Tags: family=orderreshop, confidence=medium, infostealer, golang, pe-overlay-parser, prng-seeded-string-decode
SHA-256: 6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e

orderreshop: 6f6f0525 — Go infostealer with custom PE parser and multi-pass string decoder

Executive Summary

Go-based PE64 infostealer matching the golang-stealer-build-pattern. Notable for a custom in-memory PE parser (main.tnlzbjjyqfzrdbk) that maps IMAGE_SECTION_HEADER arrays into Go structs, and a multi-pass byte-transformation decoder (main.feulitaukwilqj) used for runtime string/C2 extraction. Zero hardcoded network indicators in static strings; C2 is decoded at execution. No CAPE detonation available, so all TTPs below are statically inferred.

What It Is

  • Format: PE32+ executable (GUI) x86-64, 9 sections, ~2.2 MB ^[file.txt]
  • Language: Go (stripped, statically linked, CGO_ENABLED=0) ^[rabin2-info.txt:17]
  • Module path: pOWbqmsqqaxxzqH (randomized 15-char alpha string) ^[strings.txt:1870]
  • Timestamp: 0x0 (1970-01-01) across all PE headers — Go linker default, also strips compile-time attribution ^[pefile.txt:0x88]
  • Signing: Security directory present (0x8D0 bytes at RVA 0x1CD800) but PKCS#7 extraction inconclusive from static inspection alone; treat as unverified ^[pefile.txt:271]
  • Entropy: .text 6.27, .rdata 6.22, .data 4.38 — no heavy packing or encryption of sections ^[pefile.txt:.text, .rdata, .data]
  • IAT surface: Exclusively kernel32.dll (WriteFile, VirtualAlloc, SetErrorMode, etc.); no ws2_32, wininet, crypt32, or cryptui imports. This is the normal shape of a Go binary rather than an evasion: the Go runtime reaches other DLLs through LoadLibrary/GetProcAddress at run time, and TLS and HTTP are implemented in the Go standard library instead of Windows APIs, so no networking or crypto DLL shows up in the import table ^[rabin2 -i output]

How It Works

The binary is a statically-linked Go executable with a randomized main package path, consistent with the build pipeline documented on golang-stealer-build-pattern. Entry point main.main dispatches through a trampoline chain that fans out to multiple similarly-sized functions, a mild control-flow flattening technique.

Decompiled Behavior

  • Entry dispatcher: main.main → main.bqkfrwwpsa → {main.xxkmcj, main.flnnzujk, main.tnlzbjjyqfzrdbk}. Each function is a tiny trampoline with its own jump/switch pattern; all three eventually converge on the same inner logic chain. This is lightweight obfuscation consistent with the randomized-symbol build pattern documented on golang-stealer-build-pattern ^[ghidra:main.main, main.bqkfrwwpsa, main.xxkmcj, main.flnnzujk]

  • Custom PE parser (main.tnlzbjjyqfzrdbk): Validates MZ magic (0x5a4d), walks e_lfanew to the PE signature (0x4550), probes the optional header Magic field (0x10b for PE32 vs 0x20b for PE32+), and copies the entire IMAGE_SECTION_HEADER array (0x28 bytes per entry) into a Go slice allocated via runtime_makeslice ^[ghidra:main.tnlzbjjyqfzrdbk]. Likely used to locate embedded payloads or map its own image for in-memory patching.

  • String/C2 decoder (main.feulitaukwilqj): Receives a buffer, its length, and a key argument. Applies a multi-pass transformation: alternating ADD/SUBTRACT/XOR per-byte operations keyed by the argument, followed by an index-based swap reversal, a byte-wide SHIFT subtraction, and a final XOR-against-index pass ^[ghidra:main.feulitaukwilqj]. Structure matches a resource-unpacking or C2-string-decryption routine.

  • Helper (main.Odmcnstyb): Called by the PE parser for little-endian DWORD reads.
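To make the parser description concrete, the following Go program is an added reference implementation written for this page; it is not code recovered from the sample, and the section layout in BuildSample is constructed test data. It walks the same header chain the decompilation describes (MZ magic, e_lfanew, PE signature, optional-header magic 0x10b/0x20b, 0x28-byte section headers copied into a slice) and additionally computes where the overlay begins, which is what a parser of this shape is usually for when a payload rides after the last section:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const sectionHeaderSize = 0x28 // sizeof(IMAGE_SECTION_HEADER)

// Section holds the IMAGE_SECTION_HEADER fields needed to map a section to file offsets.
type Section struct {
	Name                                            string
	VirtualAddress, SizeOfRawData, PointerToRawData uint32
}

// PEInfo: optional-header magic, section table, and the overlay (bytes past the last section).
type PEInfo struct {
	Magic         uint16 // 0x10b = PE32, 0x20b = PE32+
	Sections      []Section
	OverlayOffset int // equals len(buf) when there is no overlay
	Overlay       []byte
}

// ParsePE follows the header chain the report attributes to main.tnlzbjjyqfzrdbk
// (MZ -> e_lfanew -> "PE\0\0" -> COFF -> optional-header magic -> section table),
// with bounds checks so a truncated or hostile buffer cannot index out of range.
func ParsePE(buf []byte) (*PEInfo, error) {
	le := binary.LittleEndian
	if len(buf) < 0x40 || le.Uint16(buf) != 0x5a4d {
		return nil, errors.New("missing MZ magic")
	}
	peOff := uint64(le.Uint32(buf[0x3c:])) // e_lfanew
	if peOff+26 > uint64(len(buf)) {       // signature(4) + COFF header(20) + optional-header magic(2)
		return nil, errors.New("e_lfanew points past end of buffer")
	}
	if le.Uint32(buf[peOff:]) != 0x00004550 { // "PE\0\0"
		return nil, errors.New("missing PE signature")
	}
	coff := peOff + 4
	numSections := uint64(le.Uint16(buf[coff+2:]))
	optSize := uint64(le.Uint16(buf[coff+16:]))
	optOff := coff + 20
	magic := le.Uint16(buf[optOff:])
	if magic != 0x10b && magic != 0x20b {
		return nil, fmt.Errorf("unexpected optional header magic 0x%x", magic)
	}
	secOff := optOff + optSize
	if numSections == 0 || secOff+numSections*sectionHeaderSize > uint64(len(buf)) {
		return nil, errors.New("section table missing or extends past end of buffer")
	}
	info := &PEInfo{Magic: magic, OverlayOffset: len(buf)}
	var end uint64 // highest file offset covered by any section's raw data
	for i := uint64(0); i < numSections; i++ {
		ent := buf[secOff+i*sectionHeaderSize:][:sectionHeaderSize]
		s := Section{Name: string(bytes.TrimRight(ent[:8], "\x00")),
			VirtualAddress: le.Uint32(ent[12:]), SizeOfRawData: le.Uint32(ent[16:]),
			PointerToRawData: le.Uint32(ent[20:])}
		info.Sections = append(info.Sections, s)
		// SizeOfRawData == 0 is uninitialised data (.bss-style) and occupies no file bytes.
		if e := uint64(s.PointerToRawData) + uint64(s.SizeOfRawData); s.SizeOfRawData != 0 && e > end {
			end = e
		}
	}
	if end < uint64(len(buf)) {
		info.OverlayOffset = int(end)
		info.Overlay = buf[end:]
	}
	return info, nil
}

// BuildSample constructs a minimal PE32+ image in memory (test data made up for
// this page, not bytes from the sample): DOS header, PE signature, COFF header,
// zeroed PE32+ optional header, two section headers, their raw data, and an overlay.
func BuildSample() []byte {
	le := binary.LittleEndian
	const peOff, optSize = 0x40, 0xF0 // PE32+ optional header is 0xF0 bytes
	img := make([]byte, 0x600)        // headers + two 0x200-byte raw sections
	copy(img, "MZ")
	le.PutUint32(img[0x3c:], peOff)
	copy(img[peOff:], "PE\x00\x00")
	coff := peOff + 4
	le.PutUint16(img[coff:], 0x8664)     // Machine: AMD64
	le.PutUint16(img[coff+2:], 2)        // NumberOfSections
	le.PutUint16(img[coff+16:], optSize) // SizeOfOptionalHeader
	le.PutUint16(img[coff+20:], 0x20b)   // Optional header Magic: PE32+
	putSection := func(ent []byte, name string, va, rawPtr uint32) {
		copy(ent[:8], name)
		le.PutUint32(ent[12:], va)     // VirtualAddress
		le.PutUint32(ent[16:], 0x200)  // SizeOfRawData
		le.PutUint32(ent[20:], rawPtr) // PointerToRawData
	}
	sec := img[coff+20+optSize:]
	putSection(sec, ".text", 0x1000, 0x200)
	putSection(sec[sectionHeaderSize:], ".data", 0x2000, 0x400)
	return append(img, "OVERLAY-PAYLOAD"...)
}
```

ParsePE(BuildSample()) reports magic 0x20b, two sections, and an overlay starting at 0x600. The hostile-input checks are the part worth copying: a malware-side parser that trusts NumberOfSections or e_lfanew can be crashed by a crafted image, and the same oversight in an analyst's tooling is how a sample takes down a triage pipeline.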

C2 Infrastructure

  • No static indicators: Zero resolved C2 strings in FLOSS output, radare2 string scan, or raw ASCII/Unicode strings ^[floss.txt, strings.txt]
  • Dynamic resolution only: C2 likely decoded at runtime via main.feulitaukwilqj or a sibling routine. Without the key or dynamic execution, plaintext is unreachable from static inspection.
  • Protocol inference: net/http, crypto/tls, and crypto/x509 from the Go stdlib are linked in (confirmed by runtime type strings), so an HTTPS client is compiled into the binary. Because the Go linker keeps only reachable code, the packages are at least referenced; that is consistent with an HTTPS C2 channel but does not by itself prove one is exercised. No direct IP, domain, or Telegram/Discord webhook strings are present in the binary.
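The following Go program is an added example for this page, not the sample's code. It reconstructs a decoder with the four-pass shape described under Decompiled Behavior for main.feulitaukwilqj (keyed ADD/SUB/XOR by index, swap reversal, shift subtraction, XOR against index) and shows the practical consequence of that shape when the key is a single byte: given a known plaintext prefix such as "https://", the whole key space is exhausted in microseconds, so the plaintext is reachable statically once the blob and the routine are identified. The operand choices inside each pass, the one-byte key width, the key value 0x5A, and the sample URL (a constructed placeholder under the reserved .invalid TLD) are assumptions made for the demonstration:

```go
package main

import (
	"bytes"
	"fmt"
)

// decode applies the four passes in the order the decompilation lists them.
// Which op lands on which index, the shift amount and the swap direction are
// assumptions for illustration, not constants recovered from the sample.
func decode(in []byte, key byte) []byte {
	out := append([]byte(nil), in...) // never mutate the caller's blob
	n := len(out)
	for i := range out { // pass 1: alternating ADD / SUB / XOR with the key
		switch i % 3 {
		case 0:
			out[i] += key
		case 1:
			out[i] -= key
		default:
			out[i] ^= key
		}
	}
	for i := 0; i < n/2; i++ { // pass 2: index-based swap reversal
		out[i], out[n-1-i] = out[n-1-i], out[i]
	}
	for i := range out { // pass 3: subtract a shifted copy of the key
		out[i] -= key >> 1
	}
	for i := range out { // pass 4: XOR each byte with its own index
		out[i] ^= byte(i)
	}
	return out
}

// encode is decode's exact inverse (passes undone in reverse order). It exists
// only to fabricate a blob the way a builder would; the sample ships blobs
// already encoded.
func encode(plain []byte, key byte) []byte {
	out := append([]byte(nil), plain...)
	n := len(out)
	for i := range out {
		out[i] ^= byte(i)
	}
	for i := range out {
		out[i] += key >> 1
	}
	for i := 0; i < n/2; i++ {
		out[i], out[n-1-i] = out[n-1-i], out[i]
	}
	for i := range out {
		switch i % 3 {
		case 0:
			out[i] -= key
		case 1:
			out[i] += key
		default:
			out[i] ^= key
		}
	}
	return out
}

// recoverKey tries all 256 single-byte keys against a known plaintext prefix
// and returns every key that fits; more than one hit means the prefix is too
// short to disambiguate and a longer one is needed.
func recoverKey(blob, knownPrefix []byte) []byte {
	var keys []byte
	for k := 0; k < 256; k++ {
		if bytes.HasPrefix(decode(blob, byte(k)), knownPrefix) {
			keys = append(keys, byte(k))
		}
	}
	return keys
}

func main() {
	// Constructed input: a placeholder URL under the reserved .invalid TLD,
	// encoded with key 0x5A. Nothing here is an indicator from the sample.
	blob := encode([]byte("https://c2.example.invalid/gate"), 0x5A)
	for _, k := range recoverKey(blob, []byte("https://")) {
		fmt.Printf("key 0x%02x -> %q\n", k, decode(blob, k))
	}
}
```

To use this against the real routine, replace the constructed blob with the bytes passed to main.feulitaukwilqj and re-derive each pass's operands from the decompilation; if the key turns out to be wider than one byte, the search in recoverKey grows accordingly, but a known-plaintext attack on the first few output bytes remains the right starting point.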

Interesting Tidbits

  • Apart from the standard library, the only Go source path is pOWbqmsqqaxxzqH/main.go. iter/iter.go also appears, but iter is a standard-library package added in Go 1.23 (range-over-func iterators), so it dates the toolchain rather than marking attacker code: the compiler is >= 1.23. Field references to runtime.coro (also new in 1.23), runtime.note, runtime.mspan, and godebug.setting are consistent with Go 1.26.2 as seen in sibling acrstealer samples, but without buildinfo we mark this as "matching the ACR build pattern" rather than confirming the exact version.
  • The .rsrc section contains a standard Windows icon group, suggesting social-engineering masquerade (same tactic as ACR Stealer siblings).
  • The binary contains exactly one user source file (main.go), meaning the actual stealer logic is compact: the majority of the 2.2 MB is the Go runtime and standard library.
  • Control-flow flattening is minimal: the trampolines are small and the flattened graph is easily traversable in Ghidra. The real obfuscation is the string-decoder and the absence of C2 artifacts in memory.

Deployable Signatures

YARA

rule orderreshop_go_stealer {
    meta:
        description = "Go-based info-stealer matching OrderReshop / ACR build pattern"
        author = "PacketPursuit"
        date = "2026-05-28"
        hash = "6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e"
    strings:
        // Discriminators: a 15-letter main module built as (devel) plus its main.go path.
        // Both regexes are unanchored; $main_go also matches any 15-letter path element
        // followed by /main.go, so it is only meaningful together with $mod_devel.
        $mod_devel = /mod\t[a-zA-Z]{15}\t\(devel\)/ ascii wide
        $main_go    = /[a-zA-Z]{15}\/main\.go/ ascii wide
        // Toolchain markers: iter and runtime.coro are standard-library/runtime artifacts of
        // Go >= 1.23, mspan and godebug.setting of the Go runtime generally. They narrow the
        // compiler version and are not family-specific on their own.
        $s_iter     = "iter/iter.go" ascii wide
        $s_runtime_coro = "*runtime.coro" ascii wide
        $s_godebug_setting = "*godebug.setting" ascii wide
        $s_mspan    = "*runtime.mspan" ascii wide
    condition:
        uint16(0) == 0x5a4d and
        filesize < 3MB and
        $mod_devel and
        $main_go and
        $s_iter and
        2 of ($s_runtime_coro, $s_godebug_setting, $s_mspan)
}

Behavioral Fingerprint

"PE64 GUI executable with a minimal IAT restricted to kernel32.dll, yet containing Go runtime strings for net/http, crypto/tls, and crypto/x509. No hardcoded C2 indicators in process memory at launch. Expects to decode an HTTPS endpoint at runtime via a multi-pass XOR/ADD/SWAP routine before POSTing collected credentials. Often carries a .rsrc icon group for social-engineering masquerade."

IOC List

  Type           Value                                                             Notes
  SHA-256        6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e  This sample
  Build Pattern  pOWbqmsqqaxxzqH                                                   Randomized module path
  Family Name    orderreshop                                                       Triage pipeline ascription

Detection Signatures

  • MITRE ATT&CK: T1071.001 (Application Layer Protocol: Web Protocols) — inferred from net/http + crypto/tls static linkage ^[rabin2-info.txt, strings.txt]
  • MITRE ATT&CK: T1005 (Data from Local System) — carried over from the infostealer classification; the custom PE parser only locates section data inside a PE image and is not by itself evidence of local data collection, so treat this mapping as unconfirmed until detonation ^[ghidra:main.tnlzbjjyqfzrdbk]
  • MITRE ATT&CK: T1027 (Obfuscated Files or Information) — multi-pass byte transformation obscures embedded strings/C2 ^[ghidra:main.feulitaukwilqj]
  • MITRE ATT&CK: T1036.008 (Masquerading: Masquerade File Type) — Windows icon group in .rsrc consistent with social-engineering masquerade. The GUI subsystem flag only means no console window is opened; it supports T1564.003 (Hide Artifacts: Hidden Window) only if detonation confirms the process creates no visible window ^[pefile.txt:.rsrc, file.txt:GUI]

Provenance

Static analysis performed on 6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e.bin using:

  • radare2 (rabin2 -I -i -R -z -S) for headers, imports, relocs, strings, sections
  • Ghidra via pyghidra-mcp for decompilation of main.main, main.bqkfrwwpsa, main.xxkmcj, main.flnnzujk, main.tnlzbjjyqfzrdbk, main.feulitaukwilqj
  • Python strings extraction + line-number grep for evidence markers
  • No CAPE detonation available (skipped — no windows guest online)