Statically linked in Linux, in Windows the Go runtime and packages are statically linked into the binary, but the binary itself is dynamically linked to kernel32.dll because issuing syscalls directly is not supported.

Why was kernel32.dll rebased when Go doesn't force the rebase is a very good question indeed. I suspect a 3rd party user mode hook, it doesn't even have to be malware, there are legit "security" and monitoring applications that use this technique.

ASLR I would guess.

ASLR support needs to be stamped in the PE header. You can enable it globally, but the randomization space is smaller than it should matter for this.

It's definitely something to investigate though.