type: analysis | family: remotepe | confidence: medium | tags: pe, malware-family, rat, c2-protocol, persistence, defense-evasion, c2, exfiltration
SHA-256: 62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119

remotepe: 62e040a3 — MSVC 2022 x64 backdoor DLL, Apr 2024 sibling

Executive Summary

A 531 KB PE32+ DLL compiled Apr 2024 with MSVC 14.38, attributed (medium confidence) to Lazarus Group via the remotepe label. It is a near-identical sibling of the May 2024 710f1530 build documented at remotepe — same plugin architecture, same Azure-telemetry cookie masquerade, same import profile, same POGO+CFG build fingerprint. The only meaningful delta is a six-week shift in compilation timestamp and a ~2.5 KB file-size increase. No CAPE detonation available; static-only inference reinforced by sibling analysis.

What It Is

  • File: remotepe_2024-04-18_62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119.bin ^[triage.json]
  • Type: PE32+ executable (DLL) (GUI) x86-64, 6 sections ^[file.txt]
  • Size: 531 456 bytes ^[triage.json]
  • Compiler: MSVC 14.38 (LinkerVersion 14.38), compiled Thu Apr 18 06:32:59 2024 UTC ^[pefile.txt:34] ^[exiftool.json:15]
  • Base: 0x180000000 ^[rabin2-info.txt:2]
  • CFG/XFG: Full Control-Flow Guard enabled; GuardXFG present ^[pefile.txt:534-565]
  • Signing: Unsigned ^[rabin2-info.txt:27]
  • PDB: None embedded. POGO (IMAGE_DEBUG_TYPE_POGO) and ILTCG (IMAGE_DEBUG_TYPE_ILTCG) debug directories present ^[pefile.txt:574-589]
  • TLS: Single raw-data TLS entry with callback array at 0x180061658 ^[pefile.txt:503-509]
  • Attribution: OpenCTI labels ["lazarus", "remotepe", "malware-bazaar"] ^[metadata.json]

How It Works

This sample is a cluster sibling of 710f1530. For the full behavioral narrative — plugin architecture, C2 masquerade, token theft, ZIP/Cabinet staging, BCrypt crypto, and native API use — see the cluster page remotepe and the prior deep-dive report /intel/analyses/710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8.html.

What follows is the per-sample delta.

Compile-Time Shift

The timestamp 0x6620BE9B places this build at 18 Apr 2024 06:32:59 UTC, roughly six weeks earlier than the 710f1530 May 2024 build. The linker version, section layout, debug-directory types, and TLS callback address all match the sibling, confirming the same build pipeline. ^[pefile.txt:34] ^[pefile.txt:503-589]

Size Increase

531 456 bytes vs 528 896 bytes (+2 560 bytes). The .text section hash differs from the sibling, but the .rdata RTTI strings, import table, and debug directory are structurally identical. The increase likely reflects minor code changes (e.g., timestamp-embedded strings, recompiled translation units) rather than new plugins or added dependencies. ^[pefile.txt:77-96]

Import Profile (Unchanged)

Identical to 710f1530:

  • WININET.dll — HTTP C2 primitives (InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, etc.) ^[pefile.txt:258-267]
  • bcrypt.dll — AES, SHA-2, PBKDF2, random ^[pefile.txt:486-498]
  • CRYPT32.dll — DPAPI (CryptProtectData / CryptUnprotectData) ^[pefile.txt:277-280]
  • Cabinet.dll — Ordinals 30/33/35 (archive compression) ^[pefile.txt:290-292]
  • SHLWAPI.dll — Path manipulation ^[pefile.txt:302-304]
  • WTSAPI32.dll — WTSQueryUserToken (interactive session theft) ^[pefile.txt:314-315]
  • USERENV.dll — Environment block creation ^[pefile.txt:324-325]
  • ADVAPI32.dll — Token duplication, registry, SID queries ^[pefile.txt:465-476]

RTTI Plugin Classes (Unchanged)

All ten interface classes recovered in .rdata match the sibling exactly: IController, IConfigProfile, IKernelModule, IConsole, IFileExplorer, IProcess, ITimer, IChannelController, IPing, IMiddleController ^[strings.txt:1472-1521].

Telemetry Masquerade Strings (Unchanged)

The fake Azure Application Insights cookie and header strings are verbatim:

  • MicrosoftApplicationsTelemetryDeviceId ^[strings.txt:1016]
  • armAuthorization ^[strings.txt:1015]
  • odata.metadata ^[strings.txt:1014]
  • ai_session ^[strings.txt:1018]
  • Accept-Language ^[strings.txt:1027]
  • application/json ^[strings.txt:1028]
  • Content-Type ^[strings.txt:1029]
  • GUID cookie format string: %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx%08lx%08lx%08lx&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX ^[strings.txt:1030]
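
To turn the recovered format string into something a proxy-log review can use, here is an added Python example (not code from this report): it compiles the printf template into a regex anchored on the constant fragments (-c1=2-c2=2-c3=2, &V=4, the 32-hex GUID fields) and runs it over constructed Cookie header values. Which of the four listed names fills which %s slot is not established by the strings alone, so the name placement in the sample values is an assumption.

```python
import re

# Format string recovered from the sample's .rdata (strings.txt:1030 in this report).
COOKIE_FMT = ("%s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx%08lx%08lx%08lx"
              "&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX")

# printf conversion -> regex fragment. A %s here is a cookie name or value, so it is
# assumed not to contain the separators the template itself relies on (; = &).
_CONV = {"%s": r"[^;=&]+", "%08lx": r"[0-9a-f]{8}", "%08lX": r"[0-9A-F]{8}",
         "%04x": r"[0-9a-f]{4}", "%04d": r"[0-9]{4}", "%02d": r"[0-9]{2}", "%d": r"[0-9]+"}

def printf_to_regex(fmt: str) -> "re.Pattern[str]":
    """Escape the literal text of a printf template and swap each conversion for a class."""
    parts, pos = [], 0
    for m in re.finditer(r"%0?\d*l?[sdxX]", fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        parts.append(_CONV[m.group()])
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")

COOKIE_RE = printf_to_regex(COOKIE_FMT)

def is_remotepe_cookie(cookie_value: str) -> bool:
    """True when a Cookie header value was produced by the masquerade template."""
    return COOKIE_RE.match(cookie_value.strip()) is not None

def scan_cookie_headers(headers: list) -> list:
    """Return the (index, value) pairs from a list of Cookie header values that match."""
    return [(i, h) for i, h in enumerate(headers) if is_remotepe_cookie(h)]

# Constructed Cookie header values for offline testing (not captured traffic).
# The assignment of names to %s slots in the first value is an assumption.
SAMPLE_COOKIES = [
    "MicrosoftApplicationsTelemetryDeviceId=cid=a1b2c3-c1=2-c2=2-c3=2; armAuthorization=1; "
    "ai_session=GUID=0123abcd89ef45670123456789abcdef&HASH=1f2e&LV=202404&V=4&LU=17; "
    "odata.metadata=0123ABCD89EF45670123456789ABCDEF",
    # Shape of a genuine Application Insights pair: id|timestamp fields, no cid= block.
    "ai_user=abc123|2024-04-18T06:32:59.000Z; ai_session=def456|1713421979|1713421979",
    # Near miss: same layout but the hard-coded V=4 differs, so it must not match.
    "MicrosoftApplicationsTelemetryDeviceId=cid=a1b2c3-c1=2-c2=2-c3=2; armAuthorization=1; "
    "ai_session=GUID=0123abcd89ef45670123456789abcdef&HASH=1f2e&LV=202404&V=3&LU=17; "
    "odata.metadata=0123ABCD89EF45670123456789ABCDEF",
]

if __name__ == "__main__":
    for idx, value in scan_cookie_headers(SAMPLE_COOKIES):
        print(f"sample {idx} matches the remotepe cookie template: {value[:60]}...")
```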

Native API Strings (Unchanged)

Dynamic-resolution candidates present as static strings but absent from IAT — hallmarks of ntdll syscall usage:

  • NtCreateUserProcess, RtlCreateProcessParametersEx, RtlDestroyProcessParameters ^[strings.txt:1141-1143]
  • NtQuerySystemInformation, NtQueryInformationProcess ^[strings.txt:1128-1129]
  • NtOpenProcess, NtTerminateProcess, NtClose ^[strings.txt:1125-1126,1130]
  • NtCreateFile, NtReadFile, NtWriteFile, NtDeleteFile, NtSetInformationFile ^[strings.txt:1075-1087]

Cryptography Strings (Unchanged)

Full BCrypt suite and DPAPI strings match the sibling. ^[strings.txt:1288-1291,1364-1377]

json11 / libzippp Strings (Unchanged)

RTTI for json11::JsonObject, json11::JsonArray, libzippp::ZipArchive, zlib deflate/inflate copyright strings, and ZIP error messages are all present, confirming identical JSON framing and archive staging logic. ^[strings.txt:1473-1491,1499,767,787,710-734]

Decompiled Behavior

Ghidra auto-analysis completed successfully (1 957 functions, 2 137 symbols). The entrypoint (0x1800349f8) dispatches through standard MSVC DLL CRT scaffolding. On DLL_PROCESS_ATTACH a worker thread is spawned; the thread allocates C++ plugin objects and registers them with a controller dispatcher before entering a message loop. No anti-debug or VM checks were found in the decompiled entry path. The binary relies on reflective DLL loading or rundll32 execution (zero export table). ^[ghidra:entry]

Because this is a cluster sibling, no new control-flow patterns were observed beyond those documented for 710f1530.

C2 Infrastructure

  • Protocol: HTTP/S over WININET, JSON-framed payloads, fake Azure telemetry cookies.
  • Hardcoded URI/hostname: None found in static strings; C2 endpoint runtime-resolved (likely via IConfigProfile plugin or external config). ^[strings.txt]
  • Masquerade indicators: MicrosoftApplicationsTelemetryDeviceId, odata.metadata, armAuthorization, ai_session, application/json ^[strings.txt:1014-1030]

Interesting Tidbits

  1. Sibling fidelity — The Apr→May 2024 gap suggests a regular build cadence (bi-weekly or monthly CI). The near-zero structural drift between builds implies a mature, version-controlled codebase. ^[pefile.txt:34]
  2. POGO + ILTCG — Both Profile-Guided Optimization and Link-Time Code Generation debug entries are present. This is a release-grade compiler pipeline, not ad-hoc compilation. ^[pefile.txt:574-589]
  3. Full GuardXFG — The GuardXFGCheckFunctionPointer, GuardXFGDispatchFunctionPointer, and GuardXFGTableDispatchFunctionPointer fields in the load-config directory are all populated. This is unusual for malware and hardens the binary against both exploitation and EDR hooking. ^[pefile.txt:561-563]
  4. No exports, no resources — Zero export table and zero resource directory. The DLL cannot be loaded by normal Windows loader resolution; it must be reflectively injected or launched via rundll32 with an ordinal or known name. ^[pefile.txt:199-202,205-207]
  5. FLOSS/capa unavailable — floss.txt contains only a CLI argument error (flag collision), and capa.txt reports a missing signature path. Neither tool produced usable output. ^[floss.txt] ^[capa.txt]
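
As an added example (not part of the original report), the following Python reads the build-identity fields compared in the Compile-Time Shift section and tidbits 2 to 4 (COFF timestamp, linker version, image base, export and resource directory sizes) straight from a PE32+ header and gates on the sibling profile: x64 DLL, linker 14.38, no exports, no resources. The header bytes come from build_header(), a constructed stand-in for offline testing and not bytes from the sample; 0x8664 and 0x2022 are the standard IMAGE_FILE_MACHINE_AMD64 and EXECUTABLE|LARGE_ADDRESS_AWARE|DLL characteristics values.

```python
import struct
from datetime import datetime, timezone

PE32PLUS_MAGIC = 0x20B           # IMAGE_NT_OPTIONAL_HDR64_MAGIC
DIR_EXPORT, DIR_RESOURCE = 0, 2  # data-directory indices

def pe_fingerprint(data: bytes) -> dict:
    """Read the header fields this report compares between the two sibling builds."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER64 start
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    def dir_size(idx: int) -> int:                    # Size field of DataDirectory[idx]
        return struct.unpack_from("<II", data, opt + 112 + 8 * idx)[1] if idx < n_dirs else 0
    return {
        "x64": machine == 0x8664, "dll": bool(chars & 0x2000), "sections": nsect,
        "timestamp": ts, "compiled": datetime.fromtimestamp(ts, tz=timezone.utc),
        "linker": f"{lnk_major}.{lnk_minor}", "image_base": image_base,
        "export_dir_size": dir_size(DIR_EXPORT), "resource_dir_size": dir_size(DIR_RESOURCE),
    }

def matches_remotepe_build(fp: dict) -> bool:
    """Structural gate for the cluster: x64 DLL, MSVC 14.38 linker, no exports, no resources."""
    return (fp["x64"] and fp["dll"] and fp["linker"] == "14.38"
            and fp["export_dir_size"] == 0 and fp["resource_dir_size"] == 0)

def build_header(ts: int, linker=(14, 38), export_size=0, resource_size=0) -> bytes:
    """Constructed minimal PE32+ DLL header for offline testing; not bytes from the sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 6, ts, 0, 0, 240, 0x2022)    # x64, 6 sections, DLL
    opt = struct.pack("<HBB", PE32PLUS_MAGIC, *linker) + b"\0" * 20 + struct.pack("<Q", 0x180000000)
    opt += b"\0" * (108 - len(opt)) + struct.pack("<I", 16)             # NumberOfRvaAndSizes
    dirs = [(0, export_size), (0, 0), (0, resource_size)] + [(0, 0)] * 13
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)

if __name__ == "__main__":
    fp = pe_fingerprint(build_header(0x6620BE9B))   # timestamp reported for this build
    print(fp["compiled"].isoformat(), fp["linker"], matches_remotepe_build(fp))
```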

How To Mess With It (Homelab Replication)

See the replication notes on the remotepe cluster page. For this specific build, adjust the compile timestamp to match 2024-04-18 06:32:59 UTC (0x6620BE9B) in your linker script or .res file if you are building a reproducer for YARA testing.

Deployable Signatures

YARA

Reuse the remotepe_lazarus_rtti rule from the 710f1530 report; it fires on this sibling unchanged because RTTI strings and telemetry masquerade strings are identical. For SHA-specific attribution, add:

rule remotepe_lazarus_2024_04 {
    meta:
        description = "RemotePE Lazarus backdoor - Apr 2024 build sibling"
        author = "pp-hermes"
        date = "2026-06-04"
        sha256 = "62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119"
        reference_sha256 = "710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8"
    strings:
        $a1 = ".?AVIController@@" ascii
        $a2 = ".?AVIConfigProfile@@" ascii
        $a3 = ".?AVIKernelModule@@" ascii
        $a4 = ".?AVIConsole@@" ascii
        $a5 = ".?AVIFileExplorer@@" ascii
        $a6 = ".?AVIProcess@@" ascii
        $a7 = ".?AVITimer@@" ascii
        $a8 = ".?AVIChannelController@@" ascii
        $a9 = ".?AVIPing@@" ascii
        $a10 = ".?AVIMiddleController@@" ascii
        $b1 = "MicrosoftApplicationsTelemetryDeviceId" ascii
        $b2 = "odata.metadata" ascii
        $b3 = "armAuthorization" ascii
        $b4 = "ai_session" ascii
        $c1 = "application/json" ascii
        $c2 = "Accept-Language" ascii
        $c3 = "%s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx%08lx%08lx%08lx&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX" ascii
    condition:
        uint16(0) == 0x5A4D and
        5 of ($a*) and
        3 of ($b*) and
        2 of ($c*)
}

Sigma

Reuse the RemotePE Backdoor Network Beaconing rule from the 710f1530 report; it is equally valid here.

IOC List

  • SHA-256: 62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119 ^[metadata]
  • File type: PE32+ x64 DLL, GUI subsystem ^[file.txt]
  • Compile time: 2024-04-18 06:32:59 UTC ^[pefile.txt:34]
  • Linker version: 14.38 ^[pefile.txt:46]
  • Import hash profile: WININET + bcrypt + CRYPT32 + Cabinet + SHLWAPI + WTSAPI32 + USERENV + ADVAPI32 ^[pefile.txt:258-476]
  • RTTI classes: IController, IConfigProfile, IKernelModule, IConsole, IFileExplorer, IProcess, ITimer, IChannelController, IPing, IMiddleController ^[strings.txt:1472-1521]
  • Masquerade strings: MicrosoftApplicationsTelemetryDeviceId, odata.metadata, armAuthorization, ai_session ^[strings.txt:1014-1030]
  • Cookie format: %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx...&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX ^[strings.txt:1030]

Behavioral Fingerprint

This DLL loads into a host process (reflectively or via rundll32), initializes a TLS callback, spawns a background thread that instantiates a ten-plugin controller hierarchy, and within 60 seconds opens a WININET session. It constructs HTTP headers impersonating Azure Application Insights telemetry (JSON Content-Type, fake session/device GUID cookies), then exchanges encrypted data with a remote C2 server. Simultaneously it may call DuplicateTokenEx and CreateProcessAsUserW to spawn child processes under stolen interactive-user tokens. ZIP/Cabinet archive construction and BCrypt AES encryption are used for payload staging and exfiltration.

Detection Signatures

Same ATT&CK mapping as 710f1530:

  • ATT&CK T1071.001 — Application Layer Protocol: Web Protocols ^[pefile.txt:258-267]
  • ATT&CK T1059.003 — Windows Command Shell (IConsole plugin) ^[strings.txt:1515]
  • ATT&CK T1083 — File and Directory Discovery (IFileExplorer plugin) ^[strings.txt:1516]
  • ATT&CK T1057 — Process Discovery (IProcess plugin) ^[strings.txt:1517]
  • ATT&CK T1134 — Access Token Manipulation ^[pefile.txt:465-476]
  • ATT&CK T1078 — Valid Accounts (token theft) ^[pefile.txt:314-315]
  • ATT&CK T1036.005 — Match Legitimate Name or Location (telemetry masquerade) ^[strings.txt:1014-1030]
  • ATT&CK T1001.003 — Data Obfuscation: Protocol Impersonation ^[strings.txt:1014-1030]
  • ATT&CK T1560 — Archive Collected Data ^[strings.txt:1499] ^[pefile.txt:290-292]
  • ATT&CK T1543 — Create or Modify System Process (NtCreateUserProcess) ^[strings.txt:1141-1143]
  • ATT&CK T1070.004 — File Deletion (MoveFileExW delayed rename) ^[pefile.txt:384]

References

  • OpenCTI artifact: 600f6d74-1e34-4599-9acb-31e80ace2753 ^[metadata.json]
  • MalwareBazaar label: lazarus / remotepe ^[metadata.json]
  • Related wiki pages: lazarus, remotepe
  • Sibling report: /intel/analyses/710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8.html

Provenance

Analysis conducted on pp-hermes using:

  • Static: file, exiftool, pefile, strings, radare2 (rabin2 -I), yara (generic rules), binwalk.
  • Disassembly: Ghidra via pyghidra-mcp (auto-analysis completed; 1 957 functions, 2 137 symbols).
  • Capa not available (signature path missing, triage infrastructure issue).
  • FLOSS not available (CLI argument collision in triage pipeline).
  • No CAPE detonation performed: no Windows guest available at time of analysis.