Type: analysis | Family: menomoushop | Confidence: medium | Created: 2026-05-30 | Updated: 2026-05-30 | Tags: pe, compiler, signing, obfuscation, c2, malware-family, infostealer, mitre-attck
SHA-256: 3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f

menomoushop: 3aca18df — Go 1.25.4 PE64 infostealer, Authenticode signed CN=maybe.us, randomized function names

Executive Summary

Signed Go 1.25.4 PE64 (1.9 MB) with twenty-four main.* functions carrying randomized 8–16 character names. Embedded AES and SHA256 constants in .rdata, Authenticode leaf cert CN maybe.us issued by Go Daddy. No static C2 IOCs visible; net/http, crypto/tls, and syscall networking packages present. OpenCTI tags associate this sample with menomoushop, remusstealer, and sunwukong labels. CAPE detonation skipped — no Windows guest available.^[dynamic-analysis.md]

What It Is

| Field | Value |
|---|---|
| SHA-256 | 3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f |
| Size | 1,922,232 bytes (1.9 MB) |
| File type | PE32+ executable (GUI) x86-64, 8 sections^[file.txt] |
| Compiler | Go 1.25.4, build ID 8CwLveuGUuDP-ElEy1Gz/Xd_XIQD9LgBhcAds0SQv/jsxjmkuU6qFg8GiIKDkl/CwEL7yjsjDff1B_0IvdZ^[strings.txt:9] |
| Entry point | 0x140073000 (Go runtime shim) |
| Sections | .text, .rdata, .data, .pdata, .xdata, .idata, .reloc, .symtab^[pefile.txt] |
| .symtab | Present (unstripped symbol table); function names and Go type information intact^[pefile.txt] |
| Certificate | Authenticode PKCS#7 at offset 0x1D4C00; leaf CN maybe.us, issuer Go Daddy Secure Certificate Authority - G2^[binwalk.txt] |
| Filename | sunwukongs.exe |

Build provenance. rabin2 identifies lang: go, signed: true, canary: true, nx: true, pic: true.^[rabin2-info.txt] Linker version 3.0, timestamp epoch zero (common for reproducible Go builds).^[exiftool.json]
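The Go version string and build ID can be recovered from the raw bytes without a PE parser: the Go linker writes the build ID between fixed markers (`\xff Go build ID: "` and `"\n \xff`) near the start of .text, and the runtime keeps the toolchain version as a plain string such as go1.25.4. The script below is an added example, not tooling from this report or from any project it names; the sample bytes are constructed around the build ID quoted above, and the `.symtab` check is a plain substring test, the same shortcut the YARA rule in this report uses rather than a read of the PE section table.

```python
import re
import sys

# Markers the Go linker writes around the build ID (cmd/internal/buildid).
GO_BUILD_ID_PREFIX = b'\xff Go build ID: "'
GO_BUILD_ID_SUFFIX = b'"\n \xff'
# Toolchain version string as embedded by the Go runtime (e.g. go1.25.4).
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?(?:rc\d+|beta\d+)?")


def find_go_build_id(data: bytes):
    """Return the Go build ID embedded in data, or None if the markers are absent."""
    start = data.find(GO_BUILD_ID_PREFIX)
    if start < 0:
        return None
    start += len(GO_BUILD_ID_PREFIX)
    end = data.find(GO_BUILD_ID_SUFFIX, start)
    if end < 0:
        return None
    return data[start:end].decode("ascii", errors="replace")


def find_go_version(data: bytes):
    """Return the most specific go1.x[.y] version string found, or None."""
    matches = GO_VERSION_RE.findall(data)
    if not matches:
        return None
    # Prefer the longest match so "go1.25.4" wins over a bare "go1.25" elsewhere.
    return max(matches, key=len).decode("ascii")


def go_fingerprint(data: bytes) -> dict:
    """Collect the static Go build markers this report keys on."""
    return {
        "build_id": find_go_build_id(data),
        "go_version": find_go_version(data),
        # Substring test only; a stricter check would read the PE section table.
        "symtab_section": b".symtab" in data,
        "is_pe": data[:2] == b"MZ",
    }


# Constructed sample: a fake PE prefix wrapped around the build ID quoted in this report.
PAGE_BUILD_ID = "8CwLveuGUuDP-ElEy1Gz/Xd_XIQD9LgBhcAds0SQv/jsxjmkuU6qFg8GiIKDkl/CwEL7yjsjDff1B_0IvdZ"
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 62
    + GO_BUILD_ID_PREFIX + PAGE_BUILD_ID.encode("ascii") + GO_BUILD_ID_SUFFIX
    + b"\x00" * 16 + b".symtab\x00" + b"go1.25.4\x00"
)

if __name__ == "__main__":
    # Usage: python go_fingerprint.py <file>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for key, value in go_fingerprint(data).items():
        print(f"{key}: {value}")
```

Run against a real binary, the build ID is the same value `go version -m` prints, so it can be compared against the IOC list directly; a mismatch in the version string between this scan and `go version -m` usually means the regex picked up a stray version literal in .rdata, which is why the longest match is preferred.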

Anti-analysis. None observed statically: no packer, no VM/debug checks in the import table, no control-flow flattening. The only obfuscation is function-name randomization inside the main package, a pattern already seen in other Go stealer builders.^[r2:sym.main.main]

How It Works

main.main is a thin dispatcher calling five sibling main.* functions in sequence:^[r2:sym.main.main]

  1. main.hsomwbzzbosgi
  2. main.ayudsfebqnse
  3. main.xybmhdflmsnl
  4. main.pziaetfdvgad
  5. main.wzzlalpavgyk

Each callee is small (234–389 bytes) and passes control into larger workers; the largest is main.yybtnsuxeeswlv (1,485 bytes), which allocates buffers and branches through nested counters before calling main.gdbfedcoabf (1,284 bytes) and main.mkmukw (308 bytes).^[r2:sym.main.yybtnsuxeeswlv] This tiered structure suggests a modular builder that generates per-sample random names from a fixed capability set.
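To triage a symbol table for this naming pattern, the following Python script (added here as an illustration; it is not part of the original analysis or of any project's tooling) scores every main.* name from a list of the kind `rabin2 -s` or `go tool nm` produces. Where the YARA rule in the Deployable Signatures section counts any lowercase 8–16 character run after `main.`, this check adds a pronounceability filter, flagging a name only if it has a run of four or more consonants or fewer than 25% vowels, so a readable name such as main.handleconnection is not counted. The symbol list is constructed: it combines the function names quoted in this report with a few invented readable names and runtime symbols.

```python
import re

MAIN_PREFIX = "main."
VOWELS = set("aeiou")
RANDOM_NAME_RE = re.compile(r"[a-z]{8,16}")
# Same string the YARA rule counts with #main_dot.
YARA_MAIN_DOT_RE = re.compile(r"main\.[a-z]{8,16}")


def is_randomized(symbol: str) -> bool:
    """Flag a main.* function whose name looks machine-generated.

    Heuristic: lowercase, 8-16 characters (the range observed in this sample),
    and either a run of four or more consonants or fewer than 25% vowels.
    'y' is treated as a consonant. This is triage, not proof.
    """
    if not symbol.startswith(MAIN_PREFIX):
        return False
    name = symbol[len(MAIN_PREFIX):]
    if not RANDOM_NAME_RE.fullmatch(name):
        return False
    vowel_fraction = sum(c in VOWELS for c in name) / len(name)
    consonant_runs = re.findall(r"[^aeiou]+", name)
    longest_run = max((len(run) for run in consonant_runs), default=0)
    return longest_run >= 4 or vowel_fraction < 0.25


def count_yara_hits(symbols) -> int:
    """How many symbols the YARA string /main\\.[a-z]{8,16}/ would count."""
    return sum(1 for s in symbols if YARA_MAIN_DOT_RE.search(s))


def triage(symbols):
    """Return (flagged main.* names, number of main.* functions, flagged share)."""
    main_funcs = [s for s in symbols if s.startswith(MAIN_PREFIX)]
    flagged = [s for s in main_funcs if is_randomized(s)]
    share = len(flagged) / len(main_funcs) if main_funcs else 0.0
    return flagged, len(main_funcs), share


# Constructed symbol list: the main.* names quoted in this report plus a few
# invented readable names and runtime symbols, as rabin2 -s or go tool nm would list them.
SAMPLE_SYMBOLS = [
    "main.main", "main.init",
    "main.hsomwbzzbosgi", "main.ayudsfebqnse", "main.xybmhdflmsnl",
    "main.pziaetfdvgad", "main.wzzlalpavgyk", "main.yybtnsuxeeswlv",
    "main.gdbfedcoabf", "main.mkmukw", "main.aygcuvuvsjosdlt",
    "main.qxhtljolqhoa",
    "main.loadConfig", "main.handleconnection",   # invented, readable
    "runtime.newosproc", "runtime.mstart", "math/rand.Intn",
]

if __name__ == "__main__":
    flagged, total, share = triage(SAMPLE_SYMBOLS)
    print(f"{len(flagged)}/{total} main.* functions look randomized ({share:.0%})")
    print(f"YARA #main_dot would count {count_yara_hits(SAMPLE_SYMBOLS)}")
    for name in flagged:
        print("  ", name)
```

On the constructed list the heuristic flags nine names while the YARA-style count reaches ten, the difference being the readable main.handleconnection; main.mkmukw is skipped by both because it is shorter than eight characters. A flagged share above roughly half of the main package is the signal worth acting on; a single hit is noise.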

The .rdata section carries AES S-Box/Inverse S-Box and SHA256 round constants, confirming onboard crypto.^[binwalk.txt] crypto/tls, net/http, and crypto/aes package strings are present^[strings.txt], but no hardcoded domains, IPs, or URI paths appear in the static corpus. C2 infrastructure is therefore either:

  • runtime-decoded from an embedded config blob, or
  • passed as command-line arguments / dropped companion file.

Capability inference. The network surface (WSAStartup, ConnectEx, GetAddrInfoW, TLS/HTTP packages) plus crypto suite implies encrypted C2 beaconing and likely credential exfiltration. The remusstealer and sunwukong labels across the OpenCTI corpus reinforce infostealer classification, though without dynamic execution this remains inference.

Decompiled Behavior

Radare2 analysis recovered 2,155 functions including full Go runtime. The main package consists entirely of short functions with randomized names.^[r2:afl~main.] No reflective loading or process-hollowing primitives were found in import or symbol tables. The binary uses standard Go goroutine/threading (runtime.newosproc, runtime.mstart) and relies on the Windows syscall package for OS interfaces rather than direct ntdll PEB walking.

Notable decompiled patterns:

  • main.aygcuvuvsjosdlt (649 bytes): allocates a new slice, falls through a test rcx, rcx / jle guard multiple times, then copies data via runtime.memmove.^[r2:sym.main.aygcuvuvsjosdlt] This is consistent with string/array decoding in Go stealer internals.
  • main.qxhtljolqhoa (234 bytes): rep stosq loop over 300 qwords (0x12c), then calls math/rand.Intn(1000) in a loop — a delay or jitter primitive.^[r2:sym.main.qxhtljolqhoa]

C2 Infrastructure

Static IOCs: None. No hardcoded IP, domain, mutex, or named pipe string survives in the extracted corpus.

Runtime-resolved indicators (inferred):

  • Protocol: TLS-over-TCP (crypto/tls + net/http strings) — port and host unknown statically.
  • Beaconing style: likely periodic POST or WebSocket given the async primitives (WSAGetOverlappedResult, GetQueuedCompletionStatusEx).

Interesting Tidbits

  • Signed with a live-ish Go Daddy DV cert. The leaf cert is not self-signed and not a known stolen signer from our prior Go-stealer cluster (which used Sectigo DV CN sedo.com and CN me.muz.li). This suggests the actor has access to fresh DV issuance or stolen keys.
  • .symtab present. This is rare for production malware; the builder either omits -s -w linker flags or the author does not care about size/reversing friction. It gives us 2,155 recoverable function names and type information.
  • Zero epoch timestamp. Standard for reproducible Go builds; no compile-time attribution from PE timestamp.
  • Function-name randomization as sole obfuscation. Compare to the golang-stealer-build-pattern cluster (ACRStealer, OrderReShop, Lumma sibling) where randomized module paths and function names appear. Here, the module path is absent from go version -m output, but function names are randomized. The builder may be a fork or earlier variant.

How To Mess With It (Homelab Replication)

Toolchain: Go 1.25.4, GOOS=windows GOARCH=amd64, target Windows 10/11 x64.

Reproduce the build fingerprint:

go mod init example.com/stub
cat > main.go <<'EOF'
package main

import "crypto/aes"

// Touching crypto/aes pulls the S-Box tables into .rdata, as in the sample.
func main() {
    _, _ = aes.NewCipher(make([]byte, 32))
}
EOF
# Cross-compile for the sample's target; -H=windowsgui selects the GUI subsystem seen in the sample.
GOOS=windows GOARCH=amd64 go build -ldflags="-H=windowsgui" -o stub.exe main.go

Verification: rabin2 -I stub.exe should show lang: go, signed: false, .symtab present, and capa (when functional) should hit encrypt data using AES. For this sample, the distinguishing marks are the Authenticode cert and the randomized main.* function name pattern.

Deployable Signatures

YARA

rule menomoushop_go1254_signed {
    meta:
        description = "Go 1.25.4 signed PE64 with randomized main.* function names — menomoushop / remusstealer / sunwukong family"
        author = "Titus"
        date = "2026-05-30"
        hash = "3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f"
    strings:
        $go125 = "go1.25.4" ascii
        $symtab = ".symtab" ascii
        $main_dot = /main\.[a-z]{8,16}/ ascii
        $aes_sbox = { 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 }
        $maybe_cn = "maybe.us" ascii wide
    condition:
        uint16(0) == 0x5a4d and
        $go125 and
        $symtab and
        #main_dot >= 10 and
        ($aes_sbox or $maybe_cn)
}

Behavioral fingerprint statement

This binary is a Go 1.25.4 PE64 with an unstripped .symtab section, Authenticode signed by a Go Daddy DV certificate with leaf CN maybe.us. It contains 20+ main package functions with randomized 8–16 character names, imports only kernel32.dll, and carries embedded AES and SHA256 constants. No static C2 IOCs are present; network behaviour is inferred from embedded crypto/tls and net/http packages and Windows socket syscall wrappers.

IOC list

| Type | Value |
|---|---|
| SHA-256 | 3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f |
| Filename | sunwukongs.exe |
| Go build ID | 8CwLveuGUuDP-ElEy1Gz/Xd_XIQD9LgBhcAds0SQv/jsxjmkuU6qFg8GiIKDkl/CwEL7yjsjDff1B_0IvdZ |
| Signing cert CN | maybe.us |
| Signing issuer | Go Daddy Secure Certificate Authority - G2 |
| Compiler | Go 1.25.4 |

Detection Signatures

| ATT&CK ID | Name | Evidence |
|---|---|---|
| T1055 | Process Injection | Not observed statically (no CreateRemoteThread, NtMapViewOfSection, or WriteProcessMemory in import table). Would need dynamic confirmation. |
| T1071.001 | Application Layer Protocol: Web Protocols | Inferred from net/http, crypto/tls strings.^[strings.txt] |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | AES S-Box/Inverse S-Box embedded in .rdata.^[binwalk.txt] |
| T1027.002 | Obfuscated Files or Information: Software Packing | Absent; no packer detected. |
| T1497 | Virtualization/Sandbox Evasion | Not observed statically. |

References

Provenance

  • file.txt — file(1) output
  • exiftool.json — ExifTool PE metadata
  • pefile.txt — pefile Python library section/import dump
  • rabin2-info.txt — radare2 binary header summary
  • binwalk.txt — binwalk embedded artifact scan
  • strings.txt — strings extraction (Go runtime + user package strings)
  • r2:sym.main.main, r2:sym.main.yybtnsuxeeswlv, r2:sym.main.aygcuvuvsjosdlt, r2:sym.main.qxhtljolqhoa — radare2 disassembly/decompilation
  • Tools: radare2 5.9.9, pefile 2023.2.7, binwalk 2.3.4