File name:	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
Full analysis:	https://app.any.run/tasks/ddf8e231-e3e0-4ee2-9cf6-38651fdc5783
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 23:28:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware gofing fileinfector golang stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5:	9274E9850EBAB751374385A389813D7E
SHA1:	C2EEC8ADC29F40363F27873584312FC358D5AEBF
SHA256:	B0ECF2DC38A19C4743EC99CCB46453D1D7F8EA274CA4636383087CB7A3435DFE
SSDEEP:	98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnV8:w0JO

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	1319424
InitializedDataSize:	226816
UninitializedDataSize:	-
EntryPoint:	0x63740
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line

PID	Process	Filename		Type
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp		—
		MD5:—	SHA256:—
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini		executable
		MD5:0FD590BAC51736910957541586C6FDD4	SHA256:7F857FDCFA94DC22B4FD662DE0FE2886E7DA8E143D993D06DEDF2E2B1A4F1AFA
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\11e41899-2897-4b03-864c-aa991f90f535		executable
		MD5:290DC785F9D7C0C24D436CE758017CCA	SHA256:064E105E42ADA9074C59608AAA2A72195B3EADA4D7A9C24656BDC9875398831D
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\16ab3579-ceca-43a8-9d5a-b14749faa335		executable
		MD5:0243DBBA2576DF7C2E5E6C0E3EB63B40	SHA256:7CD4F637A7B19C6572AD008076AD11A10376F995B979DCD68A818D86382C6272
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Adobe\ARM\S\388\AdobeARM.msi		executable
		MD5:278512959580EC2D14F6663B15A1F3BF	SHA256:6A38865811966615F4B33C8587A76452EB926567B187B61859EA9972EE2D818E
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_344a8180346ca76892ce216b982cf822c61fbb7_00000000_71683ae8-b291-43e9-ae7c-85522da87a4d\Report.wer		executable
		MD5:A5B1A192ECD2762FE89863A95534D7BB	SHA256:20E3926051291A634DFA0E7A8754F1E2CAE8A1349551020CC65683B6547EAF6B
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe		executable
		MD5:F526803F8A84CB17E4815E8019E348D6	SHA256:5E226C206FDE4C74CA4C03DECC37894CDD2F5E1C53FCA154DD48EDB5B1B675BE
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\User Account Pictures\admin.dat		executable
		MD5:83383A3C53D78C8D2B3F0638E5D81732	SHA256:754B1F49AD053FE736B7748DC0F8415FE6CD5E348A2F85B22C9E28C2B7A36664
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\0def51e6-0c6e-4245-b5c0-45657704a6a2		executable
		MD5:C681CBEBC9CB90F8C063BD4AC69C9DD6	SHA256:8FBEF44FB4305E98FFF3E91A830FE13E909ED6F882EAB40F66EE5A24DA6A881A
3884	2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\0705cb32-67a0-4f07-a729-97d547d79346		executable
		MD5:052A940D23AED9DE3FD8377F0B0A5326	SHA256:31EDE7D01ABD925C555DB6B6124214AC08C61A2564B9F5A8BD390242CADDD7F3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4512	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4512	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.131:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	40.126.31.69:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.159.71:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	40.126.31.130:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	20.190.159.0:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4512	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4512	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4512	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
login.live.com	20.190.159.131 40.126.31.0 20.190.159.129 40.126.31.2 40.126.31.130 20.190.159.0 40.126.31.69 20.190.159.71	whitelisted
nexusrules.officeapps.live.com	52.111.236.23	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-06-21_9274e9850ebab751374385a389813d7e_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

9274E9850EBAB751374385A389813D7E

C2EEC8ADC29F40363F27873584312FC358D5AEBF

B0ECF2DC38A19C4743EC99CCB46453D1D7F8EA274CA4636383087CB7A3435DFE

98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnV8:w0JO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RANSOMWARE has been detected

GOFING has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Modifies files in the Chrome extension folder

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Executable content was dropped or overwritten

Suspicious files were dropped or overwritten

INFO

Checks supported languages

Application based on Golang

Detects GO elliptic curve encryption (YARA)

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings