type: analysis | family: acrstealer | confidence: high | created: 2026-05-29 | updated: 2026-05-29 | tags: infostealer, golang, signing, compiler, pe, mitre-attck
SHA-256: f93d8d79ae62c9864e53e5abf92f5c905c358b6ac397c69418765a303947c1d1

acrstealer: f93d8d79 — Signed Go 1.26.2 sibling with stripped .rsrc, module gesiimdPYMojqEh

Executive Summary

Sixth observed sibling in the ACR Stealer cluster. Signed Go 1.26.2 PE32 (GOARCH=386, CGO_ENABLED=0) with randomized module path gesiimdPYMojqEh and ~25 randomized main.* function names. Distinctive delta: no .rsrc section — unlike all five prior siblings which carried 256×256 PNG icon resources for social-engineering masquerade. Same me.muz.li / R13 certificate chain. C2 strings are runtime-decoded (static-only analysis; no CAPE detonation available).

What It Is

  • SHA-256: f93d8d79ae62c9864e53e5abf92f5c905c358b6ac397c69418765a303947c1d1
  • Filename: uRgOy.exe ^[triage.json]
  • Type: PE32 executable (GUI) Intel 80386, 6 sections ^[file.txt] ^[pefile.txt]
  • Size: 2,392,192 bytes (2.4 MB)
  • Entry Point: 0x7EFA0 ^[pefile.txt]
  • Compiler: Go 1.26.2 (go1.26.2 build string) ^[strings.txt:1672]
  • Build ID: k6J4cJja3cx9K_ZHNqr6/k13w__TYelUMWVjpZn_G/txioJ9KCWotbqkjpEpah/UHt_yAS-20VnqT5X55PW ^[strings.txt:7]
  • Module path: gesiimdPYMojqEh (15-character randomized alphanumeric) ^[strings.txt:1674]
  • Signed: Authenticode certificate embedded in IMAGE_DIRECTORY_ENTRY_SECURITY (offset 0x247800, size 2176 bytes) ^[binwalk.txt:2390173] ^[pefile.txt:213-215]
  • Certificate subject: CN=me.muz.li ^[strings.txt:9562]
  • No .rsrc section: prior siblings carried rich icon resources; this build strips them entirely ^[pefile.txt]

See golang-stealer-build-pattern for the shared toolchain fingerprint and acrstealer for the cluster overview.

How It Works

ACR Stealer is a Go-based infostealer family. The build pattern is consistent across all six siblings:

  1. Static Go binary with CGO_ENABLED=0 and -trimpath=true — no C dependencies, no absolute source paths in binary ^[strings.txt:1672] ^[strings.txt:1674]
  2. Randomized module path — each build gets a unique 12–20 character alphanumeric module name, poisoning dependency graphs and hindering clustering ^[strings.txt:1674]
  3. Randomized main function names — ~25 functions with names like main.Egezthrbwiru, main.Zwyrouamltknfpa, main.proqmiqdyz, main.jtvblc, main.hujhgmprh, main.hlrwlvxrwwetrw, main.bsxznpyodhxknii, main.darukuqqlanden, main.cvijmrupep, main.fmvbbftuamaggfw, main.nzpylwrhyngyhik, main.dwindrakzixhln ^[strings.txt:5760-8952]
  4. Runtime C2 decoding: math/rand and time.Now are linked into the binary ^[strings.txt:539] ^[strings.txt:5632]. The family pattern seeds a PRNG from the current time and decodes C2 URLs/IPs at launch (observed dynamically in prior siblings). Caveat: time.Now is referenced by every Go runtime and math/rand is a common transitive import of the standard library, so this linkage is consistent with the pattern but does not prove it for this sample on its own.
  5. TLS/HTTPS client: crypto/tls, net/http, crypto/x509, net/url are all statically linked ^[strings.txt:1602]
  6. Archive support: archive/zip and archive/tar linked, consistent with exfil packaging observed in prior siblings ^[strings.txt:1605]
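Most of the attribution above rests on what the Go linker writes into the build-info blob: the module path, -trimpath, CGO_ENABLED, GOOS and GOARCH. The following is an added example, not code from this report or from the ACR operators, that encodes and decodes that blob the way cmd/link and debug/buildinfo handle the Go 1.18+ inline layout (32-byte header starting with the "\xff Go buildinf:" magic, uvarint-prefixed version and modinfo strings, modinfo framed by the infoStart/infoEnd sentinels) and then applies the cluster's fingerprint criteria. The modinfo text is constructed from the values documented above, not dumped from uRgOy.exe; pass a real file path as the first argument to run the same parser over a binary.

```python
import re
from typing import Dict, List, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14 bytes at the start of the 32-byte header
HEADER_SIZE = 32
FLAG_INLINE_STRINGS = 0x02               # header byte 15; set by Go >= 1.18 linkers
# Sentinels cmd/go wraps around runtime.modinfo (cmd/go/internal/modload/build.go).
INFO_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
INFO_END = bytes.fromhex("f932433186182072008242104116d8f2")
# A bare 12-20 char alphanumeric module path: no host, slash or dot, like gesiimdPYMojqEh.
RANDOM_MODULE = re.compile(r"^[A-Za-z0-9]{12,20}$")


def put_uvarint(n: int) -> bytes:
    """encoding/binary.PutUvarint: 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def get_uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Inverse of put_uvarint; returns (value, position after the varint)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def build_blob(go_version: str, modinfo: str, ptr_size: int = 4) -> bytes:
    """Constructed blob in the inline layout (ptr_size 4 matches GOARCH=386)."""
    header = (BUILDINFO_MAGIC + bytes([ptr_size, FLAG_INLINE_STRINGS])).ljust(HEADER_SIZE, b"\x00")
    framed = INFO_START + modinfo.encode() + INFO_END
    return header + put_uvarint(len(go_version)) + go_version.encode() + put_uvarint(len(framed)) + framed


def read_buildinfo(data: bytes) -> Tuple[str, str]:
    """Find the header anywhere in data (a whole PE works) and return (version, modinfo)."""
    off = data.find(BUILDINFO_MAGIC)
    if off < 0:
        raise ValueError("no Go build-info header")
    if not data[off + 15] & FLAG_INLINE_STRINGS:
        raise ValueError("pre-1.18 pointer-based layout not handled here")
    pos = off + HEADER_SIZE
    n, pos = get_uvarint(data, pos)
    version = data[pos:pos + n].decode()
    pos += n
    n, pos = get_uvarint(data, pos)
    mod = data[pos:pos + n]
    # debug/buildinfo strips the sentinels only when byte -17 is the final newline.
    mod = mod[16:-16] if len(mod) >= 33 and mod[-17] == 0x0A else b""
    return version, mod.decode()


def parse_modinfo(modinfo: str) -> Dict[str, object]:
    """Split 'key\\tvalue' lines into the main module path, module line and build settings."""
    info = {"path": "", "mod": "", "build": {}}
    for line in modinfo.splitlines():
        key, _, rest = line.partition("\t")
        if key == "path":
            info["path"] = rest
        elif key == "mod":
            info["mod"] = rest.split("\t")[0]
        elif key == "build":
            k, _, v = rest.partition("=")
            info["build"][k] = v
    return info


def acr_fingerprint_hits(version: str, info: Dict[str, object]) -> List[str]:
    """Names of the cluster criteria that hold; all five hold for the six siblings."""
    b = info["build"]
    checks = {
        "go1.26": version.startswith("go1.26"),
        "random_module_path": bool(RANDOM_MODULE.match(info["path"])),
        "trimpath": b.get("-trimpath") == "true",
        "cgo_disabled": b.get("CGO_ENABLED") == "0",
        "windows_386": b.get("GOOS") == "windows" and b.get("GOARCH") == "386",
    }
    return [name for name, ok in checks.items() if ok]


# Constructed modinfo using the values reported above; it is not a dump of uRgOy.exe.
SAMPLE_MODINFO = (
    "path\tgesiimdPYMojqEh\n"
    "mod\tgesiimdPYMojqEh\t(devel)\t\n"
    "build\t-buildmode=exe\n"
    "build\t-compiler=gc\n"
    "build\t-trimpath=true\n"
    "build\tCGO_ENABLED=0\n"
    "build\tGOARCH=386\n"
    "build\tGOOS=windows\n"
)
SAMPLE_BLOB = b"MZ" + b"\x00" * 62 + build_blob("go1.26.2", SAMPLE_MODINFO) + b"\x00" * 16

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    ver, mod = read_buildinfo(data)
    print(ver, acr_fingerprint_hits(ver, parse_modinfo(mod)))
```

The same five fields are what `go version -m <file>` prints, so the Go toolchain is the quickest cross-check; the hand-rolled parser is worth having when the toolchain is not on the analysis box or when you want to run the criteria across a directory of samples.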

Decompiled Behavior

Ghidra analysis completed but code indexing was not available at report time; decompiled function-level detail could not be extracted. The entry point at 0x7EFA0 is the Go runtime _rt0_386_windows bootstrap (standard for GOARCH=386 static binaries). The actual stealer logic lives in randomized main.* functions invoked after runtime initialization.

Notable observations from strings alone. Caveat: most of these names are declared unconditionally by the Go syscall package (its zsyscall_windows.go registers every procedure as a package-level LazyProc in package init) and by the runtime, which uses SetThreadContext/GetThreadContext/SuspendThread/ResumeThread for preemption and the Nt*WaitCompletionPacket routines for netpoll. They are a Go-for-Windows toolchain baseline, not evidence that this build injects into processes or edits the registry.

  • Syscall package wrappers for Windows APIs (CreateFileW, ReadFile, WriteFile, VirtualAlloc, VirtualQuery, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyExW, RegDeleteKeyW, RegEnumValueW, GetProcAddress, LoadLibraryExW, GetSystemDirectoryA, GetTempPathW, GetTempPath2W, Process32FirstW, Process32NextW, Module32FirstW, Module32NextW, CreateToolhelp32Snapshot, OpenProcess, OpenProcessToken, DuplicateTokenEx, SetThreadContext, GetThreadContext, SuspendThread, ResumeThread, CreateThread, NtQueryInformationFile, NtSetInformationFile, NtCreateFile, NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket) ^[strings.txt:1600-1649]
  • Network stack: WSAStartup, WSACleanup, WSASocketW, WSARecv, WSASend, WSARecvFrom, WSAIoctl, WSASendTo, WSAGetOverlappedResult, WSADuplicateSocketW, WSAEnumProtocolsW, getsockopt, setsockopt, getpeername, getsockname, gethostbyname, getservbyname, getprotobyname, DnsQuery_W, DnsNameCompare_W, DnsRecordListFree, GetAddrInfoW, FreeAddrInfoW, GetAdaptersInfo, GetAdaptersAddresses, GetIfEntry ^[strings.txt:1603-1637]

C2 Infrastructure

No hardcoded C2 strings are visible in static analysis. The family pattern (confirmed in prior siblings) uses PRNG-seeded runtime decoding. OpenCTI labels for this sample include 5-252-155-72, ht-overpassheader-surf, ultahost-gl ^[triage.json]; these correspond to the ACR Stealer C2 infrastructure documented for the prior siblings (5.252.155.72 and the laserlogdnsop.icu / hertzfigblob.icu domains, see the IOC list). The labels are inherited cluster context, not strings recovered from this binary.

No mutex names, named pipes, or registry keys observed statically.

Interesting Tidbits

  • Stripped masquerade: All five prior siblings had .rsrc sections with 256×256 PNG icons (fake Adobe, Chrome, Discord, etc.). This build has no resource section at all — the social-engineering layer was removed or the build pipeline failed to embed it. This is the first stripped sibling in the cluster.
  • Same certificate chain: CN=me.muz.li / issuer R13, matching siblings 16a4344d, d5655568, 1bfebf79 ^[strings.txt:9562]. Whether the signature actually validates (codeSigning EKU, chain to a trusted root, timestamp) was not checked in this static pass; a signature that is present but does not validate is itself a useful triage signal.
  • Minimal IAT: Only kernel32.dll imports are present in the PE IAT; everything else is resolved via the syscall package (LoadLibraryExW/GetProcAddress) at runtime ^[pefile.txt:249-304]. This is standard for Go PE binaries rather than a packer trait.
  • .symtab section present: 0x1B000 bytes of symbol table data left in the binary, unusual for a "production" stealer build and suggesting the builder did not strip with go build -ldflags="-s -w" ^[pefile.txt:178-196]. Note that -s -w would remove .symtab and DWARF but not runtime.pclntab, which is where the main.* function names live; the randomized names are therefore visible even in stripped siblings.
  • No anti-debug / anti-VM strings: No IsDebuggerPresent, CheckRemoteDebuggerPresent, VBox, VMware, qemu, Sandboxie, CWSandbox, JoeBox references in static strings ^[strings.txt] (absence of evidence, not evidence of absence)
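The certificate for this sample was pulled from the security directory by hand; the following is an added example, not code from this report, that does that carving reproducibly. It walks the WIN_CERTIFICATE entries in IMAGE_DIRECTORY_ENTRY_SECURITY (8-byte header of dwLength, wRevision, wCertificateType, entries padded to 8 bytes) and returns the PKCS#7 SignedData blob after checking its DER framing. The directory bytes used below are constructed (a header around a minimal SignedData skeleton with no real signature); on a real file, pass the offset and size from pefile's data directory, remembering that the offset field is a raw file offset, not an RVA.

```python
import struct
from typing import Iterator, Tuple

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
# DER encoding of OID 1.2.840.113549.1.7.2 (pkcs7-signedData), expected near the start.
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")


def iter_win_certificates(directory: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk WIN_CERTIFICATE entries: dwLength, wRevision, wCertificateType, bCertificate.
    dwLength covers the 8-byte header; successive entries start on 8-byte boundaries."""
    pos = 0
    while pos + 8 <= len(directory):
        length, revision, cert_type = struct.unpack_from("<IHH", directory, pos)
        if length < 8 or pos + length > len(directory):
            raise ValueError(f"bad WIN_CERTIFICATE dwLength {length} at offset {pos}")
        yield revision, cert_type, directory[pos + 8:pos + length]
        pos += (length + 7) & ~7


def carve_pkcs7(directory: bytes) -> bytes:
    """Return the first PKCS#7 SignedData blob after checking its outer SEQUENCE tag and OID."""
    for _, cert_type, blob in iter_win_certificates(directory):
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            continue
        if blob[:1] != b"\x30" or OID_SIGNED_DATA not in blob[:32]:
            raise ValueError("entry is not DER-encoded PKCS#7 SignedData")
        return blob
    raise ValueError("no PKCS_SIGNED_DATA entry in security directory")


def build_entry(blob: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE entry for testing: header, blob, padding to 8 bytes."""
    length = 8 + len(blob)
    header = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + blob + b"\x00" * ((-length) % 8)


# Constructed stand-in for the real 2,168-byte blob:
# SEQUENCE { OID signedData, [0] { SEQUENCE { INTEGER 1 } } }. It carries no signature;
# it only exercises the framing checks above.
FAKE_PKCS7 = b"\x30\x12" + OID_SIGNED_DATA + b"\xa0\x05\x30\x03\x02\x01\x01"
FAKE_DIRECTORY = build_entry(FAKE_PKCS7)

if __name__ == "__main__":
    # Usage: python3 carve_sig.py uRgOy.exe 0x247800 2176 > sig.der
    # (offset/size are the IMAGE_DIRECTORY_ENTRY_SECURITY values reported above).
    # Then: openssl pkcs7 -inform DER -in sig.der -print_certs -noout -text
    import sys
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as f:
            f.seek(int(sys.argv[2], 0))
            sys.stdout.buffer.write(carve_pkcs7(f.read(int(sys.argv[3]))))
    else:
        print(len(carve_pkcs7(FAKE_DIRECTORY)), "byte PKCS#7 blob carved from constructed directory")
```

With pefile the offset and size come from `pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress` and `.Size`; feeding the carved DER to openssl prints the leaf subject (CN=me.muz.li), the issuer and the EKUs, which is what settles whether the signature could ever validate.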

How To Mess With It (Homelab Replication)

Goal: Reproduce the static fingerprint of a signed Go infostealer with randomized identifiers.

# 1. Install Go 1.26.2 (or latest stable)
# 2. Create a module with a randomized name
mkdir /tmp/gesiimdPYMojqEh && cd /tmp/gesiimdPYMojqEh
go mod init gesiimdPYMojqEh

# 3. Write a minimal main.go that imports the same library surface:
#    crypto/tls, net/http, crypto/x509, net/url, archive/zip, archive/tar, math/rand, time
# 4. Cross-compile for the sample's target. GOOS/GOARCH/CGO_ENABLED and -trimpath are
#    recorded in the build-info blob, so they must match for the fingerprint to match.
#    Build the package (".") rather than main.go: a file argument records the module path
#    as "command-line-arguments" instead of gesiimdPYMojqEh.
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -o stealer.exe .
# NOTE: the sample was NOT built with -ldflags="-s -w" (the .symtab section is still
#       present), so those flags are omitted here. Add them to see what stripping changes;
#       the main.* names survive either way because they live in runtime.pclntab.

# 5. Sign with a self-signed or low-reputation cert (signtool on Windows, osslsigncode on Linux):
signtool sign /f mycert.pfx /p password /fd sha256 stealer.exe
osslsigncode sign -pkcs12 mycert.pfx -pass password -h sha256 -in stealer.exe -out stealer-signed.exe

# 6. Verify fingerprint:
go version -m stealer.exe   # prints path, mod, build -trimpath=true, CGO_ENABLED=0, GOARCH=386
strings -n 6 stealer.exe | grep -aP 'go1\.26|path\t[A-Za-z0-9]{12,20}|main\.[A-Za-z]{10,20}'
capa stealer.exe   # should hit crypto, networking, data-manipulation capabilities

What you'll learn: How Go -trimpath + randomized module paths + static linking produces a binary that clusters poorly in VT and resists simple string-based family attribution.

Deployable Signatures

YARA Rule

rule ACRStealer_Go1262_Signed_Sibling {
    meta:
        description = "ACR Stealer Go 1.26.2 signed PE32 with randomized module path and main function names"
        author = "PacketPursuit"
        date = "2026-05-29"
        sha256 = "f93d8d79ae62c9864e53e5abf92f5c905c358b6ac397c69418765a303947c1d1"
        family = "acrstealer"
    strings:
        $go_build = "go1.26.2" ascii wide
        $build_id = "Go build ID:" ascii wide
        // build-info lines are "path\t<mod>\n" and "mod\t<mod>\t(devel)\t"; a bare
        // 12-20 char alphanumeric module path has no host or dot, unlike real projects
        $mod_path = /(path|mod)\t[a-zA-Z0-9]{12,20}[\n\t]/ ascii
        // function names live in runtime.pclntab, so this also hits -s -w builds
        $main_rand = /main\.[A-Za-z]{10,20}/ ascii
        $me_muz_li = "me.muz.li" ascii wide
        $tls = "crypto/tls" ascii
        $net_http = "net/http" ascii
        $math_rand = "math/rand" ascii
    condition:
        uint16(0) == 0x5A4D and
        $go_build and
        $build_id and
        $mod_path and
        (#main_rand >= 10 or $me_muz_li) and
        ($tls or $net_http) and
        $math_rand and
        filesize > 2MB and filesize < 3MB
}

Sigma Rule

Strings such as 'crypto/tls', 'math/rand' or 'runtime: ' are in the binary image, not on the command line, so they cannot be matched in process_creation telemetry (the YARA rule above covers the file). Network and DNS fields belong to their own log sources, so the Sigma coverage is split into one rule per category.

title: ACR Stealer Sibling uRgOy.exe Execution
description: Process creation of the f93d8d79 sample by on-disk name or Sysmon hash
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\uRgOy.exe'
    selection_hash:
        Hashes|contains: 'SHA256=F93D8D79AE62C9864E53E5ABF92F5C905C358B6AC397C69418765A303947C1D1'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; hash and on-disk name are sample-specific
level: high
---
title: ACR Stealer C2 Network Connection
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationIp: '5.252.155.72'
    condition: selection
falsepositives:
    - Reuse of the IP by unrelated tenants after the infrastructure is retired
level: high
---
title: ACR Stealer C2 Domain Resolution
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - 'laserlogdnsop.icu'
            - 'hertzfigblob.icu'
    condition: selection
falsepositives:
    - None expected
level: high

IOC List

Type            | Value                                                                              | Note
SHA-256         | f93d8d79ae62c9864e53e5abf92f5c905c358b6ac397c69418765a303947c1d1                   | This sample
Filename        | uRgOy.exe                                                                          | On-disk name
Build ID        | k6J4cJja3cx9K_ZHNqr6/k13w__TYelUMWVjpZn_G/txioJ9KCWotbqkjpEpah/UHt_yAS-20VnqT5X55PW | Go build fingerprint
Module path     | gesiimdPYMojqEh                                                                    | Randomized Go module
Certificate CN  | me.muz.li                                                                          | Authenticode subject
Known C2 IP     | 5.252.155.72                                                                       | From OpenCTI labels / prior siblings
Known C2 domain | laserlogdnsop.icu                                                                  | Prior sibling C2
Known C2 domain | hertzfigblob.icu                                                                   | Sibling 1bfebf79 C2 rotation

Behavioral Fingerprint Statement

This binary is a statically linked Go 1.26.2 PE32 built with CGO_ENABLED=0 and -trimpath=true. Its PE IAT imports kernel32.dll only; every other API is resolved at runtime through the Go syscall package (LoadLibraryExW/GetProcAddress). It links crypto/tls, net/http, math/rand, time, archive/zip, and archive/tar. Based on the family pattern observed dynamically in prior siblings (this sample was not detonated), execution initializes the Go runtime, seeds a PRNG from the current time, decodes C2 strings in memory, and exfiltrates over HTTPS POST. The binary carries ~25 randomized main.* function names and a randomized module path. The .rsrc icon section is variant-dependent (present in the five prior siblings, absent here). It is Authenticode-signed with a certificate for CN=me.muz.li issued by R13.

Detection Signatures (ATT&CK Mapping)

Static-only; no dynamic execution available.

Technique ID | Technique Name                            | Evidence
T1071.001    | Application Layer Protocol: Web Protocols | net/http, crypto/tls, crypto/x509 linked ^[strings.txt:1602]; HTTPS client capability inferred from TLS + HTTP linkage
T1083        | File and Directory Discovery              | os.File, Readdir, ReadDir, file path operations in Go runtime ^[strings.txt:284-288]; present in most Go binaries, weak on its own
T1005        | Data from Local System                    | Infostealer family pattern; archive/zip + archive/tar linked for packaging ^[strings.txt:1605]
T1041        | Exfiltration Over C2 Channel              | Inferred from net/http + crypto/tls + family behavior
T1553.002    | Subvert Trust Controls: Code Signing      | Authenticode certificate embedded, CN=me.muz.li ^[strings.txt:9562] ^[binwalk.txt:2390173]

References

  • acrstealer — Cluster entity page
  • golang-stealer-build-pattern — Shared build pattern
  • /intel/analyses/6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2.html — First sibling (module vcCgXjVCTGAvGkl)
  • /intel/analyses/c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274.html — Second sibling (module PfeYrYvazVUGgZq)
  • /intel/analyses/16a4344dcdb51bd043a360dd954bbee9ed5d497dce177e3114740598cc90d78b.html — Third sibling (module hlHtIOAoWQhvCrI)
  • /intel/analyses/d5655568fee9c610139d41d367afc74e768e1c8baf70e37912e9ebeb27b5d411.html — Fourth sibling (module JPYhJIzovpOdAaG)
  • /intel/analyses/1bfebf79c24d0813eb39fec74637d52b008188812631a4f666a59fae7c0cef2c.html — Fifth sibling (module rDRsLkGEEednpRk)
  • OpenCTI artifact: e96bcbe1-bc1a-4174-a716-8ff06b1c067a

Provenance

  • file.txt: file command output (PE32)
  • pefile.txt: pefile DOS/NT headers, sections, imports, relocations (Python pefile 2024.8.26)
  • strings.txt: strings -n 6 raw ASCII/Unicode strings
  • rabin2-info.txt: rabin2 -I header summary (radare2 5.9.4)
  • binwalk.txt: binwalk -E embedded artifact scan (binwalk 2.3.4)
  • exiftool.json: ExifTool 12.76 PE metadata
  • triage.json: triage-fast schema v1 output
  • dynamic-analysis.md: CAPE skipped (no Windows guest)
  • floss.txt: floss failed (argument error)
  • capa.txt: capa failed (missing signatures)
  • metadata.json: OpenCTI source metadata
  • Certificate extracted manually from IMAGE_DIRECTORY_ENTRY_SECURITY via pefile + openssl inspection