Analysis

  • max time kernel
    150s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 13:39

General

  • Target

    2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    5b9e5a89eb6c7826167c719c5467aa64

  • SHA1

    9826337e2b30831871cde19d23c30d6f2b679756

  • SHA256

    42e2feeb098bd035ccbd01d5bd59d6bdf3af9779d445e70085750479592d7376

  • SHA512

    45f9d4f90617d7b233cae22ef484f6d4834eb4d3c17c46568f12901df86179c6be3c2220eb00eee5d46c25adf4abe5c9e619e009198249d0ab5237ec4e818a12

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4U:ieF+iIAEl1JPz212IhzL+Bzz3dw/VWey

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing 8 IoCs
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 42 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3540
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4368
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2132

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Program Files\7-Zip\7-zip32.dll
          Filesize: 4.2MB
          MD5: d63843be3b7eb1c0e9c2f797ce6414a7
          SHA1: cf2253d7d63731496b5ab22b4469a874f9e9334a
          SHA256: 5ed9e86468279060f2031e1142b55af88d06c7fe08d4c30194f6100e6812625e
          SHA512: e21a13d01a6a88c0c3312e6e39cde3e844dba80efb5311d6a1e64751b1086c0486bd9ef37509c57568775a21504266644f373cd28958ecd83aa6fcabd174613c

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
          Filesize: 4.4MB
          MD5: b5c330b48cd86305e4608e8bbdb22405
          SHA1: 8d66fcd8ea478b62ae08d8a3b9cf0919362f167e
          SHA256: 9f4c0af8fe986def4578d4f6809e90f2b4b34fc19cf954ad2aafbe89b29e4abc
          SHA512: 786f8300f5fbb81d220845f329ba944967277f5a8269019852be13975d5a236fb3bfb7a7066cd6100057be9809c50ff802c466fb2edc52d52bfde86136f5314c

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
          Filesize: 5.8MB
          MD5: 920865b6ee3d9d19d0f999f9e6cf6dfa
          SHA1: 913658e599d0b47050f67d6f47360e7be138d818
          SHA256: 5241a0dea78f1001112ca2e909816b35b048544fd5fd3887eaa85531a6984456
          SHA512: 0e0c37e3f2d6985239a3932312ae495e6aaaa160493e6c3725cd09b0d3daf84f31568bbb6d43f9113b71f3d078b840c0a83d4a7155c694945928cdc03c51fa02

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\49DDX0WX\microsoft.windows[1].xml
          Filesize: 97B
          MD5: 88df8fd15df82aa8d53ca7e174dfa66c
          SHA1: 5ecc316c8a22b09f8f64f7c67efe4a0468f07c17
          SHA256: 474966fc1c140c583fdaa26a057798ba409db75d41bd7fab23f2e88c775ae682
          SHA512: 185a748bc1b3633739aed35a6a7e5ab850b5f59b4e37a343ace6c1440452e93a3c1a03cc8cfab0668c7a1d2e5d84613788abee116f9b769cf1240b13d57f8f42

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
          Filesize: 2KB
          MD5: 8e86cc897eefa3efe721338455517ce7
          SHA1: 416d74aec53ac33ffa31aa15ddfa3f37b6772ebd
          SHA256: c3e2f9e1319c325a4cee0c1e8066610693d9055c3bcd69d13dd205e64c698828
          SHA512: f3ae8acec692ee1e04825572cc82ad11952a4108026fed1c05feebc659984fe7185e1826c171699eb789c5803155e5ac9d2d4ca35d3e0432c601e032d0aa4640

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921357060202460.txt
          Filesize: 14KB
          MD5: b9a3570135c6cdac61e23a655424bb81
          SHA1: b25c823b867b820fa34e0d61892c99af1b3db241
          SHA256: e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
          SHA512: 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
          Filesize: 11KB
          MD5: 104f81dd974ee6cff12ac932f403f610
          SHA1: 9c5f77a499a2f193f21b61122bc6c297c04787d4
          SHA256: a255d75f49b42239950fab22206ec9eb2ddf2e9acca3eef2283d899ef6422cba
          SHA512: abd54847718f2c81372788838c511a85b57b68a1443ae8409f49a1554edaa45badcad1143119ea367c20f52084a05e2af3cc51596932f99e89879a2b9692c7f6

        • C:\WINDOWS\FONTS\ANTQUAB.TTF
          Filesize: 4.3MB
          MD5: 016c2527ac512fc9df181b60cc44e225
          SHA1: bd7615a0ed811eae178f3d82b8616fdd4e6d5319
          SHA256: 51bec63c3cede56d9a1c246a51d7b31fd438c52ac34117bbdde3325ac0c28bdb
          SHA512: 0c0c62e93a271e2ac65d77f3dc4409213a6678ff8c1d4c05e031864d2ae0f2eb12e6acb785691f477ae69bdbbf090246023dd92bf3e409fa77661978fd4168bc

        • C:\WINDOWS\FONTS\ANTQUABI.TTF
          Filesize: 4.3MB
          MD5: 576a08d7c69df02f3dd2157298188c94
          SHA1: 11a42e049f239be21c034c7b9272cb7fb29dc367
          SHA256: f296e29a88b7031620f85690667deb9eb60da1632af27478a0d99b5d2fc352af
          SHA512: 9beae9e8e327af18ce9df58bec30e2e4c21fb413734c85866f72cad7f6a67036b85b8e56611001cc3c32815aabdf1c75b1e502bec17ea52325cc4502a4f54633

        • C:\WINDOWS\FONTS\ANTQUAI.TTF
          Filesize: 4.2MB
          MD5: 877f4ff55df1279859a915784e9c1494
          SHA1: 30b03e3dac3f57a0b376c465ca94991ffe052746
          SHA256: 46b345683ee524fbac5d47c7bf8e88b2c9cf899bf0045252d00df8224b725bd8
          SHA512: 8c77127a73246346e0f2240655ac6de7905e28457b65449448e24b71ce9368d7a55731933102b75c74282b6ef69a9f821c3c281ce54699a77fbd3749656baed6

        • C:\WINDOWS\FONTS\ARIALN.TTF
          Filesize: 4.3MB
          MD5: 423978fb826c3fc0c41db0fba4ff454e
          SHA1: 09d9ac847811fe226552c58ec5ed93b092f2c79b
          SHA256: 3a3e00d087237d33ccce31f5cd256e939c210250ebe153ffd140aef3bf3bbfd3
          SHA512: fbdd99c17ca49b6908cee7386e7c76b5916304a91ecd2bc8f9be57747a3bc44a651f957f61e7353ea74435463ad23908744ee922ac40adc9c8c6c79230772ab3

        • C:\WINDOWS\FONTS\FREESCPT.TTF
          Filesize: 4.2MB
          MD5: 6c9652ed58486ed708ec83779d14d245
          SHA1: e93d86dc4c1d0485723b0367321fb93c9d4dbf21
          SHA256: cc65d30034e37d0d5d68a84016e9fd28da699c372d9b2514098883d8440a2668
          SHA512: 4747a82d74dace44e3ce45c179838a1cc245d7aeefa7d7079ed45207d35086eb331d0c7601175a7b21925ef99b85554dc3137d2f0ab274e5a52c300c71d881e7

        • memory/2132-5885-0x000001603A300000-0x000001603A400000-memory.dmp
          Filesize: 1024KB

        • memory/2132-5884-0x000001603A300000-0x000001603A400000-memory.dmp
          Filesize: 1024KB

        • memory/2132-5889-0x000001603BB90000-0x000001603BBB0000-memory.dmp
          Filesize: 128KB

        • memory/2132-5894-0x000001603BF60000-0x000001603BF80000-memory.dmp
          Filesize: 128KB

        • memory/2132-5893-0x000001603BB50000-0x000001603BB70000-memory.dmp
          Filesize: 128KB

        • memory/4368-5842-0x0000021113A20000-0x0000021113A40000-memory.dmp
          Filesize: 128KB

        • memory/4368-5841-0x0000021113690000-0x00000211136B0000-memory.dmp
          Filesize: 128KB

        • memory/4368-5833-0x00000211136D0000-0x00000211136F0000-memory.dmp
          Filesize: 128KB
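As an added example (not part of the sandbox report or its tooling), the Python below turns dropped-file entries in the layout above into a hunt list and checks files on disk against it by hash. The two hashed entries in REPORT_EXCERPT are copied from this report; the planted file, its `C:\constructed\...` path and the scratch directory used by `demo_hunt` are constructed for the demonstration and are not from the page.

```python
"""Hunt list from a sandbox report's dropped-file table; added example, not the sandbox's tooling."""
import hashlib, re, tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed excerpt copied from the report above: one entry in its label-then-value
# layout, one as "Label: value", and a memory dump with no hashes that must be skipped.
REPORT_EXCERPT = r"""
• C:\Program Files\7-Zip\7-zip32.dll
  Filesize
  4.2MB
  MD5
  d63843be3b7eb1c0e9c2f797ce6414a7
  SHA1
  cf2253d7d63731496b5ab22b4469a874f9e9334a
  SHA256
  5ed9e86468279060f2031e1142b55af88d06c7fe08d4c30194f6100e6812625e
  SHA512
  e21a13d01a6a88c0c3312e6e39cde3e844dba80efb5311d6a1e64751b1086c0486bd9ef37509c57568775a21504266644f373cd28958ecd83aa6fcabd174613c
• C:\WINDOWS\FONTS\ANTQUAB.TTF
  Filesize: 4.3MB
  MD5: 016c2527ac512fc9df181b60cc44e225
  SHA1: bd7615a0ed811eae178f3d82b8616fdd4e6d5319
  SHA256: 51bec63c3cede56d9a1c246a51d7b31fd438c52ac34117bbdde3325ac0c28bdb
  SHA512: 0c0c62e93a271e2ac65d77f3dc4409213a6678ff8c1d4c05e031864d2ae0f2eb12e6acb785691f477ae69bdbbf090246023dd92bf3e409fa77661978fd4168bc
• memory/2132-5885-0x000001603A300000-0x000001603A400000-memory.dmp
  Filesize
  1024KB
"""
ALGOS = ("md5", "sha1", "sha256", "sha512")
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")


@dataclass(frozen=True)
class DroppedFile:
    path: str
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Parse '• path' entries with Filesize/MD5/SHA1/SHA256/SHA512 fields in either
    layout; entries with no SHA256 (the memory dumps) are dropped, nothing to hunt."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, path, fields = [], None, {}

    def flush() -> None:
        if path is not None and fields.get("SHA256"):
            digests = {a: fields.get(a.upper(), "").lower() for a in ALGOS}
            entries.append(DroppedFile(path, fields.get("Filesize", ""), **digests))

    i = 0
    while i < len(lines):
        if lines[i].startswith("•"):
            flush()
            path, fields = lines[i][1:].strip(), {}
        elif (m := LABEL_RE.match(lines[i])):
            label, value = m.group(1), m.group(2).strip()
            if not value and i + 1 < len(lines):  # value sits on the next line
                i += 1
                value = lines[i]
            fields[label] = value
        i += 1
    flush()
    return entries


def hash_file(path: Path) -> dict[str, str]:
    """One streaming pass feeding all four digests, so multi-MB files stay cheap."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hunt(iocs: list[DroppedFile], root: Path) -> list[tuple[Path, DroppedFile]]:
    """Return every regular file under root whose SHA256 matches a report entry."""
    by_sha256 = {d.sha256: d for d in iocs}
    return [(p, by_sha256[h]) for p in sorted(root.rglob("*"))
            if p.is_file() and (h := hash_file(p)["sha256"]) in by_sha256]


def demo_hunt() -> list[str]:
    """Offline end-to-end run: plant a constructed file, add an IOC for it, hunt for it."""
    planted = b"constructed stand-in for a dropped file"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.bin").write_bytes(b"unrelated content")
        (root / "sub").mkdir()
        (root / "sub" / "dropped.bin").write_bytes(planted)
        digests = {a: hashlib.new(a, planted).hexdigest() for a in ALGOS}
        iocs = parse_dropped_files(REPORT_EXCERPT) + [
            DroppedFile(r"C:\constructed\dropped.bin", "39B", **digests)]  # constructed IOC
        return [p.name for p, _ in hunt(iocs, root)]
```

Matching is keyed on SHA256 only because MD5 and SHA1 are kept for cross-referencing with tooling that still reports them, not as the match criterion. Paste the full table from this report into REPORT_EXCERPT and point `hunt` at a mounted image or a suspect host's `C:\` to check whether the dropped versions of the fonts, Office DLLs and 7-Zip library listed above are present.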