type: analysis | family: acrstealer | confidence: high | tags: infostealer, malware-family, golang, signing, pe32
SHA-256: 624f52cc31cd7ae5a311c9800b619386c9fd1a45af11b4e852391699ce36d3d8

acrstealer: 624f52cc — Seventh signed sibling, module yCJjClxMaPcdOeL, static C2 absent

Executive Summary

Signed Go 1.26.2 PE32 executable, seventh confirmed sibling in the acrstealer cluster. Shares the me.muz.li / R13 Authenticode certificate chain and Go build ID pattern with six prior siblings, but introduces a new randomized module path (yCJjClxMaPcdOeL) and notably contains no hardcoded C2 IP or domain in static strings — unlike siblings 6871848b, c577c6c8, 16a4344d, d5655568, 1bfebf79, f93d8d79. CAPE detonation was unavailable (no Windows guest); behavior must be inferred from static structure and family knowledge.

What It Is

  • Format: PE32 executable (GUI) Intel 80386, 7 sections, 2.56 MB ^[file.txt]
  • Linker: Go 1.26.2, GOARCH=386, GOOS=windows, CGO_ENABLED=0, -trimpath=true ^[strings.txt:1673] ^[strings.txt:1675]
  • Go build ID: YK-5mEjbS1w6cBJ47f5b/UCbaZ8h_8dz47nNQVBGX/tWecTUh9g0uq1LrKjv61/iGLFkKwyThCAEr7kuY2l ^[strings.txt:8]
  • Module path: yCJjClxMaPcdOeL (randomized) ^[strings.txt:1675] ^[strings.txt:6329]
  • Signing: Authenticode PKCS#7 blob at raw offset 0x28FE08, 2176 bytes ^[pefile.txt] ^[binwalk.txt]. Extracted signer cert: CN=me.muz.li, issuer=R13, valid 2026-05-07 to 2026-08-05 ^[cert.txt]. Issuer and subject differ, so this is not a self-signed certificate; the 90-day window and the issuer name R13 (also the name of one of Let's Encrypt's RSA intermediates) point to a TLS server certificate reused for signing, which carries no Code Signing EKU and will not validate as Authenticode. Treat the signature as a masquerade artifact, not a trust signal, and confirm with signtool verify /pa /v or osslsigncode verify
  • Sections: Standard Go PE layout — .text (entropy 6.19), .rdata (7.30), .data, .idata, .reloc, .symtab (symbols present, not stripped), .rsrc (icons present, masquerade intact) ^[pefile.txt]
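The signer details above are worth checking mechanically rather than taking "signed" at face value. The following is an added example (not part of the original analysis or the sample) that evaluates a signer certificate the way a triage script should: subject/issuer CN, whether it is genuinely self-signed (signature verifies under its own key, not just issuer == subject), validity length, and whether the Code Signing EKU is present. The two certificates it builds are constructed stand-ins (a leaf for me.muz.li issued by a CA named R13 with TLS-server EKU and 90-day validity, and a self-signed code-signing cert); they are not the certificate from cert.txt. In real use, feed it the DER extracted with osslsigncode extract-signature or openssl pkcs7 -print_certs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignerReport is what a triage script should record for an Authenticode
// signer certificate: the two name fields the IOC table keys on, whether the
// certificate is actually self-signed, how long it is valid for, and whether
// it carries the Code Signing EKU that Authenticode validation requires.
type SignerReport struct {
	SubjectCN, IssuerCN string
	SelfSigned          bool
	ValidDays           int
	CodeSigningEKU      bool
}

// Assess inspects a parsed signer certificate (the leaf from the PKCS#7 blob).
func Assess(c *x509.Certificate) SignerReport {
	r := SignerReport{
		SubjectCN: c.Subject.CommonName,
		IssuerCN:  c.Issuer.CommonName,
		ValidDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24),
	}
	// Self-signed means the signature verifies under the certificate's own
	// key. CheckSignature (not CheckSignatureFrom) is used on purpose: the
	// latter also enforces CA constraints and would reject a rogue leaf.
	r.SelfSigned = c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			r.CodeSigningEKU = true
		}
	}
	return r
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mkCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// ConstructedLeaf is a stand-in for the sample's signer: issued by a CA
// named R13, 90-day validity, TLS server EKU only. Constructed for this
// example; it is not the real certificate from cert.txt.
func ConstructedLeaf() *x509.Certificate {
	notBefore := time.Date(2026, 5, 7, 0, 0, 0, 0, time.UTC)
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "R13"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(5, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "me.muz.li"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mkCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
}

// ConstructedSelfSignedCodeSigner is the case the original IOC note assumed:
// a rogue self-signed certificate that does carry the Code Signing EKU.
func ConstructedSelfSignedCodeSigner() *x509.Certificate {
	k := mustKey()
	now := time.Date(2026, 5, 7, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Rogue Signer"},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return mkCert(tmpl, tmpl, &k.PublicKey, k)
}

func main() {
	// A report with CodeSigningEKU == false means Authenticode would reject
	// the signature regardless of who issued the certificate.
	fmt.Printf("me.muz.li stand-in: %+v\n", Assess(ConstructedLeaf()))
	fmt.Printf("self-signed code signer: %+v\n", Assess(ConstructedSelfSignedCodeSigner()))
}
```

The distinction matters for the IOC table: "self-signed" and "issued by a CA but not for code signing" are different hunting pivots (the first keys on the subject key, the second on the issuing CA and the certificate transparency record for the domain).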

How It Works

Build / RE

The binary follows the documented golang-stealer-build-pattern with no toolchain deviation from prior siblings:

  • Randomized main package function names (ssahuuggyuorgtw, ecppzih, kixdozthdxgft, rfjkbjeootysv, spsylhv, mectji, Lsqccdjshwxkrqt, sgpcqftnptrtiyx, avblzdavuo, hplrkrbyb, acxqzbqyfhjjpqi, fawqezqxezytt, thzilsldj, linwylufv, ahdfwhrrcrca, bmzxsogevuc, hcinhqctaysk, crpvgsvjpkwvm, qzezlypwabov, hmzyvqq, wcxulejijzlp, mtcobugeag, ifauedgo, rntbmkdslv) ^[r2:sym.main.ssahuuggyuorgtw] ^[r2:sym.main.rntbmkdslv]
  • .rsrc section contains multiple icons up to 256×256 PNG (rich icon set for social-engineering masquerade as "Pro Setup") ^[pefile.txt] ^[binwalk.txt]
  • .symtab section present (not stripped) — contains full Go runtime symbols and type information ^[pefile.txt]
  • No external packer; no anti-debug or anti-VM strings in static output. Standard-library math/rand, crypto/tls and net/http are linked (their symbols are present in .symtab).
  • Certificate chain identical to siblings 6871848b, c577c6c8, 16a4344d, d5655568, 1bfebf79, f93d8d79 ^[cert.txt]

Deploy / ATT&CK

Static-only inference — CAPE unavailable (no Windows guest) ^[dynamic-analysis.md].

From decompiled main.main at 0x49a540 ^[r2:sym.main.main]:

  1. Seeding: Reads the current wall-clock time and converts it to Unix nanoseconds. The "mixing" constants are Go's own rather than a custom hash: 0xd:0xd7b17f80 is the 64-bit time.wallToInternal offset (59453308800, split into two 32-bit immediates on GOARCH=386) and 0x3b9aca00 is 10^9 nanoseconds per second, i.e. time.Now().UnixNano() inlined. The result seeds a math/rand source ^[r2:sym.main.main]
  2. Intn calls: Draws two bounded integers, Intn(0x1868f) (bound 99,983) and Intn(0x320) (bound 800). Their consumer is not recovered from the pseudo-C; C2 domain generation or payload-path randomization are the working hypotheses, not static confirmations ^[r2:sym.main.main]
  3. hcinhqctaysk: Applies math.Sin and a floating-point transform to the RNG output, consistent with the PRNG-based string/key decoding seen in prior siblings ^[r2:sym.main.hcinhqctaysk]
  4. rntbmkdslv: Orchestrator that calls rfjkbjeootysv, sgpcqftnptrtiyx and ssahuuggyuorgtw in turn. ssahuuggyuorgtw resolves Windows APIs through syscall.(*LazyProc).Call (Go's lazy DLL/proc loader, rendered as syscall._LazyProc_.Call in r2), taking the API names from a single concatenated string ^[r2:sym.main.rntbmkdslv] ^[r2:sym.main.ssahuuggyuorgtw]

Notable absence: no static C2 strings (IP or domain) in the binary. This departs from siblings 6871848b and 1bfebf79, which embedded 5.252.155.72, laserlogdnsop.icu and hertzfigblob.icu. C2 is likely decoded at runtime (possibly from the PRNG output) or fetched from an external source such as a short-lived domain or an IP list updated post-deployment. Either way it is an opsec improvement over the siblings. One analytic consequence: a math/rand stream seeded from the launch timestamp is fully determined by that timestamp, so once the derivation is recovered the values can be replayed from the process start time recorded by EDR.
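The seeding and Intn steps above can be replayed offline. This added example (written for this page, not code from the sample or from the analysis toolchain) does two things: it shows that the immediates in main.main recombine into Go's time.wallToInternal and nanoseconds-per-second, and it reproduces the two Intn draws for a given launch timestamp and sweeps a window of candidate timestamps around an EDR-reported process start. It assumes the seed is exactly time.Now().UnixNano() fed to math/rand (the Go 1 source, whose output is frozen across Go versions) and that the Intn calls occur in the order listed; the later math.Sin transform in hcinhqctaysk is not reconstructed here because the page does not recover it. The launch time in main is constructed for the demo.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Go's time package stores wall-clock seconds relative to the year 1885 and
// subtracts wallToInternal to get Unix seconds. On GOARCH=386 the 64-bit
// constant is emitted as two 32-bit immediates, which is what main.main
// shows: high word 0xd, low word 0xd7b17f80. 0x3b9aca00 is ns per second.
const (
	secondsPerDay  = 86400
	wallToInternal = (1884*365 + 1884/4 - 1884/100 + 1884/400) * secondsPerDay
	nsPerSecond    = 0x3b9aca00
	boundA         = 0x1868f // 99983, first Intn bound in main.main
	boundB         = 0x320   // 800, second Intn bound
)

// SeedConstantsMatch confirms the two immediates recombine to wallToInternal
// and that the multiplier is 1e9, i.e. the "mixing" is UnixNano() conversion.
func SeedConstantsMatch() bool {
	const hi, lo int64 = 0xd, 0xd7b17f80
	return hi<<32|lo == wallToInternal && nsPerSecond == int64(time.Second)
}

// Derive replays the sample's generator for one launch timestamp (Unix
// nanoseconds) and returns the two Intn values handed to hcinhqctaysk.
// Assumption: seed == time.Now().UnixNano(), draws in the listed order.
func Derive(launchUnixNano int64) (int, int) {
	rng := rand.New(rand.NewSource(launchUnixNano))
	a := rng.Intn(boundA)
	b := rng.Intn(boundB)
	return a, b
}

// Candidate is one replayed seed with its two derived values.
type Candidate struct {
	Seed int64
	A, B int
}

// SweepWindow enumerates every seed from start to end (inclusive) at the
// given step. An EDR process-start time is typically accurate to a second
// or better, so a 1 ms step over +/-1 s is about 2000 candidates.
func SweepWindow(start, end time.Time, step time.Duration) []Candidate {
	var out []Candidate
	for t := start; !t.After(end); t = t.Add(step) {
		a, b := Derive(t.UnixNano())
		out = append(out, Candidate{Seed: t.UnixNano(), A: a, B: b})
	}
	return out
}

func main() {
	fmt.Println("immediates match time.wallToInternal / 1e9:", SeedConstantsMatch())
	// Constructed launch time for the demo; in practice take it from the
	// EDR or Sysmon EID 1 process-start record.
	launch := time.Date(2026, 5, 29, 12, 0, 0, 0, time.UTC)
	a, b := Derive(launch.UnixNano())
	fmt.Printf("launch %s -> Intn(0x1868f)=%d Intn(0x320)=%d\n", launch, a, b)
	window := SweepWindow(launch, launch.Add(10*time.Millisecond), time.Millisecond)
	fmt.Printf("%d candidate seeds in a 10 ms window at 1 ms step\n", len(window))
}
```

If a later sibling is detonated and the decoded C2 is captured, the sweep turns into a check: the timestamp whose derived values reproduce the observed C2 confirms (or refutes) that the derivation is PRNG-driven rather than fetched.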

Mapped TTPs (inferred from static + family knowledge):

  • T1036 — Masquerading: Presents as a legitimate "Pro Setup" installer via rich icon resources ^[pefile.txt]
  • T1553.002 — Subvert Trust Controls: Code Signing: Carries an Authenticode signature made with a non-code-signing certificate (CN=me.muz.li, issuer=R13) ^[cert.txt]
  • T1071.001 — Application Layer Protocol: Web Protocols (TLS/HTTPS), inferred from crypto/tls + net/http linkage ^[strings.txt]
  • T1027 — Obfuscated Files or Information: PRNG-based string decoding (no hardcoded C2) ^[r2:sym.main.main]
  • T1555.003 — Credentials from Password Stores: Credentials from Web Browsers. Family-known browser credential theft; no static confirmation in this sample, but consistent with the cluster

Decompiled Behavior

Radare2 decompilation of main.main (0x49a540) reveals the entry flow:

  • Seed math/rand with time-derived 64-bit value
  • Call Intn twice to generate runtime parameters
  • Pass result through hcinhqctaysk (trigonometric transform)
  • Enter rntbmkdslv which chains three sub-functions

Decompilation quality is limited: Go binaries compiled with -trimpath and the goroutine runtime produce fragmented pseudo-C with many orphan jumps. The main package functions beyond main.main have randomized names and no recovered type information in r2. No Ghidra deep-dive was available for this session. At the string level, the r2 output confirms lazy API loading via syscall.(*LazyProc).Call (shown as syscall._LazyProc_.Call in r2 symbol names) with a concatenated name string.

C2 Infrastructure

Static: None observed. No IP addresses, domains, URLs, mutexes, or named pipes in strings output.

Inferred: C2 is runtime-resolved. Given family history, likely TLS over port 443. No further detail from static.

Interesting Tidbits

  • main.go filename preserved in .gopclntab: yCJjClxMaPcdOeL/main.go — confirms randomized module path convention ^[strings.txt:6292]
  • ssdeep hash: 49152:NJ/viHNnC7x7l8DKE8RuRqu2LVHGiIpRVNZB99:NJ/viHw7x7lXdRyiER/R9 — near-identical to siblings (block size 49152) ^[ssdeep.txt]
  • tlsh: 88C58D01FD9784B2E402133299AAA2FF2335AC054F759B97EA587A7EF9776D11C32301 ^[tlsh.txt]
  • This sample is the first in the cluster to strip static C2 strings entirely — an opsec evolution. Future hunting should focus on the build ID prefix and certificate chain rather than domain indicators.

How To Mess With It (Homelab Replication)

Toolchain: Go 1.26.2, GOOS=windows GOARCH=386 CGO_ENABLED=0 go build -trimpath; add -ldflags="-s -w" to strip the symbol table (this sample did NOT strip, but you can). Run go mod init with a random 15-letter name first so the module path matches the cluster's convention.

Source skeleton:

package main

import (
    "math"
    "math/rand"
    "time"

    // Blank imports keep crypto/tls and net/http linked (and their symbols
    // visible in strings output) before any C2 logic is written; as plain
    // unused imports the original skeleton would not compile.
    _ "crypto/tls"
    _ "net/http"
)

func main() {
    // Same seeding seen in the sample: math/rand seeded from UnixNano.
    rng := rand.New(rand.NewSource(time.Now().UnixNano()))
    a := rng.Intn(0x1868f) // bound 99983, as in main.main
    b := rng.Intn(0x320)   // bound 800
    _ = math.Sin(float64(a + b)) // stand-in for the hcinhqctaysk transform
    // Your C2 logic here
}

Verification: Build, then run go version -m <binary> and check that the path and mod lines show the randomized module name and that the build settings (GOARCH=386, CGO_ENABLED=0, -trimpath=true) match the sample's ^[strings.txt:1673] ^[strings.txt:1675].

Deployable Signatures

YARA

import "pe"

rule ACRStealer_Go1262_Signed {
    meta:
        description = "ACR Stealer cluster - Go 1.26.2 signed PE32 with randomized module path"
        author = "PacketPursuit"
        date = "2026-05-29"
        hash = "624f52cc31cd7ae5a311c9800b619386c9fd1a45af11b4e852391699ce36d3d8"
    strings:
        $go_build_id = "Go build ID: \"YK-5mEjbS1w6cBJ47f5b/"
        $go_ver = "go1.26.2"
        $mod_path = /path\t[A-Za-z]{15}\nmod\t[A-Za-z]{15}\t\(devel\)/
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $go_ver and $mod_path and
        (
            $go_build_id or
            // pe.signatures needs a YARA build with OpenSSL support. A raw
            // "R13" atom is three bytes and matches everywhere, so the
            // signer is checked on the parsed certificate instead.
            for any sig in pe.signatures : (
                sig.subject contains "CN=me.muz.li" or sig.issuer contains "CN=R13"
            )
        )
}

Sigma (process creation)

title: ACR Stealer Signed Go Binary Execution
status: experimental
description: Detects execution of the known acrstealer signed Go binary by Sysmon hash or by its "Pro Setup.exe" masquerade name. Sysmon process_creation (EID 1) carries no signer field (Company/Product come from VERSIONINFO, not from the Authenticode certificate), so the me.muz.li / R13 signer must be hunted via Sysmon image_load (EID 7 Signature/SignatureStatus) or an offline signtool/osslsigncode sweep.
logsource:
    category: process_creation
    product: windows
detection:
    selection_hash:
        Hashes|contains: 'SHA256=624F52CC31CD7AE5A311C9800B619386C9FD1A45AF11B4E852391699CE36D3D8'
    selection_name:
        Image|endswith: '\Pro Setup.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate installers that happen to be named Pro Setup.exe (name-only match; confirm the signer before escalating)
level: high

IOCs

Type | Value | Note
--- | --- | ---
SHA-256 | 624f52cc31cd7ae5a311c9800b619386c9fd1a45af11b4e852391699ce36d3d8 | This sample
Section hash (.text) | 7eebfb2755dc0d0123518ef13cb621082a04500a00beece37445f8a177d1d8a5 | Per-section hash from pefile; 64 hex digits (SHA-256 length), so not a SHA-1 despite the label in the raw dump
ssdeep | 49152:NJ/viHNnC7x7l8DKE8RuRqu2LVHGiIpRVNZB99:NJ/viHw7x7lXdRyiER/R9 | Cluster fingerprint
TLSH | 88C58D01FD9784B2E402133299AAA2FF2335AC054F759B97EA587A7EF9776D11C32301 | 
Certificate CN | me.muz.li | Signer subject; not self-signed, not a code-signing certificate
Certificate Issuer | R13 | Consistent across cluster
Go build ID prefix | YK-5mEjbS1w6cBJ47f5b/ | Go 1.26.2 cluster marker
Module path pattern | ^[A-Za-z]{15}$ | Randomized 15-character string
File name | Pro Setup.exe | Social-engineering masquerade

Behavioral Fingerprint

This binary is a Go 1.26.2 compiled PE32 with a 15-character randomized module path, carrying an Authenticode signature whose certificate (CN=me.muz.li, issuer=R13) is a CA-issued, non-code-signing certificate that will not validate. On launch it seeds math/rand with the current system time (UnixNano), draws two pseudo-random integers, applies a trigonometric transform, and resolves Windows APIs via Go's lazy syscall loader. No hardcoded C2 strings are present; network destinations are likely decoded at runtime from the PRNG state. Rich icon resources in .rsrc support the installer masquerade.

References

  • Family page: acrstealer
  • Build pattern: golang-stealer-build-pattern
  • Sibling analyses: 6871848b, c577c6c8, 16a4344d, d5655568, 1bfebf79, f93d8d79
  • CAPE status: skipped — no Windows guest ^[dynamic-analysis.md]

Provenance

  • file.txt — file command output
  • pefile.txt — pefile library PE header dump
  • strings.txt — strings -n 6 (9883 lines)
  • rabin2-info.txt — radare2 rabin2 -I (Go, signed, PE32)
  • binwalk.txt — binwalk embedded artefact scan
  • cert.txt — OpenSSL PKCS#7 cert extraction (CN=me.muz.li, issuer=R13)
  • dynamic-analysis.md — CAPE sandbox status (skipped)
  • Radare2 decompilation: main.main @ 0x49a540, main.hcinhqctaysk @ 0x497d60, main.rntbmkdslv @ 0x4984d0, main.ssahuuggyuorgtw @ 0x496350