bc2ec81ccaaed2105aac15d85eb63574_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

  • Size

    4.1MB

  • Sample

    250518-sjwhzsfm5s

  • MD5

    bc2ec81ccaaed2105aac15d85eb63574

  • SHA1

    83547f6a816454863ff1925d40626f8cf6a283d9

  • SHA256

    ecdcb5696aca5bae223c62c1e683e932914e33d73462fa02d5b5e6382313e86b

  • SHA512

    a12fb719ae7f35bbd88e34282aee07ae57458534e3c8122101f340530a23415700ad49c6c6eaf146aa3462f918ec40f6f634b94ba3c503760be15bebf6c06157

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4q:ieF+iIAEl1JPz212IhzL+Bzz3dw/VQ

Malware Config

Targets

    • Gofing

      Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    • Gofing family

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks