type: entity | confidence: medium | updated: 2026-05-30 | tags: malware-family, infostealer, pe, compiler, signing, c2, golang-stealer-build-pattern

menomoushop

Overview

Windows infostealer family delivered as a Go-compiled PE64 binary. First observed in the local corpus via MalwareBazaar with OpenCTI tags menomou-shop, remusstealer, and sunwukong. Signed with Authenticode DV certificates (observed: Go Daddy CA G2, leaf CN maybe.us). No CAPE detonation results yet; all characterization is static.

Build Stack

  • Language: Go 1.25.4^[/intel/analyses/3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f.html]
  • Arch: PE32+ x86-64, Windows GUI subsystem
  • Linker flags: -H=windowsgui (no console window)
  • Stripping: .symtab retained (unstripped) — rare for production malware; gives full function and type recovery
  • Signing: Authenticode PKCS#7 embedded in IMAGE_DIRECTORY_ENTRY_SECURITY
  • Obfuscation: main package function names randomized (8–16 character alphanumeric). No control-flow flattening or string encryption observed statically.
  • Crypto primitives: AES (S-Box in .rdata), SHA256, HMAC-SHA2-256, ChaCha20 random (Go FIPS 140-3 module) — all standard library.
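An added triage helper (not code from the page, the corpus tooling, or the sample's authors) that turns the build-stack observations above into a check against an unstripped Go PE32+, using only Go's standard debug/pe: it reads the retained COFF symbol table, keeps the user-written main.* names, scores how many fit the randomized 8 to 16 character alphanumeric shape, and reports whether the Authenticode security directory is populated. The digit/case-flip scoring rule and the function names are assumptions of this example, not something the page states.

```go
package main

import (
	"debug/pe"
	"fmt"
	"os"
	"regexp"
	"strings"
)
var alnum8to16 = regexp.MustCompile(`^[A-Za-z0-9]{8,16}$`) // name shape the page reports
func isUpper(c byte) bool                                   { return c >= 'A' && c <= 'Z' }
// LooksRandomized is a triage heuristic (assumed here, not from the page): a name of that shape holding a digit or flipping case 3+ times.
func LooksRandomized(id string) bool {
	flips := 0
	for i := 1; i < len(id); i++ {
		if isUpper(id[i]) != isUpper(id[i-1]) {
			flips++
		}
	}
	return alnum8to16.MatchString(id) && (strings.ContainsAny(id, "0123456789") || flips >= 3)
}
// MainFuncIdents keeps user-written main.* names, dropping main, init and compiler-generated names (holding '.' or '(').
func MainFuncIdents(symNames []string) (all, randomized []string) {
	for _, s := range symNames {
		id := strings.TrimPrefix(s, "main.")
		if id == s || id == "main" || id == "init" || strings.ContainsAny(id, ".(") {
			continue
		}
		all = append(all, id)
		if LooksRandomized(id) {
			randomized = append(randomized, id)
		}
	}
	return all, randomized
}

func main() {
	f, err := pe.Open(os.Args[1]) // unstripped Go PE32+; debug/pe resolves long COFF names via the string table
	if err != nil {
		panic(err)
	}
	names := make([]string, len(f.Symbols))
	for i, s := range f.Symbols {
		names[i] = s.Name
	}
	all, rnd := MainFuncIdents(names)
	oh, _ := f.OptionalHeader.(*pe.OptionalHeader64) // nil unless PE32+
	signed := oh != nil && oh.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].Size > 0
	fmt.Printf("main.* funcs %d, randomized-looking %d, Authenticode dir present %v\n", len(all), len(rnd), signed)
}
```

A high randomized share with a populated security directory matches the pattern on this page; ordinary camelCase names with digits (readFileUTF8) will also score, so treat the count as a triage signal to pair with the r2 symbol listing, not a verdict.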

Capabilities

  • go-pe64-authenticode-signed
  • tls-encrypted-c2-inferred
  • aes-runtime-crypto
  • function-name-randomization
  • runtime-jitter-delay (math/rand.Intn loops observed)
  • credential-exfiltration-inferred
  • unstripped-symbol-table

Deploy / TTPs

Technique                        ID         Evidence
Encrypted Channel                T1573.001  AES S-Box / crypto/tls in .rdata^[sample 3aca18df/binwalk.txt]
Application Layer Protocol       T1071.001  net/http, crypto/tls package strings^[sample 3aca18df/strings.txt]
Obfuscated Files or Information  T1027      Function-name randomization (not string encryption)^[raw/analyses/3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f/r2:sym.main.main]

Variants / Aliases

  • menomou-shop — MalwareBazaar / OpenCTI label
  • remusstealer — co-labeled on multiple siblings in corpus
  • sunwukong — filename-themed label (sunwukongs.exe observed)

Notable Analyses

  • /intel/analyses/3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f.html — 3aca18df, Go 1.25.4, signed CN maybe.us, static-only

Related

  • golang-stealer-build-pattern — shared Go infostealer build artefacts
  • remusstealer — sibling label cluster (no dedicated entity page yet)