type: analysis | family: acrstealer | confidence: high | created: 2026-05-27 | updated: 2026-05-27 | tags: infostealer, compiler, signing, golang, c2
SHA-256: c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274

acrstealer: c577c6c8 — Signed Go 1.26.2 PE32 sibling, randomized module PfeYrYvazVUGgZq

Executive Summary

Second observed sibling of the ACR Stealer family: a signed PE32 executable compiled with Go 1.26.2 for Windows (GOARCH=386, CGO_ENABLED=0), featuring a randomized module path (PfeYrYvazVUGgZq) and Authenticode certificate. No CAPE detonation was available, so behavior is inferred from static artefacts, radare2 decompilation, and family metadata. It follows the exact build pattern documented for acrstealer sibling 6871848b — see the cluster entity page for shared TTPs.

What It Is

| Attribute | Value |
|---|---|
| SHA-256 | c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274 |
| Filename | VKkQj.exe |
| Size | 2,454,656 bytes (2.3 MB) |
| Type | PE32 executable (GUI) Intel 80386, 7 sections ^[file.txt] |
| Compiler | Go 1.26.2, GOARCH=386, GOOS=windows, CGO_ENABLED=0, -trimpath=true ^[strings.txt:1673] |
| Module | PfeYrYvazVUGgZq (devel) — randomized per-build ^[strings.txt:1676] |
| Build ID | Gm1k7JcoxVp1GDUmJ7C_/lto-fbFtS-Vw900YmGo1/HKIDHFFx-UVyn881Slys/igpyh1JmIsK36fGoNnu1 ^[strings.txt:8] |
| Signed | Authenticode certificate embedded at offset 0x256C00, size 0x880 ^[pefile.txt] ^[binwalk.txt] |
| Resources | .rsrc section with icons up to 256×256 PNG (social-engineering masquerade) ^[pefile.txt] |
| IAT | kernel32.dll only (41 imports); Go runtime resolves the rest via LoadLibraryExW/GetProcAddress ^[pefile.txt] |

Family attribution is from OpenCTI labels (acrstealer, flur-constzoo-surf, signed) ^[triage.json].

How It Works

Static decompilation of main.main (radare2, 0x0049a520) shows the same control-flow pattern as sibling 6871848b: seed a math/rand PRNG with time.Now(), then invoke a sequence of obfuscated main package functions. The randomized function names (main.divkudpuqx, main.oeqbcteszowuoag, main.mkdzixgwecr, main.hovyjez, etc.) ^[r2:sym.main.main] are meaningless alphanumeric strings, confirming the build-time name randomisation seen in this family.

Standard-library linkage implies runtime use of crypto/tls, net/http, crypto/x509, and crypto/rsa ^[strings.txt:1606], but no hardcoded C2 URL or credential-target strings were found in the extracted .text or .rdata sections. Like the previous sibling, C2 configuration is likely decoded at runtime using the seeded PRNG.

No dynamic execution data is available — CAPE skipped this sample because no Windows guest was online at detonation time ^[dynamic-analysis.md].

Decompiled Behavior

Radare2 decompilation of sym.main.main (address 0x0049a520) reveals:

  1. Stack growth check — calls sym.runtime.morestack_noctxt if the goroutine stack is exhausted ^[r2:sym.main.main].
  2. PRNG seeding — constructs a math/rand.Source via sym.runtime.newobject, then calls sym.math_rand._rngSource_.Seed with values derived from the current timestamp (constants 0x3d1a0000 and 0xa1b203eb appear in the seeding arithmetic) ^[r2:sym.main.main].
  3. Randomised dispatch — invokes sym.math_rand._Rand_.Intn twice (with args 0x1868f and 0x320) to generate indices, then calls main.mkdzixgwecr and main.hovyjez ^[r2:sym.main.main].
  4. No direct syscall or API strings in the decompiled body; all Win32 interaction goes through Go's syscall package wrappers.

C2 Infrastructure

| Type | Value | Source |
|---|---|---|
| IP | 5.252.155.72 | OpenCTI label ^[triage.json] |
| Domain | laserlogdnsop.icu | OpenCTI label ^[triage.json] |

These IOCs were not found as plaintext strings in the binary. They are consistent with the sibling 6871848b, indicating a shared C2 infrastructure across this build cluster.

Interesting Tidbits

  • Identical build toolchain, different module name: The build fingerprint (go1.26.2, CGO_ENABLED=0, -trimpath=true) is byte-for-byte identical to 6871848b; only the randomized module path differs (vcCgXjVCTGAvGkl vs PfeYrYvazVUGgZq). This is strong evidence of an automated build pipeline that randomises the module name per compilation. ^[strings.txt:1673-1676]
  • Certificate present — the DER-encoded PKCS#7 blob at 0x256C00 is intact, but the issuer chain could not be fully parsed during triage. The cert may be self-signed or from a low-reputation CA. ^[binwalk.txt] ^[pefile.txt]
  • No UPX or external packer: .text entropy 6.19, .rdata 7.21. The Go compiler's natural obfuscation (trimpath + randomised names) is sufficient for this family's threat model. ^[pefile.txt]
  • Capa signatures missing — the triage pipeline's capa run failed because the default signature path was not installed ^[capa.txt]; no ATT&CK capability map is available for this sample.
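The build-fingerprint comparison above can be automated by reading the Go buildinfo blob directly instead of grepping strings output. The following Python is an added example, not part of the triage pipeline or this page's original analysis; the buildinfo image it parses is constructed inline from the field values cited above, and the layout it assumes (14-byte magic, flags byte at offset 15, 32-byte header, 16-byte sentinels around the modinfo string) is Go's inline-string buildinfo format used since Go 1.18.

```python
MAGIC = b"\xff Go buildinf:"   # 14-byte magic that opens the 32-byte Go buildinfo header
SENTINEL = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")  # wraps modinfo in Go >= 1.18

def _uvarint(buf, pos):  # decode unsigned LEB128 at pos -> (value, next_pos)
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def parse_go_buildinfo(data):
    """Return (go_version, module_path, build_settings), or None without inline buildinfo."""
    off = data.find(MAGIC)
    if off < 0 or not data[off + 15] & 0x2:  # header byte 15 = flags; bit 1 = inline strings
        return None
    vlen, pos = _uvarint(data, off + 32)      # version string follows the 32-byte header
    version = data[pos:pos + vlen].decode()
    mlen, pos = _uvarint(data, pos + vlen)    # then the modinfo string
    mod = data[pos:pos + mlen]
    if len(mod) >= 33 and mod[-17] == 0x0A:   # strip the 16-byte sentinels on both ends
        mod = mod[16:-16]
    path, settings = None, {}
    for line in mod.decode().splitlines():
        fields = line.split("\t")
        if fields[0] == "path":
            path = fields[1]
        elif fields[0] == "build":            # e.g. "build\tCGO_ENABLED=0"
            key, _, val = fields[1].partition("=")
            settings[key] = val
    return version, path, settings

def looks_randomized(path):  # cluster pattern: no dot/slash, 12-20 ASCII alphanumerics, mixed case
    return bool(path) and path.isascii() and path.isalnum() and 12 <= len(path) <= 20 and path != path.lower()

def matches_cluster(info):
    """Fingerprint shared by both siblings: go1.26.2, 386, CGO off, trimpath, random module."""
    version, path, s = info
    return (version == "go1.26.2" and s.get("GOARCH") == "386" and s.get("CGO_ENABLED") == "0"
            and s.get("-trimpath") == "true" and looks_randomized(path))

# Constructed sample image; field values mirror the strings.txt citations on this page.
_MOD = (b"path\tPfeYrYvazVUGgZq\nmod\tPfeYrYvazVUGgZq\t(devel)\t\nbuild\t-trimpath=true\n"
        b"build\tCGO_ENABLED=0\nbuild\tGOARCH=386\nbuild\tGOOS=windows\n")
_MODINFO = SENTINEL + _MOD + SENTINEL
_MLEN = bytes([(len(_MODINFO) & 0x7F) | 0x80, len(_MODINFO) >> 7])  # 2-byte LEB128 (128..16383)
SAMPLE = (b"\x00" * 8 + MAGIC + bytes([4, 0x2]) + b"\x00" * 16  # ptrsize=4 (386), flags=inline
          + bytes([8]) + b"go1.26.2" + _MLEN + _MODINFO + b"\x00" * 8)
```

On a real PE, pass the whole file's bytes to parse_go_buildinfo; the same fields are what the YARA rule in the signatures section keys on.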

How To Mess With It (Homelab Replication)

To reproduce the build fingerprint:

```sh
# Go 1.26.2 on Windows, or cross-compile from Linux with the same target settings
go version  # must report go1.26.2

# Create a random module name (15–20 chars), as the family's build pipeline does
MOD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 18)
mkdir "/tmp/$MOD" && cd "/tmp/$MOD"
go mod init "$MOD"

# go build needs a main package; an empty stub is enough to reproduce the fingerprint
printf 'package main\n\nfunc main() {}\n' > main.go

# Build with the same flags observed in both siblings (GOOS=windows, GOARCH=386, CGO_ENABLED=0, -trimpath)
GOOS=windows GOARCH=386 CGO_ENABLED=0 \
go build -trimpath -ldflags "-s -w -buildid=Gm1k7JcoxVp1GDUmJ7C_/lto-fbFtS-Vw900YmGo1/HKIDHFFx-UVyn881Slys/igpyh1JmIsK36fGoNnu1" -o repro.exe .
```

Verification: Run rabin2 -I repro.exe and confirm lang: go, signed: false (unless you sign it), and go build ID matches the pattern. Strings output should show go1.26.2, CGO_ENABLED=0, -trimpath=true, and your randomized module path.

Deployable Signatures

YARA

```yara
import "pe"

rule ACRStealer_Go126_Sibling_c577c6c8
{
    meta:
        description = "ACR Stealer sibling — Go 1.26.2 signed PE32 with randomized module"
        author = "PacketPursuit"
        date = "2026-05-27"
        hash = "c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274"
    strings:
        $go_build = "go1.26.2" ascii wide
        $trimpath = "-trimpath=true" ascii
        $cgo_off  = "CGO_ENABLED=0" ascii
        // Go buildinfo "path\t<module>\n" line with a random alphanumeric module name
        $mod_path = /path\t[A-Za-z0-9]{12,20}\r?\n/ ascii
        $buildid1 = "Gm1k7JcoxVp1GDUmJ7C_" ascii
        $buildid2 = "lto-fbFtS-Vw900YmGo1" ascii
    condition:
        uint16(0) == 0x5A4D and
        $go_build and
        $trimpath and
        $cgo_off and
        (#mod_path >= 1 or $buildid1 or $buildid2) and
        pe.number_of_signatures > 0 and
        pe.number_of_resources >= 2
}
```

Behavioral Fingerprint

A 2.3–2.5 MB signed PE32 executable compiled with Go 1.26 (GOARCH=386, CGO_ENABLED=0, -trimpath=true) whose Go module path is a random 15–20 character alphanumeric string. On launch it seeds a math/rand PRNG with the current system time, allocates a rand.Source object, then dispatches into obfuscated main.* functions with randomized names. Network beacons (when observed dynamically) target 5.252.155.72 or laserlogdnsop.icu over TLS. No hardcoded C2 strings exist in the binary — they are runtime-decoded.

IOC List

| Type | Value | Source |
|---|---|---|
| SHA-256 | c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274 | triage.json |
| Filename | VKkQj.exe | triage.json |
| Build | go1.26.2, GOARCH=386, CGO_ENABLED=0 | strings.txt |
| Module | PfeYrYvazVUGgZq | strings.txt |
| IP | 5.252.155.72 | triage.json |
| Domain | laserlogdnsop.icu | triage.json |

Detection Signatures

Capa signature installation was missing during triage, so no automated capability mapping is available ^[capa.txt]. Based on standard-library linkage and family behaviour, the following MITRE ATT&CK techniques are inferred:

| Technique | ID | Evidence |
|---|---|---|
| Application Layer Protocol: Web | T1071.001 | crypto/tls + net/http in strings ^[strings.txt:1606] |
| Exfiltration Over C2 Channel | T1041 | family metadata + TLS client linkage (inferred) |
| File and Directory Discovery | T1083 | infostealer family behaviour (inferred) |
| Masquerading | T1036.005 | signed PE with rich .rsrc icons ^[pefile.txt] |

References

  • OpenCTI labels: acrstealer, flur-constzoo-surf, 5-252-155-72, signed, malware-bazaar ^[triage.json]
  • Cluster entity page: acrstealer
  • Build-pattern concept: golang-stealer-build-pattern
  • Prior sibling analysis: /intel/analyses/6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2.html

Provenance

Analysis based on strings.txt, pefile.txt, binwalk.txt, rabin2-info.txt, exiftool.json, triage.json, metadata.json, dynamic-analysis.md, and yara.txt produced by the triage pipeline. Radare2 decompilation (mcp_radare2) at main.main (0x0049a520). No dynamic execution data available.