General

  • Target

    2025-05-18_50802a6174a06b76a1b061c723893f08_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

  • Size

    4.3MB

  • Sample

    250518-skj7catqs8

  • MD5

    50802a6174a06b76a1b061c723893f08

  • SHA1

    1c2937a5b2748cf93844311e59a5f09fd19e4ba0

  • SHA256

    be11516d9805d48febfb260faed933d24bd4aef85dfa949e95702195888a8f99

  • SHA512

    2059e7fb5aab6707f400891280c53e4324b4fe82871f880daf3826596e50a858574f6d90d37dbcc25d116738c787efb87ee0b19665baab85cf5c99a4616f53cf

  • SSDEEP

    98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VJuj/rG:pWvSDzaxztQVJuj/rG

Malware Config

Targets

    • Target

      2025-05-18_50802a6174a06b76a1b061c723893f08_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

    • Size

      4.3MB

    • MD5

      50802a6174a06b76a1b061c723893f08

    • SHA1

      1c2937a5b2748cf93844311e59a5f09fd19e4ba0

    • SHA256

      be11516d9805d48febfb260faed933d24bd4aef85dfa949e95702195888a8f99

    • SHA512

      2059e7fb5aab6707f400891280c53e4324b4fe82871f880daf3826596e50a858574f6d90d37dbcc25d116738c787efb87ee0b19665baab85cf5c99a4616f53cf

    • SSDEEP

      98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VJuj/rG:pWvSDzaxztQVJuj/rG

    • Gofing

      Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    • Gofing family

    • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    • Renames multiple (52) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks