General

  • Target

    2025-05-18_fb93c16313c9182163af269bdd1c4053_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

  • Size

    4.1MB

  • Sample

    250518-sljxzafm8t

  • MD5

    fb93c16313c9182163af269bdd1c4053

  • SHA1

    517dfc94a6712d6cb8b23905079743a0353f9e5c

  • SHA256

    b1bda9a6aa6b8ee94dc7f0f55c77a16263a538c8b639ee8f2b1d39549f782064

  • SHA512

    c6c39bb414233ea914672848e2390696c83e18adb8df79256c98aafbb10f55d592f2eb4cc64be7eb0bb41a74adf75daea071457a27752e675d870b6528231d79

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4/:ieF+iIAEl1JPz212IhzL+Bzz3dw/V9

Malware Config

Targets

    • Target

      2025-05-18_fb93c16313c9182163af269bdd1c4053_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

    • Size

      4.1MB

    • MD5

      fb93c16313c9182163af269bdd1c4053

    • SHA1

      517dfc94a6712d6cb8b23905079743a0353f9e5c

    • SHA256

      b1bda9a6aa6b8ee94dc7f0f55c77a16263a538c8b639ee8f2b1d39549f782064

    • SHA512

      c6c39bb414233ea914672848e2390696c83e18adb8df79256c98aafbb10f55d592f2eb4cc64be7eb0bb41a74adf75daea071457a27752e675d870b6528231d79

    • SSDEEP

      49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4/:ieF+iIAEl1JPz212IhzL+Bzz3dw/V9

    • Gofing

      Gofing is ransomware written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation.

    • Gofing family
    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks