type: analysis | family: acrstealer | confidence: medium | created: 2026-05-26 | updated: 2026-05-26 | tags: infostealer, compiler, signing, golang, c2
SHA-256: 6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2

acrstealer: 6871848b — Signed Go 1.26.2 PE32, randomized module names, C2 5.252.155.72

What It Is

PE32 executable compiled with Go 1.26.2 for Windows (GOARCH=386, CGO_ENABLED=0, -trimpath=true) ^[strings.txt:1673-1683]. The module path is randomized as vcCgXjVCTGAvGkl (devel), a common anti-attribution pattern in Go malware ^[strings.txt:1675]. Signed with an Authenticode certificate embedded at PE security directory offset 0x27EA00 (size 0x880) ^[pefile.txt] ^[rabin2-info.txt]. The .rsrc section contains four icons including a 256×256 PNG, suggesting the binary masquerades as a legitimate application ^[pefile.txt] ^[binwalk.txt].

Family attribution to acrstealer comes from OpenCTI enrichment labels (acrstealer, laserlogdnsop-icu, 5-252-155-72) ^[triage.json]. No CAPE detonation was available at analysis time, so dynamic behavior is inferred from static artefacts and family metadata ^[dynamic-analysis.md].

How It Works

Static decompilation of main.main (Ghidra, 0x0049a570) shows the entry point seeds a math/rand PRNG with time.Now(), then calls two obfuscated main package functions: main.pnmmoiswvrsz and main.giuappbnd ^[ghidra:main.main-0049a570]. The PRNG seeding and randomized function names suggest string or control-flow obfuscation that resolves at runtime, a pattern seen in Go stealers that decode C2 URLs and target file paths on first execution.

Imports are limited to kernel32.dll because the Go runtime resolves additional APIs at load-time via LoadLibraryExW/GetProcAddress ^[pefile.txt]. Capabilities implied by standard-library linkage include crypto/tls (client), net/http, and crypto/x509 ^[strings.txt].

C2 Infrastructure

  • IP: 5.252.155.72
  • Domain: laserlogdnsop.icu

These are extracted from OpenCTI labels, not embedded plaintext in the binary ^[triage.json]. No hardcoded URL strings were visible in the extracted .text or .rdata sections, consistent with runtime-decoded C2 configuration.

Interesting Tidbits

  • Randomized Go module: The build metadata string path\tvcCgXjVCTGAvGkl is not a meaningful module name; it is likely generated per-build to poison dependency-graph tools and hamper attribution ^[strings.txt:1675].
  • Rich icon set: Four icons in .rsrc (sizes up to 256×256) give the binary a realistic application icon, a social-engineering staple for stealers delivered via phishing ^[pefile.txt] ^[binwalk.txt].
  • No UPX / no packer: .text entropy is 6.19, well below packed thresholds; the binary relies on Go’s native obfuscation (trimpath + randomized names) rather than an external packer ^[binwalk.txt].
  • Certificate present but unverified: The PKCS#7 blob at 0x27EA00 contains a certificate chain. Manual extraction failed to parse the full chain (cryptography library returned unexpected-tag errors), so issuer/subject are not confirmed.

Deployable Signatures

YARA

import "pe"

rule ACRStealer_Go126_Signed_PE32
{
    meta:
        description = "ACR Stealer — Go 1.26.2 signed PE32 with randomized module path"
        author = "PacketPursuit"
        date = "2026-05-26"
        hash = "6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2"
    strings:
        $go_build = "go1.26.2" ascii wide
        // Go modinfo "path\t<module>\n" line where the module is a bare alphanumeric token
        $mod_path = /path\t[A-Za-z0-9]{12,20}\r?\n/ ascii
        $trimpath = "-trimpath=true" ascii
        $cgo_off  = "CGO_ENABLED=0" ascii
    condition:
        uint16(0) == 0x5A4D and
        $go_build and
        $trimpath and
        $cgo_off and
        #mod_path >= 1 and
        pe.number_of_signatures > 0 and
        pe.number_of_resources >= 2
}

Behavioral Fingerprint

A signed PE32 executable compiled with Go 1.26 (GOARCH=386, CGO_ENABLED=0, -trimpath=true) whose module path is a random alphanumeric string of 15–20 characters. On execution, it resolves kernel32 APIs via LoadLibraryExW/GetProcAddress, seeds a PRNG with the current time, then invokes obfuscated main functions. Network IOCs include 5.252.155.72 and laserlogdnsop.icu.
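As an added example (not part of the original analysis or the triage pipeline), the following Python check extracts the tab-separated Go build metadata described above from a binary's embedded modinfo block and reports which fingerprint traits it confirms. The SAMPLE_RDATA blob is constructed to mirror this sample's reported build settings; the module-path heuristic is the same bare alphanumeric token pattern the YARA $mod_path string matches.

```python
import re

# Constructed sample: a Go modinfo block (the key\tvalue lines runtime/debug.BuildInfo
# serialises) surrounded by stand-in .rdata bytes. Values mirror this analysis.
SAMPLE_RDATA = (
    b"\x00\x00other rdata\x00"
    b"path\tvcCgXjVCTGAvGkl\n"
    b"mod\tvcCgXjVCTGAvGkl\t(devel)\t\n"
    b"build\t-buildmode=exe\n"
    b"build\t-trimpath=true\n"
    b"build\tCGO_ENABLED=0\n"
    b"build\tGOARCH=386\n"
    b"build\tGOOS=windows\n"
    b"\x00tail\x00"
)

# A module path that is one 12-20 char alphanumeric token (no '/' or '.') is
# treated as randomized, matching the page's YARA $mod_path heuristic.
RANDOM_MODULE = re.compile(r"^[A-Za-z0-9]{12,20}$")

def parse_go_buildinfo(data: bytes) -> dict:
    """Return {'path', 'mod', 'build': {k: v}} from the first 'path\\t' block, or {} if none."""
    start = data.find(b"path\t")  # naive locator; fine for triage, may need the modinfo magic for robustness
    if start < 0:
        return {}
    info = {"path": "", "mod": "", "build": {}}
    for raw in data[start:].split(b"\n"):
        parts = raw.decode("ascii", errors="replace").split("\t")
        key = parts[0]
        if key == "path" and len(parts) > 1:
            info["path"] = parts[1]
        elif key == "mod" and len(parts) > 1:
            info["mod"] = parts[1]
        elif key == "build" and len(parts) > 1:
            k, _, v = parts[1].partition("=")
            info["build"][k] = v
        elif key == "dep":
            continue  # dependency lines carry no trait we check here
        else:
            break  # first line that is not a modinfo record ends the block
    return info

def fingerprint_flags(data: bytes) -> list:
    """Behavioral-fingerprint traits the build metadata confirms, in a fixed order."""
    info = parse_go_buildinfo(data)
    if not info:
        return []
    b, flags = info["build"], []
    if RANDOM_MODULE.match(info["path"]):
        flags.append("randomized_module_path")
    if b.get("-trimpath") == "true":
        flags.append("trimpath")
    if b.get("CGO_ENABLED") == "0":
        flags.append("cgo_disabled")
    if b.get("GOARCH") == "386" and b.get("GOOS") == "windows":
        flags.append("windows_386")
    return flags
```

Run it over a dump of a suspect PE's .rdata section (or the whole file) to get the same trait list the YARA rule keys on, with the parsed module path available for triage notes.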

IOC List

Type      Value                                                             Source
SHA-256   6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2  triage.json
IP        5.252.155.72                                                      triage.json (OpenCTI label)
Domain    laserlogdnsop.icu                                                 triage.json (OpenCTI label)
Filename  ojujn.exe                                                         triage.json
Build     go1.26.2, GOARCH=386, CGO_ENABLED=0                               strings.txt

References

  • OpenCTI labels: acrstealer, laserlogdnsop-icu, 5-252-155-72, signed, malware-bazaar ^[triage.json]
  • Related wiki page: acrstealer

Provenance

Analysis based on strings.txt, pefile.txt, binwalk.txt, rabin2-info.txt, exiftool.json, triage.json, and dynamic-analysis.md produced by the triage pipeline. Static decompilation performed with pyghidra (Ghidra) on <sample 6871848bb724.bin>. No dynamic execution data available.