neuralpulsecore5sbs: 47a2204d — First x64 sibling, Sectigo-signed, no hardcoded C2

Executive Summary

Signed Go 1.26.2 infostealer compiled as PE32+ (x86-64), the first 64-bit sibling observed in the corpus. Embeds an Authenticode certificate issued by Sectigo for sedo.com (domain-parking lander). No .rsrc icon section, no hardcoded C2 strings, and all main.* identifiers are randomized. Runtime-decoded C2 is inferred from the sharedbuild pattern with the acrstealer / lummastealer cluster. Static-only — CAPE has no Windows guest.

What It Is

The binary is a standard Go static executable with the full Windows syscall and runtime support linked in. There is no icon resource, no version info, and no PDB debug directory — all hallmarks of a -trimpath=true build.

How It Works

Entry Point

Entrypoint is 0x14007b740 (runtime._rt0_amd64). The Go runtime bootstraps the scheduler, creates the main goroutine, and dispatches to the user main.main function (0x140096a00) ^[r2:entry0] ^[r2:sym.main.main]. This is indistinguishable from any other Go Windows binary and gives no behavioural signal on its own.

Symbol Name Obfuscation

All main package functions carry randomized 10–14 character identifiers generated at compile time:

In addition, randomized type/struct names litter the type table: Ufonssst, yjvgye, Ssoddkeyfutvyf, Almnpvpysxkems, Pgomjdgbtkflmw, Ydqxlmfcktater, Yvjksgxwycmona ^[strings.txt:1080–1095]. These are standard Go compiler artefacts when the developer does not supply meaningful names; the randomness is compile-time, not a post-processing obfuscation pass.

Certificate

The embedded certificate is a Sectigo Domain Validation certificate:

• Subject: CN=sedo.com
• Issuer: CN=Sectigo Public Server Authentication CA DV R36
• Serial: 0xf8257ea30dd2749fbbe780c1cd3f3ef
• Valid: 2026-04-07 00:00:00 → 2026-10-22 23:59:59 ^[pefile.txt:252] ^[raw bytes at 0x21F800]

sedo.com is a domain-parking / auction service. The certificate is likely purchased with stolen credentials or through a reseller. It is not self-signed, which may reduce alert rates on naive EDR / proxy rules that only flag invalid signatures.

Anti-Analysis

No anti-debug, anti-VM, or time-bomb artefacts were observed in static strings, imports, or decompiled code. The obfuscation is limited to:

1. Go symbol-name randomization (hinders family clustering by string overlap).
2. -trimpath=true stripping of source paths.
3. Absence of hardcoded C2 strings in the binary (runtime-decoded, as observed in siblings like 624f52cc31cd).

Decompiled Behavior

Radare2 identified 2 112 functions with aang Go recovery. The main.main wrapper prologue simply checks stack bounds and falls through to runtime.morestack_noctxt.abi0() when exhausted, after which execution enters the actual user main logic. Decompilation of individual randomized functions returns standard Go runtime arithmetic, slice bounds checks, and floating-point operations — consistent with a stealer that performs string transformations (e.g., PRNG-seeded XOR or addition loops) to decode C2 URLs at runtime ^[r2:sym.main.Kapsgqpzvn] ^[r2:sym.main.nkkolpfmoyj].

Ghidra auto-analysis was queued but had not completed at analysis time; radare2 provided sufficient surface coverage.

C2 Infrastructure

None found in static strings. No IP addresses, domain names, URLs, mutexes, or named pipes appear in the 8 657-line strings dump ^[strings.txt]. This matches the pattern seen in the 624f52cc31cd acrstealer sibling, which also lacked static C2 and presumably employs a runtime DGA or PRNG-seeded decoder. The linked net/http and crypto/tls runtime packages are present (required for HTTPS beaconing), but their destination strings are decoded on first execution.

Interesting Tidbits

• First x64 sibling: Every prior Go infostealer in the corpus was compiled GOARCH=386 (32-bit). This binary is amd64, suggesting the operator is expanding guest-VM coverage or the builder now defaults to 64-bit. ^[pefile.txt:32] ^[exiftool.json]
• Sectigo DV, not self-signed: Unlike the previous cluster (fraudulent self-signed certs with CN like me.muz.li, www.sjabr.org), this sample carries a chain-trusted DV cert. The Sectigo intermediate is included in the embedded PKCS#7 blob, so Windows will validate it out-of-the-box on most endpoints. ^[raw bytes at 0x21F800]
• No capa/floss output: Both tools failed due to missing signature databases / bad CLI invocation, not due to the sample itself. This is a pipeline issue, not a sample characteristic. ^[capa.txt] ^[floss.txt]
• Timestamp wiped: PE header TimeDateStamp is 0x0 (1970-01-01), a common anti-forensics move in Go builds. ^[pefile.txt:34]

How To Mess With It (Homelab Replication)

You can reproduce the observable build fingerprint with a minimal Go program:

package main

import (
	"fmt"
	"math/rand"
	"time"
)

func main() {
	// Any trivial logic is enough to pull in the same runtime
	rand.Seed(time.Now().UnixNano())
	fmt.Println(rand.Int())
}

Build command (on a Linux host with Windows cross-compiler):

GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o repro.exe main.go

Then sign with any Authenticode certificate (self-signed or CA-issued):

osslsigncode sign -pkcs12 cert.p12 -pass pass123 -n "sedo.com" -i https://sedo.com -in repro.exe -out signed.exe

Verification step: run diec repro.exe and confirm Compiler: Go(1.26.2)[AMD64, 64-bit]. This sample is not packed, so no packer fingerprint is expected.

Deployable Signatures

YARA

rule neuralpulsecore5sbs_go1262_x64_signed {
    meta:
        description = "Go 1.26.2 x64 infostealer with randomized main.* symbols and Sectigo DV cert"
        author = "PacketPursuit"
        date = "2026-05-29"
        sha256 = "47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3"
    strings:
        $go_buildid = "go:buildid"
        $go_ver = "go1.26.2"
        $sectigo = "Sectigo Public Server Authentication CA DV R36"
        $modname = "modulename"
        $main_pat = /main\.[A-Za-z]{10,18}/
    condition:
        uint16(0) == 0x5A4D and
        $go_buildid and
        $go_ver and
        $sectigo and
        $modname and
        #main_pat >= 15 and
        filesize < 3MB
}

Sigma

title: NeuralpulseCore5SBS Go Infostealer Execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '.exe'
        - CommandLine|contains:
            - '?????.exe'   # original filename observed in triage
    # Behavioural: Go static binaries spawn a single child thread quickly
    # and perform no console I/O
    condition: selection
falsepositives:
    - Legitimate Go compiled applications
level: medium

IOC List

Behavioural Fingerprint

This binary is a Go 1.26.2 statically-linked PE32+ executable with no .rsrc icon section, signed with a Sectigo DV certificate. It imports only kernel32.dll (Go runtime dynamically loads ws2_32.dll and advapi32.dll at runtime). On execution it creates multiple goroutines, allocates memory via VirtualAlloc, and within 30 seconds attempts outbound HTTPS connections to decoded C2 endpoints. No console window is spawned (Windows GUI subsystem). The absence of hardcoded network strings in the binary is a key distinguishing trait.

Detection Signatures

References

• golang-stealer-build-pattern — shared build fingerprint
• acrstealer — sibling cluster with identical toolchain (x86 builds)
• lummastealer — sibling cluster; also strips .rsrc
• orderreshop — sibling cluster with custom PE parser + multi-pass decoder
• OpenCTI artifact: 55abd376-9338-422b-ab86-2e5d868de1ef
• MalwareBazaar family label: neuralpulsecore5-sbs

Provenance

Analysis performed 2026-05-29 on pp-hermes (Lab1BU). Static tools: file (v5.45), pefile (v2024.8.26), diec (v3.10), radare2 (v5.9.2, aaa + aang), strings (v2.44), Python cryptography (v42.0.8) for X509 parsing. No dynamic execution (CAPE skipped — no Windows guest). Capa and floss failed due to missing signature DB / CLI invocation error, respectively.