type: analysis | family: remotepe | confidence: medium | tags: pe, malware-family, rat, c2-protocol, persistence, defense-evasion, c2, exfiltration
SHA-256: 6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d

remotepe: 6b33d201 — Oct 2023 sibling with SystemFunction001 export

Executive Summary

A 553 KB PE32+ x64 DLL compiled Oct 2023, attributed (medium confidence) to Lazarus Group via MalwareBazaar remotepe label. It is a near-identical sibling to the RemotePE cluster documented at remotepe — the only salient delta is the presence of a named export (SystemFunction001) and an earlier compilation date. Otherwise shares the full plugin-based RAT architecture, Azure telemetry cookie masquerade, BCrypt-secured HTTP C2, and token-theft lateral movement. See remotepe for cluster-wide build-stack and TTP deep-dive.

What It Is

  • File: remotepe_2023-10-17_6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d.bin ^[triage.json:5]
  • Type: PE32+ executable (DLL) (GUI) x86-64, 6 sections ^[file.txt]
  • Size: 553 030 bytes ^[triage.json:14]
  • Compiler: MSVC 14.35 (LinkerVersion 14.35), compiled Tue Oct 17 02:48:59 2023 UTC ^[pefile.txt:34] ^[exiftool.json:15]
  • Base: 0x180000000 ^[rabin2-info.txt:2]
  • Export: one named export, SystemFunction001 at ordinal 1, RVA 0x20FD0 ^[pefile.txt:264]
  • CFG: Full Control-Flow Guard and GuardXFG enabled ^[pefile.txt:534-588]
  • Signing: Unsigned ^[rabin2-info.txt:27]
  • PDB: None. POGO + ILTCG debug directories present ^[pefile.txt:592-614]
  • Attribution: OpenCTI labels [lazarus, remotepe, malware-bazaar] ^[metadata.json]

How It Works

This sample behaves as described on the remotepe cluster page. Briefly:

  • On DLL_PROCESS_ATTACH, the CRT entry path spawns a worker thread that instantiates plugin objects (IConfigProfile, IKernelModule, IConsole, IFileExplorer, IProcess, ITimer, IChannelController, IPing, IMiddleController) and enters a C2 dispatch loop. ^[strings.txt:1572-1580]
  • HTTP C2 is carried over WININET.dll with fake Azure Application Insights telemetry cookies (MicrosoftApplicationsTelemetryDeviceId, armAuthorization, odata.metadata, ai_session) and JSON Content-Type. ^[strings.txt:1068-1087]
  • Communications are encrypted via bcrypt.dll (AES, SHA-2, PBKDF2). ^[pefile.txt:511-524]
  • Archives are manipulated through libzippp and Cabinet.dll for staging or exfil. ^[strings.txt:1558] ^[pefile.txt:290-292]
  • Lateral movement is enabled by DuplicateTokenEx + CreateProcessAsUserW plus WTSQueryUserToken. ^[pefile.txt:465-476] ^[pefile.txt:314-315]
  • Native API names (NtCreateUserProcess, RtlCreateProcessParametersEx, NtQuerySystemInformation, NtCreateFile, etc.) appear as strings but are absent from the IAT, indicating dynamic resolution. ^[strings.txt:1190-1196]

Per-sample delta: unlike the May 2024 (710f1530) and Apr 2024 (62e040a3) siblings, this Oct 2023 build exposes a single export named SystemFunction001. The name is a known Lazarus export naming convention (reused across multiple families). Its presence makes this sample detectable via export-table signatures that the later stripped siblings evade.
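The export-table check this delta enables, as an added example that is not part of the page's triage tooling: a dependency-free walker over the PE32+ export directory that returns (name, ordinal, RVA) tuples, so a named export such as SystemFunction001 can be matched without pefile or YARA's pe module. The synthetic DLL builder exists only so the parser can be exercised offline; apart from the export RVA 0x20FD0 taken from the page, every header value in the constructed image is an assumption and the image is not a real sample. Forwarded exports and PE32 (32-bit) images are deliberately not handled.

```python
import struct

IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def _rva_to_offset(rva, sections):
    """Translate an RVA to a raw file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("ascii")


def list_exports(data):
    """Return [(name, ordinal, function_rva)] for the named exports of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad NT signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("only PE32+ images are handled here")
    export_rva, _export_size = struct.unpack_from("<II", data, opt + 112)  # DataDirectory[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return []  # export-stripped build, like the 2024 siblings
    ed = _rva_to_offset(export_rva, sections)
    # IMAGE_EXPORT_DIRECTORY from offset 16: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    base, _n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, ed + 16)
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)
    exports = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]  # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        exports.append((_cstring(data, _rva_to_offset(name_rva, sections)), base + idx, func_rva))
    return exports


def has_export(data, name):
    return any(n == name for n, _, _ in list_exports(data))


def build_synthetic_dll(export_names, dll_name=b"sample.dll"):
    """Constructed PE32+ DLL with a single .edata section (assumed layout, not a real sample)."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    n = len(export_names)
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings = bytearray(dll_name + b"\x00")
    name_rvas = []
    for name in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\x00"
    edata = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva))
    edata += b"".join(struct.pack("<I", 0x20FD0 + 0x10 * i) for i in range(n))  # constructed code RVAs
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata += strings
    export_size = len(edata)
    edata += b"\x00" * (sec_size - len(edata))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)      # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<QII", opt, 24, 0x180000000, 0x1000, 0x200)      # ImageBase, alignments
    struct.pack_into("<II", opt, 56, sec_rva + sec_size, sec_raw)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, export_size)            # export DataDirectory
    sec = struct.pack("<8sIIIIIIHHI", b".edata", sec_size, sec_rva, sec_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + opt + sec
    return bytes(headers + b"\x00" * (sec_raw - len(headers)) + edata)


if __name__ == "__main__":
    image = build_synthetic_dll(["SystemFunction001"])
    print(list_exports(image), has_export(image, "SystemFunction001"))
```

Pointing list_exports at a real file (`open(path, "rb").read()`) gives the same tuples that pefile's DIRECTORY_ENTRY_EXPORT would, and the ordinal/RVA pair for this sample should read (1, 0x20FD0) per pefile.txt:264.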

C2 Infrastructure

  • No hardcoded URI or IP in static strings. C2 endpoint is runtime-resolved (likely via IConfigProfile). ^[strings.txt]
  • Masquerade headers are present in plaintext and serve as behavioural indicators. ^[strings.txt:1068-1087]

Interesting Tidbits

  1. SystemFunction001 export — a rare named surface in an otherwise export-stripped family. This is the same name observed in older Lazarus implants. ^[pefile.txt:264]
  2. Telemetry cosplay unchanged — the exact same cookie format string (%s=cid=%s-c1=2-c2=2-c3=2; ...) appears here and in the 2024 siblings, confirming a shared builder/framework. ^[strings.txt:1087]
  3. POGO/ILTCG present on an Oct 2023 build just as on the 2024 builds, indicating the developer has been using Profile-Guided Optimization consistently across at least six months. ^[pefile.txt:592-614]
  4. No packing or obfuscation beyond CFG — the binary is a plain DLL with full MSVC RTTI, making it easy to recognise but also easy to reverse. ^[rabin2-info.txt:23]
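The masquerade cookies from the C2 Infrastructure section and the fixed cookie format string in tidbit 2 are the network-side counterpart of the YARA rule. The following is an added example, not detection content from the page: it turns the recovered format `%s=cid=%s-c1=2-c2=2-c3=2; ...` into a check over HTTP proxy records, requiring at least two of the four cookie names (mirroring the rule's `2 of ($b*)`, since ai_session on its own is a legitimate Application Insights cookie) plus the fixed `-c1=2-c2=2-c3=2` tail and a JSON Content-Type. The log lines and their tab-separated layout are constructed for the example.

```python
import re

# Cookie names the sample uses to impersonate Azure Application Insights
# telemetry (strings.txt:1068-1087 on the page).
MASQUERADE_COOKIE_NAMES = frozenset({
    "MicrosoftApplicationsTelemetryDeviceId",
    "armAuthorization",
    "odata.metadata",
    "ai_session",
})

# First slot of the recovered format string "%s=cid=%s-c1=2-c2=2-c3=2; ...":
# the cookie value is "cid=<identifier>" followed by a fixed "-c1=2-c2=2-c3=2" tail.
CID_TAIL_RE = re.compile(r"cid=.+?-c1=2-c2=2-c3=2$")


def parse_cookie_header(cookie_header):
    """Split a Cookie request header into {name: value}, tolerant of spacing."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def classify_request(content_type, cookie_header):
    """Return (verdict, matched_cookie_names, cid_tail_seen) for one HTTP request."""
    cookies = parse_cookie_header(cookie_header)
    matched = sorted(MASQUERADE_COOKIE_NAMES & set(cookies))
    cid_tail = any(CID_TAIL_RE.match(v) for v in cookies.values())
    is_json = content_type.split(";")[0].strip().lower() == "application/json"
    if cid_tail and len(matched) >= 2 and is_json:
        return "remotepe-masquerade", matched, cid_tail
    if cid_tail or len(matched) >= 2:
        return "suspicious", matched, cid_tail
    return "benign", matched, cid_tail


def scan_log(lines):
    """Constructed tab-separated proxy log: ts, src, dst, method, path, content-type, cookie."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _method, _path, ctype, cookie = line.rstrip("\n").split("\t", 6)
        verdict, matched, cid_tail = classify_request(ctype, cookie)
        results.append({"ts": ts, "src": src, "dst": dst, "verdict": verdict,
                        "matched": matched, "cid_tail": cid_tail})
    return results


# Constructed sample records (not captured traffic).
SAMPLE_LOG = [
    # benign-looking App Insights beacon: only the standard ai_* cookies, no cid tail
    "2023-10-17T03:01:12Z\t10.0.0.5\t203.0.113.10\tPOST\t/v2/track\tapplication/json\t"
    "ai_user=u1|2023; ai_session=s1|2023",
    # RemotePE-style request: fixed cid tail plus three masquerade cookie names
    "2023-10-17T03:02:40Z\t10.0.0.7\t198.51.100.23\tPOST\t/api/telemetry\tapplication/json\t"
    "MicrosoftApplicationsTelemetryDeviceId=cid=5b1c-9a0e-c1=2-c2=2-c3=2; armAuthorization=Zm9v; odata.metadata=GUID=0000",
    # partial overlap: two names but no cid tail and a form-encoded body
    "2023-10-17T03:03:05Z\t10.0.0.9\t198.51.100.23\tPOST\t/api/telemetry\tapplication/x-www-form-urlencoded\t"
    "armAuthorization=x; odata.metadata=y",
]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ts"], r["src"], "->", r["dst"], r["verdict"], r["matched"])
```

Because the page reports no hardcoded C2 address, the destination field is output rather than matched; a "remotepe-masquerade" verdict is what justifies pivoting on the dst host.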

Deployable Signatures

YARA (export-focused variant)

import "pe"

rule remotepe_systemfunction001_export {
    meta:
        description = "RemotePE Lazarus backdoor with SystemFunction001 export"
        author = "pp-hermes"
        date = "2026-06-05"
        sha256 = "6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d"
    strings:
        // MSVC RTTI type descriptor names of the plugin interfaces
        $a1 = ".?AVIController@@" ascii
        $a2 = ".?AVIConsole@@" ascii
        $a3 = ".?AVIFileExplorer@@" ascii
        $a4 = ".?AVIProcess@@" ascii
        $a5 = ".?AVIChannelController@@" ascii
        $a6 = ".?AVIPing@@" ascii
        $a7 = ".?AVIMiddleController@@" ascii
        // Azure Application Insights telemetry masquerade cookie names
        $b1 = "MicrosoftApplicationsTelemetryDeviceId" ascii
        $b2 = "armAuthorization" ascii
        $b3 = "odata.metadata" ascii
    condition:
        uint16(0) == 0x5A4D and
        pe.exports("SystemFunction001") and
        4 of ($a*) and
        2 of ($b*)
}

IOC List

Type | Value | Source
---- | ----- | ------
SHA-256 | 6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d | metadata
Export Name | SystemFunction001 (ordinal 1) | pefile.txt:264
Compile Time | 2023-10-17 02:48:59 UTC | pefile.txt:34
RTTI Classes | IController, IConfigProfile, IKernelModule, IConsole, IFileExplorer, IProcess, ITimer, IChannelController, IPing, IMiddleController | strings.txt:1572-1580
Masquerade Strings | MicrosoftApplicationsTelemetryDeviceId, odata.metadata, armAuthorization, ai_session | strings.txt:1068-1087
Cookie Format | %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=... | strings.txt:1087

Behavioral Fingerprint

A PE32+ x64 DLL with a single export named SystemFunction001 loads into a host process, spawns a background thread, and initializes a controller plugin hierarchy. Within seconds it opens a WININET session, constructs HTTP headers impersonating Azure Application Insights telemetry (including JSON Content-Type and fake session/device cookies), and exchanges framed JSON data with a remote server. It can spawn child processes under stolen interactive-user tokens via DuplicateTokenEx and CreateProcessAsUserW, and manipulates ZIP/Cabinet archives for payload staging.

Detection Signatures

All ATT&CK mappings are identical to the RemotePE cluster documented at remotepe. Representative mappings:

  • T1071.001 — HTTP C2 beaconing ^[pefile.txt:258-267]
  • T1134 — Access Token Manipulation ^[pefile.txt:465-476]
  • T1078 — Valid Accounts (token theft) ^[pefile.txt:314-315]
  • T1036.005 — Match Legitimate Name or Location (telemetry masquerade) ^[strings.txt:1068-1087]
  • T1001.003 — Data Obfuscation: Protocol Impersonation ^[strings.txt:1068-1087]
  • T1560 — Archive Collected Data ^[pefile.txt:290-292] ^[strings.txt:1558]
  • T1543 — Create or Modify System Process (NtCreateUserProcess) ^[strings.txt:1196]

References

  • OpenCTI artifact: aa278c09-e12a-4d36-b47b-12e796a7e68d ^[metadata.json]
  • MalwareBazaar label: lazarus / remotepe ^[triage.json]
  • Related wiki pages: remotepe, lazarus

Provenance

Analysis conducted on pp-hermes using static artefacts (file, exiftool, pefile, strings, rabin2, yara, binwalk) and radare2 decompilation. No CAPE detonation available. Capa and floss failed due to missing signatures / argument parsing errors in the triage environment.