File name: 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

Full analysis: https://app.any.run/tasks/6108c966-71b4-4987-a670-30f5576b9ae3
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 23:25:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
gofing
fileinfector
golang
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5: 302BBABB204541DF8FD969E31B2E7872
SHA1: C513F257E3211120C87E5B4FDADA07741DFAA19C
SHA256: C50680B309FAC69940B77FB2C3D217B3068855105681FD1D3340A2176DFFA045
SSDEEP: 98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnVXu:w0Jxu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RANSOMWARE has been detected

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • GOFING has been detected (YARA)

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Steals credentials from Web Browsers

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Actions look like stealing of personal data

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Modifies files in the Chrome extension folder

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Executable content was dropped or overwritten

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Suspicious files were dropped or overwritten

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
  • INFO

    • Checks supported languages

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Application based on Golang

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Creates files in the program directory

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Checks proxy server information

      • slui.exe (PID: 6268)
    • Reads the software policy settings

      • slui.exe (PID: 6268)
    • Creates files or folders in the user directory

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
    • Detects GO elliptic curve encryption (YARA)

      • 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID: 5168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 1319424
InitializedDataSize: 226816
UninitializedDataSize: -
EntryPoint: 0x63740
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (THREAT), conhost.exe (no specs), slui.exe

Process information

PID: 5168
CMD: "C:\Users\admin\Desktop\2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Path: C:\Users\admin\Desktop\2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 668
Read events: 3 668
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 447
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp | -
MD5: -
SHA256: -

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\S\388\AdobeARM.msi | executable
MD5: 5A78DB991FA6924097BB22B5F813DEAF
SHA256: 5463255BF0F4E0A880894798F3916516ED37D25292598F73EF3AE8EC91E60864

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\User Account Pictures\admin.dat | executable
MD5: 0763B11E03D03D8654BBAD432CE9CBDC
SHA256: 89E6DE7387920A72674D27E738D54106052577AB5DF612D15EE9603F42A22431

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcrobatDCx64Manifest3.msi | executable
MD5: A0CA03BD8C8692521279D70F9A3A1CE7
SHA256: 3A25306B7A7980F51FFC5F0001377BBDD1D4158D09254E14863463EE1B6B99E5

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\0def51e6-0c6e-4245-b5c0-45657704a6a2 | executable
MD5: 8AE65D0A242A267B832A310A613600AF
SHA256: CB10A39CC8BA263F44ED4BF7E5FF4775B379CF0B16B3012380D19CF0E3C8D9D6

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\0705cb32-67a0-4f07-a729-97d547d79346 | executable
MD5: B946426D67D2228B1F0F09603457B81F
SHA256: 4596F0CA1AEAA29D14506CCC371DC83608B861445097E0FE5804E0B2FA69D4DF

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\07cd09fc-c5b6-479f-a762-5b2b2772c373 | executable
MD5: 82A1B749CC39F10AED4F1BBA5E687DA5
SHA256: 42FA735045FA3F25B34E065DAD1DCC746B4494BE179F9CD4151554EDA002E4A7

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\3c776c6e-a5e3-4ebf-957e-46a84bafb185 | executable
MD5: D8CC4FDD28986B107F2279FE5F69C601
SHA256: 4199341E54D8472DCBD8CBD3CBABE1B0DEB5BA39B220E241C15D009363E21D94

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\393134fa-f471-48fb-96b9-1870c6699f1b | executable
MD5: D9E19264EDB54E8C52C76C2A941F5C12
SHA256: DF6BF438079C2EAF42E1F83E1BD945102CC5914083FD971707CC5102AD0179A7

5168 | 2025-06-21_302bbabb204541df8fd969e31b2e7872_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\3fc076c0-bde9-4cf0-b7b8-d18c1f3f80bd | executable
MD5: 2567441C175E6E905DC8EB2D2C04AF1B
SHA256: 0844A068BDD96067769E48A85C61F0A7C35567D85EEEDE2D0195542B9E4F7FBE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 47
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
6304 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2320 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 184.24.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2320 | RUXIMICS.exe | 184.24.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2320 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 184.24.77.42
  • 184.24.77.12
  • 184.24.77.35
  • 184.24.77.37
  • 184.24.77.6
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.73
  • 40.126.31.3
  • 40.126.31.129
  • 20.190.159.75
  • 20.190.159.64
  • 40.126.31.1
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info