type: analysis
family: acrstealer
confidence: high
created: 2026-05-29
updated: 2026-05-29
SHA-256: 1bfebf79c24d0813eb39fec74637d52b008188812631a4f666a59fae7c0cef2c

Filename: hnmh.exe ^[triage.json]

1. Build / RE

Toolchain

  • Compiler: Go 1.26.2 (GOARCH=386, GOOS=windows, CGO_ENABLED=0, -trimpath=true) ^[ghidra:metadata] ^[strings.txt:8]
  • Module path: randomized to rDRsLkGEEednpRk ^[strings.txt:1675]
  • Main-package function: main.cftlaaqwasdjjow ^[strings.txt:5655]
  • Build ID: rFJq7ji7BsvqbyBUr0bk/Z-IZGL7k8zHU6J6osPgK/qKUkUtFzjeFBIPe2xXSe/IHisOcg_uQ64AyndW0lI ^[strings.txt:8]
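The toolchain fields above (Go version, module path, main package, GOOS/GOARCH, CGO_ENABLED, -trimpath) all come from the buildinfo blob the Go linker embeds in every binary it produces; Ghidra's Go metadata extraction reads it, and so does the Go standard library. The following is an added example (this editor's code, not part of the report or of the sample) that prints those fields for any Go binary and flags a main-module path that could never be fetched from a module proxy, which is the shape of a per-build randomized name such as rDRsLkGEEednpRk. The LooksUnfetchable heuristic is the editor's own and not a rule from the triage pipeline.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// GoBuildSummary holds the build metadata that matters for triage of a Go
// binary: toolchain version, module and main-package paths, and the build
// settings (GOOS, GOARCH, CGO_ENABLED, -trimpath, ...) recorded by the linker.
type GoBuildSummary struct {
	GoVersion   string
	ModulePath  string            // info.Main.Path, e.g. rDRsLkGEEednpRk in this sample
	MainPackage string            // info.Path, the package that holds main.main
	Settings    map[string]string // key/value build settings as shown by `go version -m`
}

// ReadGoBuildInfo parses the buildinfo blob that the Go linker embeds in every
// binary it produces (ELF, PE and Mach-O alike), using only the standard
// library. It fails on binaries that are not Go or whose blob was damaged.
func ReadGoBuildInfo(path string) (*GoBuildSummary, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("no Go build info in %s: %w", path, err)
	}
	s := &GoBuildSummary{
		GoVersion:   info.GoVersion,
		ModulePath:  info.Main.Path,
		MainPackage: info.Path,
		Settings:    make(map[string]string, len(info.Settings)),
	}
	for _, kv := range info.Settings {
		s.Settings[kv.Key] = kv.Value
	}
	return s, nil
}

// Trimmed reports whether the binary was built with -trimpath, which strips
// the build host's directory names (GOPATH, module cache) from file paths.
func (s *GoBuildSummary) Trimmed() bool { return s.Settings["-trimpath"] == "true" }

// LooksUnfetchable is a heuristic (this editor's, not from the report): a
// module path whose first element has no dot cannot be resolved through a
// module proxy, so it is either a local throwaway name or generated per build.
// "command-line-arguments" is what plain `go build file.go` records and is
// excluded so ordinary ad-hoc builds are not flagged.
func LooksUnfetchable(modulePath string) bool {
	if modulePath == "" || modulePath == "command-line-arguments" {
		return false
	}
	first, _, _ := strings.Cut(modulePath, "/")
	return !strings.Contains(first, ".")
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gobuildinfo <go-binary>")
		os.Exit(2)
	}
	s, err := ReadGoBuildInfo(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("Go %s  module=%s  main=%s  trimpath=%v  unfetchable-module=%v\n",
		s.GoVersion, s.ModulePath, s.MainPackage, s.Trimmed(), LooksUnfetchable(s.ModulePath))
	for _, k := range []string{"GOOS", "GOARCH", "CGO_ENABLED", "-buildmode", "-compiler"} {
		if v, ok := s.Settings[k]; ok {
			fmt.Printf("  %s=%s\n", k, v)
		}
	}
}
```

Run as gobuildinfo hnmh.exe; the same fields are what `go version -m hnmh.exe` prints, but having them as a struct makes it easy to batch over a family cluster and diff module paths and build settings between siblings.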

Packing / Obfuscation

  • No external packer. Standard Go static binary; .text entropy ~6.2 (consistent with compiled Go, not packed). ^[file.txt]
  • Zeroed PE timestamp (TimeDateStamp: 0x0). ^[pefile.txt] ^[rabin2-info.txt] This is what the Go linker emits by default for reproducible builds, so it is not by itself an anti-analysis measure, although it does remove a build-date pivot.
  • Randomized module path and function names obfuscate intent without altering control flow.

Signing

  • Authenticode signature block attached: IMAGE_DIRECTORY_ENTRY_SECURITY at file offset 0x28FE00, size 0x880. ^[pefile.txt] For this directory alone the VirtualAddress field is a raw file offset, not an RVA, because the signature block is appended outside any section.
  • The PKCS#7 blob starts 8 bytes in, at 0x28FE08, after the WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType); the raw dump there shows CN=me.muz.li, issuer R13. ^[binwalk.txt] ^[terminal:raw-cert-parse]
  • Same certificate chain as siblings 16a4344d and d5655568. ^[entities/acrstealer.md]
  • Caveat: signature validity was not checked. An attached security directory only proves a signature block is present; whether the Authenticode hash matches the image, whether the chain is trusted for code signing and whether the leaf carries the Code Signing EKU (1.3.6.1.5.5.7.3.3) needs osslsigncode verify or signtool verify /pa on the sample. A CN that is a hostname paired with a short issuer name like R13 is the shape of a TLS server certificate rather than a code-signing certificate, which would make the signature invalid on Windows regardless of the chain.
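To confirm where the PKCS#7 blob sits and why the raw dump begins at 0x28FE08 rather than 0x28FE00, the following added example (this editor's code, not part of the report or of the sample) parses the security directory of a PE with the Go standard library: it locates the directory for both PE32 and PE32+, reads the WIN_CERTIFICATE header, checks dwLength, wRevision and wCertificateType against the directory size and the image bounds, and writes out the DER blob. Field names and constants follow the PE/Authenticode format; the image used in the accompanying check is a constructed byte buffer, not the sample.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

const (
	securityDirIndex  = 4      // IMAGE_DIRECTORY_ENTRY_SECURITY
	winCertHeaderLen  = 8      // dwLength(4) + wRevision(2) + wCertificateType(2)
	winCertRevision20 = 0x0200 // WIN_CERT_REVISION_2_0
	winCertTypePKCS7  = 0x0002 // WIN_CERT_TYPE_PKCS_SIGNED_DATA
)

// WinCertificate is one WIN_CERTIFICATE entry from the security directory.
type WinCertificate struct {
	Length   uint32 // dwLength: entry size including the 8-byte header
	Revision uint16
	CertType uint16
	Blob     []byte // DER-encoded PKCS#7 SignedData, starts at directory offset + 8
}

// SecurityDirectory returns the location of the security directory. Unlike
// every other data directory its VirtualAddress is a raw file offset, not an
// RVA, because the signature block is appended outside any section.
func SecurityDirectory(f *pe.File) (fileOffset, size uint32, err error) {
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		d := oh.DataDirectory[securityDirIndex]
		return d.VirtualAddress, d.Size, nil
	case *pe.OptionalHeader64:
		d := oh.DataDirectory[securityDirIndex]
		return d.VirtualAddress, d.Size, nil
	}
	return 0, 0, errors.New("PE has no optional header")
}

// ParseWinCertificate parses the first WIN_CERTIFICATE at fileOffset in image.
// Every length is checked against both the image and the directory size so a
// truncated or inconsistent entry is an error rather than an out-of-range slice.
func ParseWinCertificate(image []byte, fileOffset, dirSize uint32) (*WinCertificate, error) {
	end := uint64(fileOffset) + uint64(dirSize)
	if dirSize < winCertHeaderLen || end > uint64(len(image)) {
		return nil, errors.New("security directory lies outside the image")
	}
	hdr := image[fileOffset : fileOffset+winCertHeaderLen]
	c := &WinCertificate{
		Length:   binary.LittleEndian.Uint32(hdr[0:4]),
		Revision: binary.LittleEndian.Uint16(hdr[4:6]),
		CertType: binary.LittleEndian.Uint16(hdr[6:8]),
	}
	if c.Length < winCertHeaderLen || uint64(fileOffset)+uint64(c.Length) > end {
		return nil, fmt.Errorf("dwLength %#x inconsistent with directory size %#x", c.Length, dirSize)
	}
	if c.Revision != winCertRevision20 || c.CertType != winCertTypePKCS7 {
		return nil, fmt.Errorf("unexpected wRevision %#x / wCertificateType %#x", c.Revision, c.CertType)
	}
	c.Blob = image[fileOffset+winCertHeaderLen : fileOffset+c.Length]
	if len(c.Blob) == 0 || c.Blob[0] != 0x30 { // DER SEQUENCE tag opening the PKCS#7 ContentInfo
		return nil, errors.New("blob does not start with an ASN.1 SEQUENCE")
	}
	return c, nil
}

func fail(err error) { fmt.Fprintln(os.Stderr, err); os.Exit(1) }

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: wincert <pe-file> <out.p7b>")
		os.Exit(2)
	}
	image, err := os.ReadFile(os.Args[1])
	if err != nil {
		fail(err)
	}
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		fail(err)
	}
	off, size, err := SecurityDirectory(f)
	if err == nil && size == 0 {
		err = errors.New("not signed: empty security directory")
	}
	if err != nil {
		fail(err)
	}
	c, err := ParseWinCertificate(image, off, size)
	if err != nil {
		fail(err)
	}
	fmt.Printf("security directory: file offset %#x size %#x; PKCS#7 blob at %#x (%d bytes)\n",
		off, size, off+winCertHeaderLen, len(c.Blob))
	if err := os.WriteFile(os.Args[2], c.Blob, 0o644); err != nil {
		fail(err)
	}
}
```

Run as wincert hnmh.exe sig.p7b, then openssl pkcs7 -inform DER -in sig.p7b -print_certs -noout to read subject and issuer of every certificate in the chain. Extracting the blob says nothing about whether the signature is valid; that check (image hash, chain trust, Code Signing EKU) is what osslsigncode verify performs.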

Resources

  • .rsrc section contains PNG icon resources up to 256×256, used for social-engineering masquerade. ^[binwalk.txt]

Imports

  • Minimal IAT: only kernel32.dll (43 imports). Everything else (ws2_32.dll, dnsapi.dll, crypt32.dll, advapi32.dll, etc.) is resolved at run time via syscall.LoadLibrary + syscall.GetProcAddress. ^[rabin2-info.txt] ^[strings.txt:1601] This is how the Go runtime and standard library load Windows DLLs in every Go binary (lazy DLL loading), not an evasion technique specific to this sample; the DLL names in the string set are still a useful indicator of which capabilities were compiled in.
  • Go standard library linkage visible in strings: net/http, crypto/tls, crypto/x509, crypto/rsa, archive/zip. ^[strings.txt:1601]

2. Deploy / ATT&CK

Note: Dynamic analysis was skipped — no CAPE Windows guest available. ^[dynamic-analysis.md] All behavioural claims are static inferences or inherited from the family cluster.

Execution

  • T1059.003 (Windows Command Shell) — not observed in this sample: no cmd.exe, batch-script or command-line strings are present in the static string set.
  • T1204.002 (Malicious File — User Execution) — delivered as hnmh.exe, a GUI-subsystem PE with rich icons to encourage double-click execution. ^[triage.json] ^[binwalk.txt]

Persistence

  • None observed statically. No registry keys, Run keys, or scheduled-task strings present.

Defense Evasion

  • T1027.002 (Obfuscated Files or Information: Software Packing) — does not apply: the elevated .text entropy comes from Go's static compilation, not from a packer. The randomized module path and function names are better captured by the parent technique T1027 (Obfuscated Files or Information).
  • T1036.005 (Masquerading: Match Legitimate Name or Location) — weak fit: hnmh.exe does not mimic a known legitimate binary name or path. The masquerading element is the rich icon set that presents the file as an ordinary application. ^[binwalk.txt]
  • T1553.002 (Subvert Trust Controls: Code Signing) — an Authenticode signature block with cert CN me.muz.li / issuer R13 is attached. ^[pefile.txt] ^[binwalk.txt] Whether that signature validates (hash match, trusted chain, Code Signing EKU) has not been checked, so score this as an attempted rather than a confirmed trust subversion.

Collection

  • Inferred from family context and standard Go libraries (crypto/x509, archive/zip, net/http). Targets likely include browser credential stores, cryptocurrency wallets, and system files, consistent with the acrstealer family. ^[entities/acrstealer.md]
  • T1005 (Data from Local System) — implied by archive/zip linkage (staging files for exfil).
  • T1555 (Credentials from Password Stores) — family-level capability; no static confirmation in this build.

Command and Control

  • T1071.001 (Application Layer Protocol: Web Protocols) — net/http + crypto/tls linkage implies HTTPS C2. ^[strings.txt:1601]
  • T1573.002 (Encrypted Channel: Asymmetric Cryptography) — crypto/rsa, crypto/tls and crypto/x509 are present, but any net/http client that speaks HTTPS pulls these in, so their presence shows TLS use, not custom or pinned certificate validation; treat pinning as unconfirmed. ^[strings.txt:1601]
  • OpenCTI labels for this sample include hertzfigblob-icu, the label form of hertzfigblob.icu, indicating a new C2 domain for this build (siblings used laserlogdnsop.icu and IP 5.252.155.72). ^[triage.json]

Exfiltration

  • T1041 (Exfiltration Over C2 Channel) — inferred from net/http + crypto/tls + family behaviour. POST-based data upload to hardcoded endpoints. ^[entities/acrstealer.md]

IOCs

| Indicator | Type | Note |
| --- | --- | --- |
| 1bfebf79c24d0813eb39fec74637d52b008188812631a4f666a59fae7c0cef2c | SHA-256 | Sample hash |
| hnmh.exe | Filename | Original delivery name ^[triage.json] |
| rDRsLkGEEednpRk | Go module path | Randomized per build ^[strings.txt:1675] |
| me.muz.li | Cert CN | Authenticode signer ^[terminal:raw-cert-parse] |
| R13 | Cert issuer | Issuer CN ^[terminal:raw-cert-parse] |
| hertzfigblob.icu | Domain | C2 domain (OpenCTI label) ^[triage.json] |
| 5.252.155.72 | IP | Inherited from sibling C2 infra ^[entities/acrstealer.md] |

Notable Functions

  • main.cftlaaqwasdjjow — randomized entry-point function in the main package, consistent with the golang-stealer-build-pattern. ^[strings.txt:5655]

Provenance

  • file.txt, pefile.txt, rabin2-info.txt, strings.txt, binwalk.txt, triage.json, dynamic-analysis.md, exiftool.json
  • Ghidra metadata (Go buildinfo extraction)
  • Radare2 iI / ii
  • Raw byte inspection via Python / r2