589af0f87f4087f34750995ce679024df4e04acd0d096fe49e7f1223cb5905ae
unclassified-go-pe64: 589af0f8 — Signed Go GUI binary with MD5 hash function, DV cert on maybe.us
Executive Summary
A 2.4 MB PE32+ (x64) compiled in Go with a Windows GUI subsystem, signed with a GoDaddy DV TLS certificate issued to maybe.us. The binary is statically linked, contains AES and SHA-256 constants, and exposes randomized main.* function names consistent with the golang-stealer-build-pattern. No C2 infrastructure, browser credential targets, or wallet strings were recovered. One main.* function (main.jrcmvk) calls crypto/md5.Sum on a 256-byte buffer. Capa execution failed; no dynamic analysis is available. Classification: low-confidence unclassified Go PE64 placeholder.
What It Is
- Filename: update.exe
- Size: 2,439,352 bytes
- Type: PE32+ executable (GUI) x86-64, 8 sections ^[file.txt]
- Linker: Go (PE optional header MajorLinkerVersion 3.0) ^[exiftool.json] ^[rabin2-info.txt]
- Subsystem: Windows GUI ^[pefile.txt]
- Compilation time: Unix epoch (Thu Jan 1 00:00:00 1970) — stripped/reproducible build ^[pefile.txt]
- Entropy: .text 6.30, .rdata 6.76, .data 4.36, .pdata 5.18
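The header facts listed above (x64 machine type, GUI subsystem, linker 3.0, epoch timestamp, Authenticode directory pointing at the overlay, per-section entropy) can all be pulled from the PE headers with the Go standard library. The program below is an added example for that triage step, not code from the page or the sample; it uses `debug/pe` and defines the PE-spec constant values locally (subsystem 2, security directory index 4, machine 0x8664) rather than relying on the named constants in `debug/pe`.

```go
package main

import (
	"debug/pe"
	"fmt"
	"math"
	"os"
)

// PE-spec values, defined locally so the code does not depend on which
// named constants a given Go release exports from debug/pe.
const (
	subsystemWindowsGUI = 2      // IMAGE_SUBSYSTEM_WINDOWS_GUI
	dirEntrySecurity    = 4      // IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
	machineAMD64        = 0x8664 // IMAGE_FILE_MACHINE_AMD64
)

// Findings is the static triage result for one PE32+ image.
type Findings struct {
	X64           bool
	GUI           bool
	LinkerVersion string
	EpochStamp    bool   // TimeDateStamp == 0, as on trimmed/reproducible Go builds
	Signed        bool   // security data directory present
	SigOffset     uint32 // file offset of the Authenticode overlay
	SigSize       uint32
}

// ShannonEntropy returns bits per byte over data, in the range 0.0 .. 8.0.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// TriageHeaders derives the "What It Is" facts from the COFF and optional
// headers. For the security directory the VirtualAddress field is a raw file
// offset rather than an RVA, which is why it doubles as the overlay offset.
func TriageHeaders(fh pe.FileHeader, oh *pe.OptionalHeader64) Findings {
	f := Findings{
		X64:           fh.Machine == machineAMD64,
		EpochStamp:    fh.TimeDateStamp == 0,
		GUI:           oh.Subsystem == subsystemWindowsGUI,
		LinkerVersion: fmt.Sprintf("%d.%d", oh.MajorLinkerVersion, oh.MinorLinkerVersion),
	}
	sec := oh.DataDirectory[dirEntrySecurity]
	if sec.Size > 0 {
		f.Signed = true
		f.SigOffset = sec.VirtualAddress
		f.SigSize = sec.Size
	}
	return f
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: petriage <file.exe>")
		os.Exit(2)
	}
	pf, err := pe.Open(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer pf.Close()
	oh, ok := pf.OptionalHeader.(*pe.OptionalHeader64)
	if !ok {
		fmt.Fprintln(os.Stderr, "not a PE32+ image")
		os.Exit(1)
	}
	fmt.Printf("%+v\n", TriageHeaders(pf.FileHeader, oh))
	// Section entropy: values near 8 suggest packed or encrypted content,
	// the 4-7 range seen here is typical of unpacked Go code and data.
	for _, s := range pf.Sections {
		data, err := s.Data()
		if err != nil {
			continue
		}
		fmt.Printf("%-8s entropy %.2f\n", s.Name, ShannonEntropy(data))
	}
}
```

Run as `go run petriage.go update.exe`. The entropy figures it prints should line up with the .text/.rdata/.data/.pdata values above; a section near 8.0 would contradict the "no packer" finding and is worth a second look.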
Build / RE
Compiler & Toolchain
Go compiler, version unknown (linker reports 3.0). The binary is statically linked with no CGO (no C runtime strings beyond standard library). No absolute module paths are present in the string table, consistent with a go build -trimpath invocation. ^[strings.txt]
Signing
Authenticode signature present at offset 0x253008 (overlay). A DER-encoded X.509 certificate is embedded for CN = maybe.us, issued by Go Daddy Secure Certificate Authority - G2, valid Jun 4 2025 → Jun 4 2026, 4096-bit RSA, SHA-256. Serial: 86:ee:39:e0:b3:fd:88:5f. ^[binwalk.txt]
The domain maybe.us currently resolves to AWS Route 53 parking IPs (15.197.204.56, 3.33.243.145) ^[terminal: dig output]. The combination of a throwaway/parked domain and a one-year DV certificate is a red flag often seen on crimeware that buys cheap certs for code-signing credibility.
Packing / Obfuscation
No packer detected. UPX absent; section names standard (.text, .rdata, .data, .pdata, .xdata, .idata, .reloc, .symtab). No anti-debug or VM detection strings observed.
Notable Functions
The main package contains 23 randomized function names, a hallmark of the golang-stealer-build-pattern: ^[strings.txt:8068-8089]
main.init, main.main, main.jrcmvk, main.dlrbftglnkbllox, main.kgegunlud,
main.lmahgngnmcjwrwl, main.qucikxypmnv, main.uvtpoxpb, main.vjdzrl,
main.ovicntxpa, main.gdlxvysrqiaxsdv, main.cnkwikvvnquqp,
main.darjmlylvwesnw, main.bzkpxavzbqzxp, main.jcaxvbwlv,
main.tborvlzulyeaukb, main.cilvtnicyaa, main.hzjrzrvpayqvu,
main.bidkoxwwc, main.hutlztp, main.Begadsf, main.jfuykad
Decompilation of main.jrcmvk (0x14008c700) shows a 256-byte slice allocation, a byte-assignment loop, and a call to crypto/md5.Sum. ^[r2:sym.main.jrcmvk]
Decompilation of main.main (0x14008c6c0) is a thin runtime.morestack_noctxt wrapper. ^[r2:sym.main.main]
Embedded Resources
Binwalk identifies AES S-Box and AES Inverse S-Box at 0x2240C0 / 0x2241C0, and SHA-256 hash constants at three locations (0x1A1C20, 0x1A1C30, 0x223FC0). ^[binwalk.txt] These are standard Go crypto/aes and crypto/sha256 lookup tables; they do not indicate custom encryption logic.
Deploy / ATT&CK
No dynamic analysis is available (CAPE skipped — no Windows guest). Static inference only.
TTPs
- T1587.002 — Obtain Digital Certificates: The binary is signed with a valid GoDaddy DV certificate for maybe.us. Low-confidence inference: purchased or fraudulently obtained cert to bypass SmartScreen / EDR reputation checks.
- T1027.002 — Obfuscated Files or Information: Go -trimpath and randomized main.* function names strip developer identity and hinder analyst navigation. ^[strings.txt]
- T1059.003 — Windows Command Shell / Go execution: The binary drops to disk as update.exe and runs as a native PE. No visible command-line staging.
C2 Infrastructure
None recovered. No hardcoded IPs, domains, URLs, mutexes, or named pipes. If the binary exfiltrates or connects outbound, the target is either constructed at runtime (e.g., from a remote fetch, registry, or environment variable) or the strings are encoded in a way not recovered by standard extraction.
Decompiled Behavior
Entry-point analysis via radare2 (aaa) recovered 2,143 functions. The main.main call graph is shallow: it allocates stack space, checks for stack growth, and returns. The bulk of application behavior is hidden behind randomized function names.
main.jrcmvk is the only main-package function with a clearly identifiable cryptographic operation: it fills a 256-byte slice and hashes it with MD5. This could be:
- A loader/decoder producing a key or checksum for an embedded payload.
- A fingerprinting routine generating a system identifier.
- Part of a larger string-decoding routine where the dictionary is built at runtime.
No further xref into main.jrcmvk was recovered by radare2; the calling relationship may be obscured by Go's runtime scheduler.
C2 Infrastructure
| Type | Value | Provenance |
|---|---|---|
| Certificate CN | maybe.us | ^[binwalk.txt] |
| Certificate issuer | Go Daddy Secure Certificate Authority - G2 | ^[binwalk.txt] |
| Certificate serial | 86:ee:39:e0:b3:fd:88:5f | ^[binwalk.txt] |
| Domain A record | 15.197.204.56, 3.33.243.145 | ^[terminal:dig] |
No other network indicators.
Interesting Tidbits
- Domain maybe.us is a throwaway/parked domain on Route 53. GoDaddy G2 DV certs are cheap (~$50/year). The opsec model is "buy credibility for signing, then park the domain."
- The absence of any browser-credential paths (no Login Data, Cookies, Web Data, wallet regexes, or Discord/Telegram API URLs) distinguishes this sample from the ACR/Lumma/OrderRe Go infostealer cluster, despite sharing the randomized-function-name build artefact. It may be a different tool or an earlier/later build variant with a stripped payload.
- AES+SHA256 constants in .rdata are indistinguishable from benign Go software; they only matter when paired with a calling function that uses them for non-standard crypto (e.g., custom C2 protocol). No such caller was identified.
How To Mess With It (Homelab Replication)
- Reproduce a comparable binary: GOOS=windows GOARCH=amd64 go build -trimpath -ldflags="-H windowsgui" -o repro.exe main.go
- Add randomized function names by compiling with a randomized package main source file (or just renaming functions before build).
- Sign repro.exe with a self-signed or trial DV cert using signtool.exe to observe SmartScreen behavior.
- No capa comparison possible — signatures are missing on this host.
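A main.go for the build step above, added here as example code rather than anything recovered from the sample: it reproduces only the shape seen in main.jrcmvk (256-byte allocation, byte-assignment loop, crypto/md5.Sum) so the repro's decompilation can be compared with the sample's. The fill pattern buf[i] = i is an assumption, since the real loop body was not recovered.

```go
// repro/main.go: benign stand-in for the sample's main.jrcmvk.
//
// Build for the same target and subsystem as the sample:
//   GOOS=windows GOARCH=amd64 go build -trimpath -ldflags="-H windowsgui" -o repro.exe main.go
// -H windowsgui selects the GUI subsystem; -trimpath removes module paths from
// the binary, matching the absence of absolute paths in strings.txt.
package main

import (
	"crypto/md5"
	"encoding/hex"
)

// Fingerprint mirrors the recovered shape of main.jrcmvk: allocate an n-byte
// slice, fill it in a loop, hash it with crypto/md5.Sum. The hex digest is
// returned so the routine can be checked from a test.
func Fingerprint(n int) string {
	buf := make([]byte, n)
	for i := range buf {
		buf[i] = byte(i) // assumed fill pattern, not the sample's
	}
	sum := md5.Sum(buf)
	return hex.EncodeToString(sum[:])
}

func main() {
	// A GUI-subsystem binary has no console, so the digest is only computed
	// here; inspect the call in r2 (pdc) the same way as the sample.
	_ = Fingerprint(256)
}
```

Note that this build alone will not trip the YARA rule further down: it has neither the ten-plus randomized main.* names nor the GoDaddy issuer string, so those have to be added (renamed functions, a signature) before the rule is a meaningful test of the repro.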
Deployable Signatures
YARA
rule unclassified_go_pe64_589af0f8 {
    meta:
        description = "Go PE64 with randomized main.* names + GoDaddy DV cert, low-confidence"
        sha256 = "589af0f87f4087f34750995ce679024df4e04acd0d096fe49e7f1223cb5905ae"
    strings:
        // Go linker build-ID marker
        $go_build = "Go build ID:" ascii
        // randomized main-package symbol names; main.init, main.main and the
        // six-letter names (main.jrcmvk, main.vjdzrl) fall outside the {7,20} range
        $main_rnd1 = /main\.[a-z]{7,20}/ ascii
        // issuer string from the embedded Authenticode certificate
        $godaddy = "Go Daddy Secure Certificate Authority - G2" ascii
    condition:
        uint16(0) == 0x5a4d and                 // MZ header
        filesize > 2MB and filesize < 3MB and
        #main_rnd1 > 10 and                     // occurrence count, not distinct names
        $go_build and
        $godaddy
}
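The same heuristic, applied to a strings(1) dump rather than the raw file, is easier to iterate on when tuning the name-count threshold. The Go program below is an added example (not part of the page's tooling) run over a constructed excerpt that stands in for strings.txt: the main.* names listed under Notable Functions, one of them repeated, a benign look-alike ("domain.lookups"), the build-ID marker with a placeholder value, and the issuer string. It counts both raw occurrences, as YARA's #main_rnd1 does, and distinct names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleStrings is a constructed excerpt standing in for strings.txt. The
// build-ID value is a placeholder; the symbol names are the ones the report
// lists, with main.dlrbftglnkbllox repeated to show occurrence vs distinct
// counting and "domain.lookups" added as a false-positive probe.
const SampleStrings = `runtime.morestack_noctxt
Go build ID: "constructed-placeholder"
main.init
main.main
main.jrcmvk
main.dlrbftglnkbllox
main.kgegunlud
main.lmahgngnmcjwrwl
main.qucikxypmnv
main.uvtpoxpb
main.vjdzrl
main.ovicntxpa
main.gdlxvysrqiaxsdv
main.cnkwikvvnquqp
main.darjmlylvwesnw
main.bzkpxavzbqzxp
main.jcaxvbwlv
main.tborvlzulyeaukb
main.cilvtnicyaa
main.hzjrzrvpayqvu
main.bidkoxwwc
main.hutlztp
main.Begadsf
main.jfuykad
main.dlrbftglnkbllox
domain.lookups
crypto/md5.Sum
Go Daddy Secure Certificate Authority - G2
`

// randomizedMain mirrors $main_rnd1 from the YARA rule but adds word
// boundaries, so "domain.lookups" is not counted as a main-package symbol.
var randomizedMain = regexp.MustCompile(`\bmain\.[a-z]{7,20}\b`)

const (
	goBuildMarker = "Go build ID:"
	goDaddyIssuer = "Go Daddy Secure Certificate Authority - G2"
)

// Verdict carries the per-dump counts and the rule-style decision.
type Verdict struct {
	Occurrences int  // every regex hit, what YARA's #main_rnd1 counts
	Distinct    int  // unique names, a stricter threshold basis
	GoBuildID   bool // $go_build
	GoDaddyG2   bool // $godaddy
	Match       bool // all three conditions, using the distinct count
}

// Assess applies the rule's logic to a newline-separated strings dump.
func Assess(dump string) Verdict {
	var v Verdict
	seen := make(map[string]bool)
	for _, line := range strings.Split(dump, "\n") {
		if strings.Contains(line, goBuildMarker) {
			v.GoBuildID = true
		}
		if strings.Contains(line, goDaddyIssuer) {
			v.GoDaddyG2 = true
		}
		for _, name := range randomizedMain.FindAllString(line, -1) {
			v.Occurrences++
			if !seen[name] {
				seen[name] = true
				v.Distinct++
			}
		}
	}
	v.Match = v.GoBuildID && v.GoDaddyG2 && v.Distinct > 10
	return v
}

func main() {
	fmt.Printf("%+v\n", Assess(SampleStrings))
}
```

Two things this surfaces about the rule: the unanchored YARA regex also matches substrings such as "domain.lookups" (YARA accepts \b in regexes, so the same fix applies there), and #main_rnd1 counts repeats, so a symbol present in more than one table inflates the count relative to the number of real functions.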
IOCs
| Indicator | Type |
|---|---|
| maybe.us | domain |
| 15.197.204.56 | IP |
| 3.33.243.145 | IP |
| 86:ee:39:e0:b3:fd:88:5f | cert serial |
| update.exe | filename |
Behavioral Fingerprint
This binary is a Go x64 PE with a GUI subsystem, valid Authenticode signature from a throwaway DV domain, randomized main.* function names, standard Go crypto libraries (AES, SHA-256, MD5), and no obvious C2, credential-target, or wallet strings in static analysis. It may be a downloader, clipper, or signed stub whose payload is constructed at runtime.
Detection Signatures
No capa output available (execution failed due to missing signatures). No dynamic analysis available. ATT&CK mapping based solely on static artefacts:
- T1587.002 (digital certificate)
- T1027.002 (software packing/obfuscation — Go trimpath + randomized names)
- T1059.003 (native code execution)
References
- SHA-256: 589af0f87f4087f34750995ce679024df4e04acd0d096fe49e7f1223cb5905ae
- Artifact ID: 71f0718e-3786-417c-8f32-336f9e39a59c
- MalwareBazaar source via mb-fetch.py
- Related entity: unclassified-go-pe64
- Related concept: golang-stealer-build-pattern
Provenance
- file.txt — file(1) output
- pefile.txt — pefile parser (section headers, imports, directories)
- rabin2-info.txt — radare2 rabin2 -I summary
- binwalk.txt — binwalk signature scan
- strings.txt — strings(1) extraction
- exiftool.json — ExifTool PE metadata
- dynamic-analysis.md — CAPE status (skipped)
- capa.txt — capa error output
- radare2 decompilation — r2 -A, then s sym.main.jrcmvk and pdc
- Certificate parsed via openssl x509 -inform DER on overlay at offset 2437277
- DNS lookup via dig +short maybe.us