type: analysis | family: 9d2ca3 | confidence: medium | created: 2026-06-02 | updated: 2026-06-02 | tags: malware-family, pe, golang, obfuscation, signing, c2, defense-evasion, loader
SHA-256: a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e

9d2ca3: a7b9f3dd — Go 1.25.4 PE64 infostealer with randomized module path and invalid Authenticode (TLS certificate as signer)

Contradiction alert: This sample carries the OpenCTI label 9d2ca3 but is built with Go 1.25.4, not MinGW-w64. The existing 9d2ca3 entity page describes a MinGW dropper cluster; this analysis extends that entity to cover the Go second-stager variant also dropped by Amadey. See the "Build / RE" section for provenance. ^[metadata.json]

Executive Summary

A Go 1.25.4 PE64 binary dropped by the Amadey downloader botnet. It uses a randomized module path (uyiUNvZdvAGQnhv) and 29 randomized main-package function names as structural obfuscation. An embedded PKCS#7 Authenticode blob is present, but its signer is a 91-day domain-validated TLS certificate (CN=askart.com, issuer CN=WE1, the name of a Google Trust Services intermediate), not a code-signing certificate, so the signature cannot pass Authenticode validation; it exists to satisfy naive "is the file signed?" checks. No C2 IOCs are recoverable from static strings; they are likely runtime-decoded. No CAPE detonation was possible (no Windows guest available). ^[file.txt] ^[metadata.json]

What It Is

  • SHA-256: a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e ^[metadata.json]
  • File type: PE32+ executable (GUI) x86-64, 8 sections ^[file.txt]
  • Size: 2,531,968 bytes ^[exiftool.json]
  • Toolchain: Go 1.25.4 (go1.25.4), gc compiler, CGO_ENABLED=0, GOOS=windows, GOARCH=amd64, trimpath=true ^[strings.txt:1915] ^[strings.txt:6171]
  • Module path: uyiUNvZdvAGQnhv (randomized) ^[strings.txt:1917]
  • Build ID: -uKTRX6gt0eMoiOZ5OAQ/c7Guepxadhh77n_TW_nS/JNCVdgP89AY7sVdbtIDT/ApH5-HIvMm1Vm38cMe0b ^[strings.txt:9]
  • Entry point: 0x743a0 (Go runtime entry inside .text) ^[pefile.txt:50]
  • Timestamp: 0x0 (Thu Jan 1 00:00:00 1970 UTC) — timestamps stripped, standard for Go binaries ^[pefile.txt:34]

Build / RE

Toolchain & format

The binary is a standard Go exe build for Windows amd64. The .text section is 680 KB (entropy 6.24), .rdata is 1.6 MB (entropy 6.93 housing Go type tables and string blobs), .data is 360 KB (entropy 4.55 — typical for Go globals), .idata is tiny at 0x53E bytes (kernel32-only import table). ^[pefile.txt:77-200]

A .symtab section is present (DISCARDABLE, 0x1B200 bytes): the Go symbol table was not stripped, so all 29 main-package function names are recoverable. ^[pefile.txt:217-235]
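The facts in this section and under "What It Is" (Go version, module path, build flags, section sizes and entropies, security-directory location) can be reproduced with the Go standard library alone. The program below is an added example for this report, not the sample's code or any of the tooling listed under Provenance: debug/buildinfo reads the same buildinfo blob that PyGhidra parsed, and debug/pe yields the section table, per-section entropy and the security directory (f.ImportedSymbols() on the same handle lists the IAT, for the kernel32-only check).

```go
// gotriage.go: static triage of a Go PE with the standard library only: Go toolchain,
// module path and build settings from the buildinfo blob, per-section entropy and the
// security directory. Added example for this report, not the sample's code.
package main

import (
	"debug/buildinfo"
	"debug/pe"
	"fmt"
	"math"
	"os"
)

// shannonEntropy returns byte entropy in bits: 0.0 for a constant buffer, 8.0 for uniform bytes.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// readGoBuildInfo reads the .go.buildinfo blob every Go 1.18+ binary carries (PE, ELF, Mach-O).
// -ldflags="-s -w" strips .symtab and DWARF but not this blob, so Go version, module path and
// -trimpath survive in stripped Go malware too.
func readGoBuildInfo(path string) (*buildinfo.BuildInfo, error) {
	return buildinfo.ReadFile(path)
}

// buildSetting returns one recorded setting (GOOS, GOARCH, CGO_ENABLED, -trimpath, -ldflags, ...).
func buildSetting(bi *buildinfo.BuildInfo, key string) string {
	for _, s := range bi.Settings {
		if s.Key == key {
			return s.Value
		}
	}
	return ""
}

// SectionInfo is one section-table row with the entropy of its raw file bytes.
type SectionInfo struct {
	Name    string
	Size    uint32
	Entropy float64
}

// PEReport collects the PE-level facts this report quotes next to the buildinfo.
type PEReport struct {
	Sections                           []SectionInfo
	SecurityDirOffset, SecurityDirSize uint32 // raw file offset and size of the Authenticode blob
}

func peReport(path string) (*PEReport, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	oh, ok := f.OptionalHeader.(*pe.OptionalHeader64)
	if !ok {
		return nil, fmt.Errorf("%s: not a PE32+ image", path)
	}
	sec := oh.DataDirectory[4] // IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset, not an RVA
	r := &PEReport{SecurityDirOffset: sec.VirtualAddress, SecurityDirSize: sec.Size}
	for _, s := range f.Sections {
		data, err := s.Data()
		if err != nil {
			return nil, err
		}
		r.Sections = append(r.Sections, SectionInfo{s.Name, s.Size, shannonEntropy(data)})
	}
	return r, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gotriage <pe-file>")
		os.Exit(2)
	}
	if bi, err := readGoBuildInfo(os.Args[1]); err == nil {
		fmt.Printf("%s module=%s GOOS=%s GOARCH=%s CGO_ENABLED=%s trimpath=%s\n", bi.GoVersion, bi.Path,
			buildSetting(bi, "GOOS"), buildSetting(bi, "GOARCH"), buildSetting(bi, "CGO_ENABLED"), buildSetting(bi, "-trimpath"))
	}
	r, err := peReport(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, s := range r.Sections {
		fmt.Printf("%-10s %8d bytes  entropy %.2f\n", s.Name, s.Size, s.Entropy)
	}
	fmt.Printf("security directory: offset 0x%x size 0x%x\n", r.SecurityDirOffset, r.SecurityDirSize)
}
```

Run as go run gotriage.go sample.exe. Reading the buildinfo works on any Go binary whether or not it was built with -s -w; peReport needs a PE32+ file, and an entropy of 6.9 in .rdata is what dense Go type metadata looks like, not a packed payload.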

Signing

IMAGE_DIRECTORY_ENTRY_SECURITY at raw offset 0x269A00, size 0x880. ^[pefile.txt:251-253] The embedded PKCS#7 blob (WIN_CERT type 0x0200) contains a leaf certificate with:

  • Subject CN: askart.com
  • Issuer CN: WE1
  • Validity: Apr 14 2026 – Jul 13 2026

The issuer CN WE1 is the name of a Google Trust Services intermediate that issues 90-day domain-validated TLS certificates, and the 91-day validity window matches that lifecycle. The signer is therefore a TLS server certificate for askart.com (genuine or imitated; neither the chain nor the PKCS#7 signature itself was verified) rather than a code-signing certificate from any CA. A DV TLS leaf carries the serverAuth/clientAuth extended key usages and not codeSigning, so Windows rejects it as an Authenticode signer regardless of chain validity: the blob is there to pass superficial "signed binary" checks, not to validate. The certificate fields were extracted and parsed programmatically from the PE security directory.
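The check above can be reproduced, and extended with the one test that settles the question, using the Go standard library. The program below is an added example for this report, not the sample's code or the OpenSSL workflow used in the analysis: it parses the WIN_CERTIFICATE header from the bytes of the security directory (for this sample the 0x880 bytes at file offset 0x269A00, which can be dumped with dd), pulls every X.509 certificate out of the PKCS#7 payload without a PKCS#7 library, and applies the codeSigning extended-key-usage gate that Authenticode applies to the signer. With no argument it runs on a constructed stand-in (self-signed, serverAuth-only, 91-day, CN www.example.test, an assumption and not the real askart.com certificate) that reproduces the negative result.

```go
// authenticode_check.go: parse a PE security directory (WIN_CERTIFICATE + PKCS#7),
// recover the embedded X.509 certificates and apply the code-signing EKU gate.
// Added example for this report, not code from the sample or its tooling.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"os"
	"time"
)

// parseWinCertificate splits WIN_CERTIFICATE {dwLength, wRevision, wCertificateType, bCertificate}.
func parseWinCertificate(blob []byte) (revision, certType uint16, payload []byte, err error) {
	if len(blob) < 8 {
		return 0, 0, nil, fmt.Errorf("short WIN_CERTIFICATE (%d bytes)", len(blob))
	}
	length := binary.LittleEndian.Uint32(blob[0:4])
	if length < 8 || uint64(length) > uint64(len(blob)) {
		return 0, 0, nil, fmt.Errorf("dwLength 0x%x out of range", length)
	}
	return binary.LittleEndian.Uint16(blob[4:6]), binary.LittleEndian.Uint16(blob[6:8]), blob[8:length], nil
}

// certsFromPKCS7 recovers certificates from DER SignedData without a PKCS#7 parser: a certificate
// is a SEQUENCE with a two-byte length (30 82 L L), so try x509.ParseCertificate at every such
// header and keep what parses; the SignedData wrapper and each TBSCertificate fail to parse.
func certsFromPKCS7(der []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for i := 0; i+4 <= len(der); i++ {
		if der[i] != 0x30 || der[i+1] != 0x82 {
			continue
		}
		n := int(der[i+2])<<8 | int(der[i+3])
		if end := i + 4 + n; end <= len(der) {
			if c, err := x509.ParseCertificate(der[i:end]); err == nil {
				certs = append(certs, c)
				i = end - 1 // resume after this certificate
			}
		}
	}
	return certs
}

// canSignCode is the EKU gate Authenticode applies to the signer: codeSigning or anyExtendedKeyUsage.
// A DV TLS leaf carries only serverAuth/clientAuth and fails it whichever CA issued it.
func canSignCode(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// demoBlob is constructed input: a WIN_CERTIFICATE (revision 0x0200, type 0x0002) wrapping a
// self-signed, serverAuth-only, 91-day certificate, standing in for the sample's blob so the
// functions above run offline. It is not the real askart.com certificate.
func demoBlob() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(91 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	payload := append([]byte{0x30, 0x82, byte(len(der) >> 8), byte(len(der))}, der...) // fake outer SEQUENCE, as in real SignedData
	blob := make([]byte, (8+len(payload)+7)&^7) // entries are padded to 8-byte alignment
	binary.LittleEndian.PutUint32(blob[0:4], uint32(8+len(payload)))
	binary.LittleEndian.PutUint16(blob[4:6], 0x0200)
	binary.LittleEndian.PutUint16(blob[6:8], 0x0002)
	copy(blob[8:], payload)
	return blob, nil
}

func main() {
	blob, err := demoBlob() // with an argument, the file is taken as dumped security-directory bytes
	if len(os.Args) > 1 {
		blob, err = os.ReadFile(os.Args[1])
	}
	rev, typ, payload, perr := parseWinCertificate(blob)
	if err != nil || perr != nil {
		fmt.Fprintln(os.Stderr, "cannot parse security directory:", err, perr)
		os.Exit(1)
	}
	fmt.Printf("WIN_CERTIFICATE revision 0x%04x type 0x%04x, %d payload bytes\n", rev, typ, len(payload))
	for _, c := range certsFromPKCS7(payload) {
		days := int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
		fmt.Printf("CN=%q issuer CN=%q, %d days, codeSigning EKU: %v\n", c.Subject.CommonName, c.Issuer.CommonName, days, canSignCode(c))
	}
}
```

A DV TLS certificate prints codeSigning EKU: false here whatever its issuer, which is what makes the identity of WE1 irrelevant to Authenticode validity. The scan-for-SEQUENCE approach is a triage shortcut: it recovers the certificates but does not verify the signature or the chain, so pair it with signtool verify /pa or osslsigncode verify when a verdict on the signature itself is needed.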

Anti-analysis

No debugger or VM detection was found in static strings. The anti-analysis comes from structural choices:

  • Randomized module path and function names defeat naive signature matching.
  • No .rsrc section — no icon or VS_VERSIONINFO masquerade.
  • No hardcoded C2 in strings; C2 strings and runtime configuration are presumably decoded at launch, which could not be confirmed without detonation.

29 randomized main-package functions were recovered from .symtab: main.Jtruwhtr, main.Dqkwrkrcvdh, main.Nhvtoykmcbvizlr, main.Lgkyftkknopn, main.Tcwmeky, main.Vqtiqjtgb, main.Rkscskboyuu, main.Crfnsgapcjat, main.Bqcszgaysa, main.Ybdmrnakla, main.Hmxqgctcfscoca, main.Mmvmsok, main.Qlhroxyzyxhoka, main.Rsibyelcuv, main.Kjqjjof, main.Ubmlptvwknp, main.Tuloecsict, main.Yuzkqxppet, main.Wgagde, main.Icunluzrmk, main.Ijumpthohacdqy, main.Iemehhrvfdgwfl, main.crtdtputjqebj, main.czgdzbapgw, main.qjczvwr, main.znlzqzbimcvff, main.bkhsrilq, main.cpcilef, main.njcqkvnjvx ^[strings.txt:5918-5931]

Notable functions

From radare2 decompilation:

  • main.main — calls math/rand.Seed with time.Now().UnixNano(), then serially invokes ~20 randomized-name functions before entering an infinite for loop. On Go 1.24 and later the top-level rand.Seed is a no-op unless the process runs with GODEBUG=randseednop=0, so on this toolchain the seeding does not affect the generator; the call survives as a symbol and a fingerprint. ^[r2:sym.main.main]
  • main.Jtruwhtr — allocates a slice of 100 integers, fills each with math/rand.Intn(1000), sums them, then loops 0x1000 times doing no-op increments. This is junk code: 0x1000 empty iterations add no measurable delay, so it pads and reshapes the function rather than stalling a sandbox. ^[r2:sym.main.Jtruwhtr]
  • main.crtdtputjqebj — resolves "VirtualAlloc" through a syscall.LazyProc (the DLL and procedure names are assembled by string concatenation) and calls it with fixed arguments. This is the syscall.NewLazyDLL/NewProc pattern, which resolves the export at run time instead of through the import table. ^[r2:sym.main.crtdtputjqebj]
  • main.czgdzbapgw — heavy bit manipulation on a byte slice: r12w >>= 0xc, r10d &= 0xfff, word-level add/sub operations. This is a string/byte decoder or lightweight deobfuscation routine; its input and output were not recovered statically. ^[r2:sym.main.czgdzbapgw]

No process-injection or process-hollowing APIs appear in the IAT, which holds only the kernel32 exports the Go runtime itself needs (a CGO_ENABLED=0 build has no CRT imports). Any injection behaviour would have to go through Go's syscall LazyProc resolution at run time, as the VirtualAlloc call already does, so the IAT is not a reliable indicator of this binary's capabilities.

Deploy / ATT&CK

No dynamic detonation was performed (CAPE skipped: no Windows guest). All TTPs below are inferred from static + decompiled behaviour.

Technique | ID | Evidence
Deobfuscate/Decode Files or Information | T1140 | Runtime string decoding in main.czgdzbapgw; no plaintext C2 strings ^[r2:sym.main.czgdzbapgw]
Obfuscated Files or Information: Dynamic API Resolution | T1027.007 | VirtualAlloc resolved through syscall.LazyProc at run time rather than via the import table ^[r2:sym.main.crtdtputjqebj]
Reflective Code Loading (inferred) | T1620 | A runtime-resolved VirtualAlloc is consistent with in-memory payload staging; unconfirmed without detonation
Masquerading: Invalid Code Signature | T1036.001 | Authenticode blob whose signer is a DV TLS certificate (CN=askart.com, issuer CN=WE1), not a code-signing certificate
Virtualization/Sandbox Evasion (weak) | T1497 | Junk loops in main.Jtruwhtr; 0x1000 no-op iterations is negligible delay, so this is padding more than evasion
System Information Discovery (weak) | T1082 | os.Hostname, GetCurrentProcessId, GetSystemInfo in the import graph; these are part of the standard Go runtime/syscall surface and appear in most Go Windows binaries ^[strings.txt:5921]

C2 Infrastructure

No hardcoded IPs, domains, URLs, or Telegram/Discord handles were recovered in static strings. C2 infrastructure is presumably runtime-decoded, with main.czgdzbapgw the candidate decoder, consistent with the Go infostealer build pattern observed in siblings such as acrstealer and lummastealer.

Interesting Tidbits

  • This sample is the first Go sibling observed under the 9d2ca3 label; the other documented 9d2ca3 sample (2d39ed5e) is MinGW-w64. OpenCTI groups Amadey-dropped second-stagers under one internal label regardless of build toolchain.
  • The .symtab section is preserved, making the Go symbol names fully recoverable. This is unusual for malware that otherwise invests in randomized names; it suggests the builder did not run go build -ldflags="-s -w".
  • Entropy of .rdata is 6.93: high, but typical for Go .rdata, which is dense type metadata and string tables. It is not evidence of packing or an encrypted payload.
  • rabin2 reports overlay: true and signed: true; the overlay is the appended Go buildinfo (0x1b0e8 bytes) plus the PKCS#7 signature. ^[rabin2-info.txt]

How To Mess With It (Homelab Replication)

Reproduce the static fingerprint with a minimal Go program (clock-seeded math/rand, os.Hostname, a junk loop and a LazyProc-resolved VirtualAlloc, matching what the decompilation shows):

//go:build windows

// main.go
package main

import (
    "fmt"
    "math/rand"
    "os"
    "syscall"
    "time"
)

// junk mirrors main.Jtruwhtr: 100 random ints summed, then 0x1000 empty iterations.
func junk() int {
    s := 0
    for i := 0; i < 100; i++ {
        s += rand.Intn(1000)
    }
    for i := 0; i < 0x1000; i++ {
    }
    return s
}

func main() {
    rand.Seed(time.Now().UnixNano()) // deprecated and a no-op on Go 1.24+, but it compiles and leaves the same symbol
    host, _ := os.Hostname()          // os.Hostname returns (string, error)
    // Resolved at run time through syscall.LazyProc rather than the import table (the Go
    // runtime imports VirtualAlloc itself, so the name is in the IAT either way).
    valloc := syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc")
    fmt.Println(host, junk(), valloc.Find())
}

Build without -ldflags="-s -w", so that .symtab survives as it does in this sample:

GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -o repro.exe main.go

Adding -ldflags="-s -w" strips .symtab and the DWARF sections, which is what most Go malware builders do and this one did not. Verify with rabin2 -I repro.exe, which should report lang: go, overlay: true and signed: false (repro.exe has no security directory).

Deployable Signatures

YARA rule

import "pe"

rule go_9d2ca3_amadey_dropper {
    meta:
        description = "Go 1.25.x Amadey-dropped second-stager: unstripped, 8 sections, Authenticode blob present, clock-seeded math/rand"
        author = "PacketPursuit"
        date = "2026-06-02"
        hash = "a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e"
        note = "Hunting rule. VirtualAlloc and the rand seed symbol occur in benign Go binaries; the pe conditions do the discriminating."
    strings:
        $go_buildinfo = "Go build ID: \"" ascii
        $go125 = "go1.25" ascii
        $mod_path = "path\t" ascii
        $mod_ver = "mod\t" ascii
        $rand_seed = "math/rand.(*lockedSource).seed" ascii
        $virtual_alloc = "VirtualAlloc" ascii
    condition:
        uint16(0) == 0x5A4D and
        all of them and
        pe.number_of_sections == 8 and
        pe.number_of_signatures >= 1 and
        for any s in pe.sections : ( s.name == ".symtab" ) and
        not (for any s in pe.sections : ( s.name == ".rsrc" )) and
        filesize > 2MB and filesize < 4MB
}

IOC list

Indicator | Type | Note
a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e | SHA-256 | This sample
askart.com | Certificate CN | Subject of the TLS certificate embedded as the Authenticode signer; weak indicator, the domain's owner may be unrelated to the operator
WE1 | Certificate issuer | Issuer CN; matches the name of a Google Trust Services intermediate, so not an indicator on its own
uyiUNvZdvAGQnhv | Go module path | Randomized; unique per build

Behavioral fingerprint

This binary is a Go 1.25.4 PE64 with a kernel32-only import table, no .rsrc section, and a preserved Go symbol table containing 29 randomized main-package function names. On launch it calls math/rand.Seed with wall-clock nanoseconds (a no-op on Go 1.24+ unless GODEBUG=randseednop=0 is set), executes a series of short randomized-name functions (some performing junk loops of 0x1000 to 0x10000 iterations), resolves VirtualAlloc via the Go syscall LazyProc mechanism, and then enters an idle loop. Any network C2 or payload download behaviour is runtime-decoded and not visible in static analysis.

Detection Signatures

No capa or floss output was available for this sample; capability assessment relies on decompilation and string analysis.

References

  • /intel/analyses/a7b9f3dda435b7f2d0dfbd1e0c8d50cb824cb60fe3343a61a5fd6aa643763c4e.html — this report
  • 9d2ca3 — Entity page for the Amadey-dropped family
  • golang-stealer-build-pattern — Recurring Go build artefacts observed across this cluster

Provenance

Analysis performed with:

  • rabin2 (radare2) — binary metadata, Go detection ^[rabin2-info.txt]
  • strings + grep — string extraction and keyword search ^[strings.txt]
  • pefile.py — PE header and section analysis ^[pefile.txt]
  • radare2 (level-3 auto-analysis) — function listing and decompilation ^[r2:*]
  • PyGhidra import — Golang buildinfo extraction (Build ID, module path, compiler flags) ^[ghidra:metadata]
  • OpenSSL — PKCS#7 certificate extraction and parsing from IMAGE_DIRECTORY_ENTRY_SECURITY (certificate fields only; signature and chain validity were not verified)
  • No capa or floss available (tooling not configured)
  • CAPE detonation skipped — no Windows guest available ^[dynamic-analysis.md]