File name: 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

Full analysis: https://app.any.run/tasks/b7698c34-4c0b-40a8-a4c6-bf579098ece1
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 10:06:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware, gofing, fileinfector, golang, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5: B39B281FBAD4235AD1F99B30BAD38DA2
SHA1: 3EABD194AF658ACEED801BB2DCF60CB68F1552AC
SHA256: 2C867AFFB77BA39AA9EC6A67EBFBD802FDA48275FA96D162E7474F12BA28B70E
SSDEEP: 98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnVPdL5n5LafzZ:w0JG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GOFING has been detected (YARA)

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • RANSOMWARE has been detected

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Steals credentials from Web Browsers

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Actions looks like stealing of personal data

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Modifies files in the Chrome extension folder

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Executable content was dropped or overwritten

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Suspicious files were dropped or overwritten

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
  • INFO

    • Detects GO elliptic curve encryption (YARA)

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Checks supported languages

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Application based on Golang

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Creates files in the program directory

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
    • Checks proxy server information

      • slui.exe (PID: 6684)
    • Reads the software policy settings

      • slui.exe (PID: 6684)
    • Creates files or folders in the user directory

      • 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 1319424
InitializedDataSize: 226816
UninitializedDataSize: -
EntryPoint: 0x63740
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive version in the full report)

start → THREAT 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe → conhost.exe (no specs); slui.exe

Process information

PID: 1720
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3028
CMD: "C:\Users\admin\Desktop\2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Path: C:\Users\admin\Desktop\2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6684
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 656
Read events: 3 656
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 453
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp |
MD5:
SHA256:
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\3c776c6e-a5e3-4ebf-957e-46a84bafb185 | executable
MD5:74C3F05033579CA54F6684335F745ACF
SHA256:6D2C65F7BF0FDECD62B468BACEB23FD02EF61BDB78C8888DCBCC7FDEBC787C68
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | executable
MD5:4BF9B34F64653029E39BA3BC9505E337
SHA256:714BB75931CA758A2ABA983C265A74CA91BC99573E6BF8F8D874A302C5D663A9
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\MF\Pending.GRL | executable
MD5:3F48B45DC940E00EDADD27BF95859DC6
SHA256:B1B845DBDDCA5ADEB3973D4E227598DBDDFE9E0D5C77E0AAAC12EEF6C8A090DE
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_344a8180346ca76892ce216b982cf822c61fbb7_00000000_71683ae8-b291-43e9-ae7c-85522da87a4d\Report.wer | executable
MD5:3D54B52AFA48519C4BC67C0178AD8647
SHA256:9A2C0F709CA3A3A14739062C932FB938BC40860560ECAA7F27900044AEB1C683
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini | executable
MD5:57CFAD8A9FBEDDD73A4741CC85DE3FF8
SHA256:DB47E38869E092D3B52ABFE01B774DBC7E58819FE0907D7BF9A8535AD7FC2E49
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\S\388\AdobeARM.msi | executable
MD5:9C7DF6232FFCD3D96ED88E2253DF7101
SHA256:53B8B3953E0C203268E83025BE7538A3CB61A6F02498E5BF1CBFDE0FC79C6040
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcrobatDCx64Manifest3.msi | executable
MD5:9132296C2161EE7936B8CBC06753BDF6
SHA256:F9459391376005C3C16A1A25F91F85AA7CDEB68AD818118983921EFFAE00D519
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\3a68eba7-36ba-46e8-8580-c496e747ab3a | executable
MD5:780D5C159AC56CCC2F953A095EEE7D63
SHA256:36AB7626C86148504C447CFFC7265DF09A5BD8175C0CECE6F4C61854816615D6
3028 | 2025-06-21_b39b281fbad4235ad1f99b30bad38da2_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\3fc076c0-bde9-4cf0-b7b8-d18c1f3f80bd | executable
MD5:1B14D503D5B54A910642FC5669BB5058
SHA256:C0598E337466511E67BC85488755F4D01B280DBF018485DD4819193BAE8EDD27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 45
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2664 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2664 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 200 | 40.126.32.76:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
| | POST | 200 | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
| | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2664 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2664 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178, 184.25.50.10, 184.25.50.8 | whitelisted
www.microsoft.com | 23.35.229.160, 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.159.71, 20.190.159.130, 20.190.159.64, 20.190.159.0, 20.190.159.75, 40.126.31.129, 20.190.159.4, 40.126.31.130 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.13 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info