Analysis Overview
SHA256
70d289cf197d637a1a93a979de56cf776622993a827feb74ac139f15ba2d8985
Threat Level: Known bad
The file 2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.
Malicious Activity Summary
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
Gofing family
Renames multiple (52) files with added filename extension
Manipulates Digital Signatures
Drops file in Drivers directory
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Drops Chrome extension
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Browser Information Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 14:05
Signatures
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-19 14:05
Reported
2025-05-19 14:07
Platform
win11-20250502-en
Max time kernel
145s
Max time network
102s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Renames multiple (52) files with added filename extension
Drops file in Drivers directory
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Windows\SysWOW64\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Network
Files
C:\Program Files\7-Zip\7z.dll
| MD5 | b714a1750d204d0a7e09fed3e52cd607 |
| SHA1 | b502d99d7d4b87ed61d59de28e646136c4675556 |
| SHA256 | 38d6da4752aace0211ba266133b799751ccc02cc08abc5a27b0207bae5eafbfd |
| SHA512 | 2ed32a88a49f3740b2e6fa7b489275223cea2c4926223b33312eeeccf0e1f86b3fcc700d119fa5370ff4421aa2236cb565a0ce74d0b8b70e3f3d9daa733b4c16 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 14:05
Reported
2025-05-19 14:07
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Windows\SysWOW64\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-19_7bbc90bb762b031f62f1a56871a6a5ce_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.24.89:443 | www.bing.com | tcp |
| NL | 88.221.24.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Program Files\7-Zip\7-zip.dll
| MD5 | 75550d4e7219303c63e565c92b5bcab4 |
| SHA1 | cab9daccb11d3a1f5b28354da2ed09a6317fd7ae |
| SHA256 | 5a1d2716898e209b8beab310f1d62d9e7a5951549dcd24b8527f844e2647d4db |
| SHA512 | 0b2bf0a56c4fd4393dfebe1706e59e8d8393c1b1767de5983b3dda13d9e14644c35c3cd89d6c958a6a07b7da6eaa56670378a416d8a50bcd10217237e7fe7175 |
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
| MD5 | 91f37c1fd4b0b79fa0689f8486d0526d |
| SHA1 | 236ac91a53d0235d3bb5efde6bf0d3a6f05819de |
| SHA256 | 9bd4160f1abf2f9cdf81768773c2e529f430c4b4e6e30dca20075379ef7662c1 |
| SHA512 | 622a016ad8822b4f4fe03853316487218aa16ad31a51a542ba1f6a16078154a5535b777414b0e27b34c16cc7eb4c4173bde52b49eed9051347b423d6ff45ebf4 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
| MD5 | 2ca84ec33c5b6ff5090e91e1316a8fd9 |
| SHA1 | 76a31f0d2c24777181ceac2ef16ea02591126089 |
| SHA256 | 756509fca9b3a5271f159ae3745b983d7bc98ae07059aa1ba855f6c05cf07f85 |
| SHA512 | a814ae785d19920e1a4e11f16686329b59eb1790b9d08ac334df68a2f8db74540af748e6650abc7ab7eb90ccf079e1da96ef99cbc5514ee5b403dd3fac955374 |