Unclassified Go PE64
Placeholder entity for Go-compiled PE64 binaries that match the golang-stealer-build-pattern (trimpath build, randomized main-package function names, CGO_ENABLED=0, GUI subsystem, Authenticode signing) but lack the distinctive browser-credential or C2 strings observed in the ACR/Lumma/OrderRe cluster.
First observed: 2026-05-26 (MalwareBazaar, filename update.exe).
Build Stack
- Go (exact version undetermined; linker v3.0) ^[rabin2-info.txt]
- CGO_ENABLED=0 (pure Go, no C runtime dependency)
- -trimpath inferred (no absolute module path in strings; only standard library and runtime type strings recovered)
- GUI subsystem (-ldflags="-H windowsgui") ^[pefile.txt]
- Authenticode signed with GoDaddy G2 DV certificate (CN=maybe.us, serial 86:ee:39:e0:b3:fd:88:5f, 4096-bit RSA, SHA-256) ^[binwalk.txt]
- Binary includes AES S-Box, AES Inverse S-Box, and SHA-256 constants in .rdata ^[binwalk.txt]
Capabilities
- md5-hash-computation ^[r2:sym.main.jrcmvk]
- sha256-hash-computation ^[binwalk.txt]
- aes-constants-present ^[binwalk.txt]
- signed-pe-godaddy-dv
- randomized-go-function-names
- gui-subsystem-go-binary
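As an added triage example (not part of this entity's raw analyses or tooling), the stand-alone Python below checks a PE32+ file for the build-pattern indicators listed above: GUI subsystem read from the optional header, Go build markers, -trimpath inferred from the absence of absolute .go source paths, and a count of randomized main.* function names. The vowel-ratio heuristic for "randomized" names and the two in-memory sample blobs are constructed assumptions, not derived from the samples recorded here.

```python
import re
import struct

# PE/COFF constants from the PE format spec; header offsets below are for PE32+.
IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, SUBSYSTEM_WINDOWS_GUI = 0x8664, 0x20B, 2

def pe_machine_subsystem(data: bytes):
    """Return (Machine, Subsystem) from the COFF/optional headers, or None if not PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    opt = pe + 24                                          # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        return None
    return machine, struct.unpack_from("<H", data, opt + 68)[0]   # Subsystem field

def triage(data: bytes) -> dict:
    """Score the build-pattern indicators listed above against one binary's bytes."""
    strs = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{5,}", data)]
    # Go keeps symbol names as "pkg.func" in the pclntab; collect the main-package ones.
    names = [n for s in strs for n in re.findall(r"\bmain\.([A-Za-z_]\w*)", s)]
    # Heuristic (assumption): generated names are lowercase runs with almost no vowels.
    randomized = [n for n in names if re.fullmatch(r"[a-z]{5,}", n)
                  and sum(c in "aeiou" for c in n) / len(n) <= 0.25]
    # Without -trimpath, Go records absolute GOROOT/module source paths ending in .go.
    abs_go_paths = [s for s in strs if re.match(r"(?:[A-Za-z]:[\\/]|/).*\.go$", s)]
    return {
        "pe64_gui": pe_machine_subsystem(data) == (IMAGE_FILE_MACHINE_AMD64, SUBSYSTEM_WINDOWS_GUI),
        "go_markers": any(s.startswith(("Go build ID:", "Go buildinf:")) for s in strs),
        "trimpath_inferred": not abs_go_paths,
        "randomized_main_funcs": len(randomized),
    }

def build_sample(subsystem: int, strings: list) -> bytes:
    # Constructed stand-in for a PE32+ file: minimal headers followed by a string table.
    blob = bytearray(0x100)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    blob[0x40:0x46] = b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64)
    struct.pack_into("<H66xH", blob, 0x58, PE32PLUS_MAGIC, subsystem)  # opt hdr at 0x40 + 24
    return bytes(blob) + b"\0".join(strings) + b"\0"

# Constructed samples: one matching the pattern, one a console build made without -trimpath.
PATTERN_SAMPLE = build_sample(SUBSYSTEM_WINDOWS_GUI, [b'Go build ID: "constructed"', b"runtime.main",
    b"main.main", b"main.jrcmvk", b"main.xqplzt", b"main.wvnbtr", b"runtime/proc.go"])
CONSOLE_SAMPLE = build_sample(3, [b"Go buildinf:", b"main.main", b"main.handler",
    b"C:/Users/dev/go/src/app/main.go"])
```

Run `triage()` on real file bytes to get the same indicator dictionary; the Authenticode and AES/SHA-256 constant checks from the build stack are out of scope for this snippet.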
Notable Analyses
- raw/analyses/589af0f87f4087f34750995ce679024df4e04acd0d096fe49e7f1223cb5905ae — First observed sample. Static-only; no C2 strings recovered. DV cert on throwaway domain maybe.us.
- raw/analyses/cc4aa789cf0c80b32004b90be6be0ad80944ad85730c6095cc3ca29469059503 — Second observed sample. Go 1.25.4, CN=askart.com, 24 randomized main.* functions, no .rsrc, no hardcoded C2. Static-only (CAPE skipped).
Related
- golang-stealer-build-pattern — Shared build artefacts with ACR/Lumma/OrderRe cluster.