> Family · OrderReshop Stealer_

~/packetpursuit $ cat /intel/families/orderreshop.md

typeentityconfidencemediumcreated2026-05-28updated2026-05-28infostealermalware-familygolangpe-overlay-parserprng-seeded-string-decode

OrderReshop Stealer

Go-based PE64 info-stealer family sharing the golang-stealer-build-pattern with sibling acrstealer but distinguished by a custom in-memory PE parser and multi-pass byte-transformation string decoder. First encountered in the PacketPursuit corpus on 2026-05-28.

Build Stack

  • Compiler: Go >= 1.23 (inferred from iter/iter.go package, which debuted in Go 1.23; runtime strings consistent with 1.26.2 godebug.setting and runtime.coro) ^[/intel/analyses/6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e.html]
  • Linker flags: CGO_ENABLED=0, -trimpath=true implied by stripped paths and static linking
  • Obfuscation: Randomized 15-character alpha module path (e.g., pOWbqmsqqaxxzqH); randomized main function names
  • Packing: None external (.text entropy ~6.27, .rdata ~6.22)
  • Signing: Security directory present but certificate could not be parsed from static inspection alone; treat as unsigned/unverified
  • Resources: .rsrc section contains a standard icon group for social-engineering masquerade

Deploy / TTPs

  • Execution: At start-up, decodes runtime strings (likely including C2 URL) via a multi-pass byte-transformation routine seeded with a runtime key
  • Discovery: Custom PE parser (main.tnlzbjjyqfzrdbk) maps its own IMAGE_SECTION_HEADER array in memory—possibly used to locate embedded payload sections or to find offsets for in-memory patching
  • Collection: Targets local data; specifics inferred from family classification and stdlib linkage (net/http, crypto/tls, crypto/x509)
  • Exfiltration: POSTs collected data to an HTTPS C2 endpoint decoded at runtime
  • Defense Evasion: Zero hardcoded C2 strings in static image; all network indicators decoded on the fly

Capabilities

  • runtime-decoded-https-c2
  • custom-pe-section-parser
  • prng-seeded-string-decode
  • go-static-binary-no-cgo
  • resource-icon-social-engineering
  • in-memory-section-mapping

Variants / Aliases

  • Preliminary triage label: orderreshop
  • Sibling family: acrstealer

Notable Analyses

  • /intel/analyses/6f6f052595b109f4e8fdf42644b98f6380635f3f45f280cf85aacf6e30e30d2e.html — PE64 GUI, module pOWbqmsqqaxxzqH, custom PE parser + multi-pass decoder

Related