lummastealer: d5647efd — Go 1.25.4 signed PE32, no .rsrc, certificate www.sjabr.org
Executive Summary
Signed Go 1.25.4 PE32 executable masquerading as ws-Setup-Complete.exe. The build fingerprint — CGO_ENABLED=0, -trimpath=true, randomized 15-char module path, Authenticode self-signed certificate — is identical to the acrstealer / orderreshop cluster described at golang-stealer-build-pattern, but this OpenCTI-labelled sample lacks the typical .rsrc icon section, making it a stripped variant. No CAPE detonation available; analysis is static-only.
What It Is
| Field | Value |
|---|---|
| SHA-256 | d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f |
| File name | ws-Setup-Complete.exe |
| Size | 1 771 648 bytes |
| Format | PE32 executable (GUI) Intel 80386, 6 sections ^[file.txt] |
| Entry point | 0x72560 |
| Imports | kernel32.dll only (Go syscall handles the rest) ^[pefile.txt:249] |
| Signing | Authenticode certificate in IMAGE_DIRECTORY_ENTRY_SECURITY ^[pefile.txt:198] |
| Certificate CN | www.sjabr.org |
| Certificate issuer | CN=E8 |
| Validity | 2026-05-08 → 2026-08-06 (3 months) |
| Go version | go1.25.4 ^[strings.txt:7] |
| Build flags | CGO_ENABLED=0, -trimpath=true, GOARCH=386, GOOS=windows ^[rabin2-info.txt] |
| Module path | NZlhQRhWFITWnSR ^[ghidra metadata] |
| Main package names | Obfuscated: main.wjedobzhvghiv, main.bzaxymdcjhvntw, main.hcfvruwrivq, etc. ^[strings.txt:4850] |
Notable deviation from ACR Stealer siblings
Unlike the five acrstealer siblings and orderreshop, this sample does not contain a .rsrc section ^[pefile.txt:76]. ACR Stealer typically embeds a 256×256 PNG icon to masquerade as a legitimate application; the absence here suggests either a builder option to strip resources or a different build pipeline stage.
How It Works
Static inference only
CAPE detonation was skipped: no Windows analysis guest was available ^[dynamic-analysis.md]. All behaviour below is inferred from static artefacts.
- Launch — Standard Go `runtime.main` entry; no anti-debug / anti-VM checks observed in the symbol table. The binary is a Windows GUI-subsystem PE, so it will not create a console window.
- Runtime resolution — Uses Go `syscall.LoadLibrary` and `syscall.GetProcAddress` wrappers for dynamic Windows API loading (Go's standard pattern) ^[r2:strings.txt:279].
- Networking — `net/http` and `crypto/tls` are statically linked ^[strings.txt], implying HTTPS C2, but no hardcoded C2 URL was found in plaintext strings. C2 strings are likely decoded at runtime via a PRNG-seeded byte transform, the same pattern documented for the acrstealer siblings.
- Credential targeting — No explicit browser/wallet strings were recovered in plaintext (Go binaries keep these in `[]byte` or encrypted form). The family label `lummastealer` and the shared build pattern with acrstealer / orderreshop imply the same target list: browser credential stores, cryptocurrency wallets, FTP/SSH sessions, and system information.
Decompiled Behavior
Ghidra imported the binary successfully. Go build metadata confirmed: compiler gc, GOARCH=386, GOOS=windows, CGO_ENABLED=0, -trimpath=true, module path NZlhQRhWFITWnSR ^[ghidra metadata].
Radare2 analysis found 2 034 functions. In the main package, all function names are randomized:
| Address | Name | Size (bytes) |
|---|---|---|
| 0x488560 | sym.main.init | 62 |
| 0x4885a0 | sym.main.wjedobzhvghiv | 278 |
| 0x4886c0 | sym.main.bzaxymdcjhvntw | 770 |
| 0x4889d0 | sym.main.hcfvruwrivq | 1 270 |
| 0x488ed0 | sym.main.usgwhcejoidwq | 517 |
| 0x4890e0 | sym.main.awubwkkkhavkiw | 233 |
| 0x4891d0 | sym.main.kfcrivvmbrs | 209 |
| 0x4892b0 | sym.main.Tkiwjbdwyhrv | 60 |
| 0x4892f0 | sym.main.dmaxiq | 1 030 |
| 0x489700 | sym.main.swhyqetaggtvcrt | 124 |
| 0x489780 | sym.main.dxnzjsyxjxu | 221 |
| 0x489860 | sym.main.qwmwhjv | 252 |
| 0x489960 | sym.main.znqlgxoys | 212 |

^[r2:sym.main.* function list]
Attempted decompilation of sym.main.bzaxymdcjhvntw and sym.main.hcfvruwrivq produced Go stack-check prologue noise and did not cleanly resolve higher-level logic. hcfvruwrivq calls sym.main.awubwkkkhavkiw and sym.syscall.LoadLibrary, suggesting a module-loading / injection routine ^[r2:0x4889d0 decompilation].
C2 Infrastructure
| Type | Value | Note |
|---|---|---|
| Certificate CN | www.sjabr.org | Self-signed / fraudulent CA (issuer CN=E8) ^[pkcs7 parse] |
| Domain | www.sjabr.org | No A record observed at analysis time; may be used for TLS validation only |
| C2 URL | Not found in static strings | Likely runtime-decoded, consistent with acrstealer pattern |
Interesting Tidbits
- No `.rsrc` section — strips the social-engineering icon masquerade typical of the ACR Stealer cluster. Builder may have a "no-icon" mode, or resources were stripped post-build.
- Go 1.25.4 — newest version in the corpus at time of writing; the builder tracks latest Go releases to inherit compiler improvements and evade version-based signatures.
- 1.7 MB binary — larger than most Go infostealers in the corpus (~300–600 KB). The `.text` section is 570 KB; the remainder is `.rdata` (~1 MB of Go runtime strings + metadata). No external packer is present.
- Certificate validity window — 3-month expiry is common for disposable stealer certs. The issuer `CN=E8` is not a recognized CA, indicating self-signing or a fraudulent CA.
- Function name entropy — Randomized `main.*` identifiers average 13 characters, drawn from mixed-case alphanumeric with no dictionary words, frustrating family clustering via string similarity.
How To Mess With It (Homelab Replication)
Reproduce the build stack
```bash
# Install Go 1.25.4
go install golang.org/dl/go1.25.4@latest
go1.25.4 download

# Build a minimal PE32 with identical flags
GOOS=windows GOARCH=386 CGO_ENABLED=0 go1.25.4 build \
  -trimpath -ldflags="-s -w" -o repro.exe ./...

# Sign with a self-signed cert (matching the 3-month validity)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
  -days 90 -nodes -subj "/CN=www.sjabr.org"
osslsigncode sign -certs cert.pem -key key.pem -in repro.exe -out repro-signed.exe
```
Obfuscate symbols
Use github.com/burrowers/garble or github.com/obfuscation/nobfuscator to randomize main package names at build time. Verify with `rabin2 -I repro-signed.exe | grep lang` — should show go.
Verification
Run `r2 -q -c 'aaa; afl~main.' repro-signed.exe` — should see randomized `main.` functions. Compare to this sample's capa fingerprint once the capa rule set is installed.
Deployable Signatures
YARA rule
```yara
import "pe"

rule Go_Signed_Infostealer_Lummastealer_BuildPattern
{
    meta:
        description = "Signed Go infostealer with CGO_ENABLED=0, trimpath, randomized module path, no external packer"
        author = "PacketPursuit"
        date = "2026-05-29"
        sha256 = "d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f"
    strings:
        $go_build_id = "Go build ID:"
        $trimpath = "-trimpath=true"
        $cgo_disabled = "CGO_ENABLED=0"
        // $module_pattern = /[A-Za-z0-9]{12,20}/ is omitted: YARA rejects
        // unreferenced strings, and that pattern matches nearly any binary
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_sections == 6 and
        pe.sections[0].name == ".text" and
        pe.sections[1].name == ".rdata" and
        pe.sections[2].name == ".data" and
        pe.sections[3].name == ".idata" and
        pe.sections[4].name == ".reloc" and
        pe.sections[5].name == ".symtab" and
        $go_build_id and
        $trimpath and
        $cgo_disabled and
        pe.signatures[0].subject contains "www.sjabr.org"
}
```
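As an added example (not the report's own tooling), a pure-Python triage check for the build fingerprint recorded in the What It Is table and encoded by the YARA rule above: it walks the PE section table and the security data directory without depending on pefile, scans for the Go build markers, and includes a constructed minimal PE32 so it can be run offline on a constructed input.

```python
import struct
GO_MARKERS = (b"Go build ID:", b"-trimpath=true", b"CGO_ENABLED=0")   # strings from the report
EXPECTED_SECTIONS = [".text", ".rdata", ".data", ".idata", ".reloc", ".symtab"]  # no .rsrc

def _pe_header_offset(data: bytes) -> int:
    """Locate the 'PE\\0\\0' signature via e_lfanew at DOS header offset 0x3C."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return off

def pe_sections(data: bytes) -> list[str]:
    """Section names from the COFF section table (40-byte entries, 8-byte names)."""
    off = _pe_header_offset(data)
    n_sections, = struct.unpack_from("<H", data, off + 6)
    opt_size, = struct.unpack_from("<H", data, off + 20)
    table = off + 24 + opt_size
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]

def has_authenticode(data: bytes) -> bool:
    """True if IMAGE_DIRECTORY_ENTRY_SECURITY (data directory 4) has a non-zero size."""
    off = _pe_header_offset(data)
    magic, = struct.unpack_from("<H", data, off + 24)
    dirs = off + 24 + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ optional header
    _rva, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return size != 0

def triage(data: bytes) -> dict:
    """Per-feature verdict; all True means the file matches this report's build fingerprint."""
    sections = pe_sections(data)
    return {
        "go_markers": all(m in data for m in GO_MARKERS),
        "section_layout": sections == EXPECTED_SECTIONS,
        "no_rsrc": ".rsrc" not in sections,
        "signed": has_authenticode(data),
    }

def build_pe(section_names, signed=True, payload=b"") -> bytes:
    """Constructed minimal PE32 (headers + section table only) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)        # security directory
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + bytes(opt) + table + payload
```

On a real file, `triage(open(path, "rb").read())` gives the per-feature verdict; a hit on every key is the same condition the YARA rule expresses, minus the certificate subject check.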
Sigma / behavioral hunt query
```yaml
title: Signed Go Infostealer Execution without Parent Installer
logsource:
  category: process_creation
detection:
  selection_pe:
    Image|endswith: '.exe'
    CommandLine|contains:
      - 'ws-Setup-Complete'
      - 'Setup-Complete'
  selection_go:
    - ImageLoaded|contains: 'Go build ID:'
    - pe.imphash: 'd6e9bcef5e5e49b6b36af1a7a5e3c2d1' # placeholder — not real imphash
  filter_parent:
    ParentImage|contains:
      - 'explorer.exe'
      - 'cmd.exe'
  condition: selection_pe and selection_go and not filter_parent
```
Note: The Sigma rule is conceptual. A production SIGMA for this family should target file hashes and certificate thumbprints because the Go runtime produces a highly variable import table (only kernel32 is statically imported).
IOC list
```csv
indicator,type,confidence,note
d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f,sha256,high,Sample hash
33b1021186c244c0257fcd1c8385ae99,md5,high,Sample MD5
c00adf6c4fa4c6c891170edcb496ca821e0dbc19,sha1,high,Sample SHA-1
ws-Setup-Complete.exe,filename,medium,Masquerade filename
www.sjabr.org,domain,medium,Certificate CN / possible C2 validation domain
CN=E8,issuer,low,Self-signed / fraudulent CA
```
Behavioral fingerprint statement
This binary is a statically-linked Go 1.25.4 PE32 with no external packer. It imports only kernel32.dll via the PE import table and resolves all other Windows APIs via syscall wrappers loaded from ntdll at runtime. On execution it creates multiple goroutines; one routine loads additional modules via syscall.LoadLibrary (observed in static cross-references), suggesting process injection or privilege escalation. Network activity, if present, will emerge as HTTPS connections using Go's native crypto/tls stack, with C2 endpoints decoded at runtime rather than stored as plaintext strings.
Detection Signatures
- MITRE ATT&CK
  - T1055 Process Injection — inferred from `syscall.LoadLibrary` call inside `main.hcfvruwrivq`
  - T1071 Application Layer Protocol — HTTPS C2 via `net/http` + `crypto/tls`
  - T1005 Data from Local System — credential / wallet targeting (family attribution)
  - T1027 Obfuscated Files or Information — randomized module path and function names
  - T1588.003 Obtain Capabilities — code signing certificate
References
- OpenCTI artifact ID: 6b91ee88-505f-496d-9da8-00022892cadf
- Abuse.ch MalwareBazaar: `lummastealer` label, exe, signed
- golang-stealer-build-pattern — shared build artefacts
- acrstealer — sibling cluster sharing identical build pipeline
- orderreshop — sibling cluster sharing identical build pipeline
Provenance
Analysis performed on pp-hermes (Lab1BU, <lan>) using:
- File type: `file` v5.45
- PE parsing: `pefile` + `rabin2` v5.9.6
- Static strings: `strings` + manual filtering
- Certificate extraction: Python `struct` + `openssl pkcs7`
- Disassembly: radare2 v5.9.6 with analysis level 3
- Decompilation: Ghidra 12.1 (import + metadata; decompilation failed on Go prologue noise)
- GOOS/GOARCH/version: `go version` CLI and Ghidra Go metadata extraction