type: analysis | family: remotepe | confidence: medium | tags: pe, malware-family, rat, c2-protocol, persistence, defense-evasion, c2, exfiltration
SHA-256: 710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8

remotepe: 710f1530 — MSVC 2022 x64 backdoor DLL, Azure-telemetry cookie masquerade, plugin-based RAT

Executive Summary

A 529 KB PE32+ DLL compiled May 2024 with MSVC 14.38, attributed (medium confidence) to Lazarus Group via the remotepe label from MalwareBazaar/OpenCTI. It presents a modular, plugin-driven remote-access backdoor with HTTP C2, ZIP payload staging, BCrypt-protected comms, and token-theft lateral movement. Its most distinctive anti-forensics trait is the construction of fake Microsoft Application Insights telemetry cookies to blend C2 traffic into benign Azure telemetry shapes. No packing; control-flow guard enabled. No CAPE detonation available (static-only inference supplemented by Ghidra decompilation).

What It Is

  • File: remotepe_2024-05-11_710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8.bin ^[exiftool.json]
  • Type: PE32+ executable (DLL) (GUI) x86-64, 6 sections ^[file.txt]
  • Size: 528 896 bytes
  • Compiler: MSVC 14.38 (LinkerVersion 14.38), compiled Sat May 11 00:20:54 2024 UTC ^[pefile.txt:34] ^[exiftool.json:18]
  • Base: 0x180000000 ^[rabin2-info.txt:2]
  • CFG/XFG: Full Control-Flow Guard enabled (GuardCF flags set, GuardXFG present) ^[pefile.txt:534-563]
  • Signing: Unsigned ^[rabin2-info.txt:27]
  • PDB: None embedded. POGO debug directory present (IMAGE_DEBUG_TYPE_POGO) ^[pefile.txt:575]
  • TLS: Single raw-data TLS entry with callback array at 0x180060658 ^[pefile.txt:503-509]
  • Attribution: OpenCTI labels ["lazarus", "remotepe", "malware-bazaar"] ^[metadata.json]

How It Works

Entry and Threading

Entrypoint at 0x1800347f8 is the standard entry for an MSVC DLL: it validates the /GS security cookie, then dispatches to dllmain_dispatch. On DLL_PROCESS_ATTACH, a worker thread is spawned via CreateThread whose start address is FUN_1800202c0 ^[ghidra:entry] ^[ghidra:FUN_180020240]. That thread instantiates a family of C++ objects and registers them with what appears to be a central dispatcher (local_120) before calling FUN_180001ac0, likely an execution loop ^[ghidra:FUN_1800202c0].

Plugin Architecture

RTTI strings recovered from .rdata expose a modular controller pattern built around an IController interface ^[strings.txt:1471]. Concrete plugins include:

  • IConfigProfile ^[strings.txt:1512]
  • IKernelModule ^[strings.txt:1513]
  • IConsole ^[strings.txt:1514]
  • IFileExplorer ^[strings.txt:1515]
  • IProcess ^[strings.txt:1516]
  • ITimer ^[strings.txt:1517]
  • IChannelController ^[strings.txt:1518]
  • IPing ^[strings.txt:1519]
  • IMiddleController ^[strings.txt:1520]

The presence of IPing and IChannelController alongside IProcess and IFileExplorer indicates a full-featured RAT rather than a simple downloader. IMiddleController likely acts as a relay/proxy plugin for tunneling.

ZIP Payload Staging

libzippp::ZipArchive appears in RTTI ^[strings.txt:1498], and Cabinet.dll ordinals 30/33/35 (imported by ordinal) are present ^[pefile.txt:290-292]. The combination of libzippp and Microsoft Cabinet APIs suggests the sample can construct, compress, or decompress archives for payload delivery or exfiltration.

Network / C2 Masquerade

HTTP primitives are imported from WININET.dll: InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, HttpQueryInfoW, InternetReadFile, InternetSetOptionW, InternetCrackUrlW, HttpAddRequestHeadersA ^[pefile.txt:258-267].

Static strings reveal the C2 is wrapped in fake Azure Application Insights telemetry headers:

  • MicrosoftApplicationsTelemetryDeviceId ^[strings.txt:1015]
  • armAuthorization ^[strings.txt:1014]
  • odata.metadata ^[strings.txt:1013]
  • ai_session ^[strings.txt:1017]
  • Content-Type: application/json ^[strings.txt:1027-1028]
  • Accept-Language: en-US,en;q=0.9 ^[strings.txt:1025-1026]

A GUID-format cookie string is also present: %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx%08lx%08lx%08lx&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX ^[strings.txt:1029].

This mimics the ai_session / ai_device cookies emitted by legitimate Azure SDKs, making the traffic look like benign telemetry beacons.

Authentication / Token Abuse

ADVAPI32 imports include OpenProcessToken, DuplicateTokenEx, CreateProcessAsUserW, GetTokenInformation, LookupAccountSidW, GetSidSubAuthority / GetSidSubAuthorityCount ^[pefile.txt:465-476]. Combined with WTSQueryUserToken from WTSAPI32.dll ^[pefile.txt:314-315], the sample can steal interactive session tokens and spawn processes under the context of another logged-on user. This enables both privilege escalation and lateral movement.

Native API Use (Static-Inferred)

Several ntdll function names appear as strings but are not in the IAT, indicating dynamic resolution or manual syscall usage:

  • NtCreateUserProcess, RtlCreateProcessParametersEx, RtlDestroyProcessParameters ^[strings.txt:1140-1143]
  • NtQuerySystemInformation ^[strings.txt:1127]
  • NtQueryInformationProcess ^[strings.txt:1128]
  • NtOpenProcess, NtTerminateProcess, NtClose ^[strings.txt:1124-1126,1130]
  • NtCreateFile, NtReadFile, NtWriteFile, NtDeleteFile, NtSetInformationFile ^[strings.txt:1073-1086]

These are hallmarks of Lazarus tooling that bypasses user-mode hooks by calling directly into the kernel.
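Added example, not part of the analysis pipeline or of the sample: a pure-Python static triage helper that covers two observations above. It recovers C++ class names from MSVC RTTI type descriptors (the plugin list under Plugin Architecture) and emits them in the YARA string form used in Deployable Signatures, and it lists Nt*/Zw*/Rtl* names that occur as strings but are absent from the import list (Native API Use). The .rdata fragment and the import list are constructed stand-ins; the class and API names are the ones the report cites from strings.txt. On a real file, read the .rdata section bytes and the IAT names from your PE parser and pass them in.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample buffer standing in for a slice of .rdata. It is NOT taken from the
# analysed binary; the class and API names are the ones the report cites from strings.txt,
# interleaved with filler bytes so the regexes actually have to locate them.
SAMPLE_RDATA = (
    b"\x00\x00.?AVIController@@\x00\x00\x00\x00"
    b".?AVIConfigProfile@@\x00.?AVIKernelModule@@\x00"
    b".?AVIConsole@@\x00.?AVIFileExplorer@@\x00.?AVIProcess@@\x00"
    b".?AVITimer@@\x00.?AVIChannelController@@\x00.?AVIPing@@\x00"
    b".?AVIMiddleController@@\x00.?AVZipArchive@libzippp@@\x00"
    b"\x90\x90NtCreateUserProcess\x00NtQuerySystemInformation\x00"
    b"NtOpenProcess\x00NtClose\x00InternetOpenW\x00HttpSendRequestW\x00"
)

# Constructed stand-in for the import table (the names a PE parser would list).
# Deliberately contains no ntdll exports, mirroring what the report observed.
SAMPLE_IMPORTS = ["InternetOpenW", "HttpSendRequestW", "OpenProcessToken"]

# MSVC RTTI TypeDescriptor names: ".?AV" (class) or ".?AU" (struct), followed by the
# decorated name with the innermost scope first, '@'-separated, terminated by "@@".
RTTI_RE = re.compile(rb"\.\?A[UV]([A-Za-z0-9_]+(?:@[A-Za-z0-9_]+)*)@@")

# ntdll-style export names as they appear when a sample resolves them by string
# (GetProcAddress, API hashing or hand-rolled syscall stubs) instead of via the IAT.
NATIVE_API_RE = re.compile(rb"\b((?:Nt|Zw|Rtl)[A-Z][A-Za-z0-9]+)\b")


def rtti_class_names(data: bytes) -> list[str]:
    """Recover C++ class names from MSVC RTTI type descriptors as namespace::Class."""
    names = []
    for m in RTTI_RE.finditer(data):
        parts = m.group(1).decode("ascii").split("@")
        names.append("::".join(reversed(parts)))  # innermost scope first, so reverse
    return list(dict.fromkeys(names))  # dedupe while keeping first-seen order


def rtti_yara_strings(data: bytes, prefix: str = "a") -> list[str]:
    """Emit YARA string definitions ($<prefix>N = "<descriptor>" ascii) for each descriptor."""
    raw = list(dict.fromkeys(m.group(0).decode("ascii") for m in RTTI_RE.finditer(data)))
    return [f'${prefix}{i} = "{s}" ascii' for i, s in enumerate(raw, start=1)]


def unimported_native_apis(data: bytes, imports: Iterable[str]) -> list[str]:
    """Native API names present as strings but missing from the import table.

    A non-empty result is a triage hint that the sample resolves these functions at
    runtime, which sidesteps import-based classification and user-mode API hooks.
    """
    imported = set(imports)
    found = {m.group(1).decode("ascii") for m in NATIVE_API_RE.finditer(data)}
    return sorted(found - imported)


if __name__ == "__main__":
    print("RTTI classes:", rtti_class_names(SAMPLE_RDATA))
    print("\n".join(rtti_yara_strings(SAMPLE_RDATA)))
    print("Unimported native APIs:", unimported_native_apis(SAMPLE_RDATA, SAMPLE_IMPORTS))
```

The RTTI regex only handles plain and namespaced class names; template instantiations carry extra mangling and would need a full demangler, so treat anything it misses as a reason to inspect the type descriptors manually.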

Cryptography

bcrypt.dll provides AES-GCM (or CBC) symmetric encryption, SHA-2 hashing, PBKDF2 key derivation, and randomness via BCryptGenRandom ^[pefile.txt:486-498]. CryptProtectData / CryptUnprotectData from CRYPT32.dll suggest DPAPI abuse for local secret storage ^[pefile.txt:277-280].

Decompiled Behavior

Ghidra analysis confirms the binary is a plain MSVC DLL with no packer. The dllmain_dispatch function (0x1800346c4) is standard VS2019+ CRT scaffolding. On attach it reaches FUN_180020240, which spawns a thread at FUN_1800202c0. That function heap-allocates ~10 C++ objects via operator_new, zero-inits them, then registers each with a controller list before entering a dispatch loop ^[ghidra:FUN_1800202c0]. No obvious anti-debug or VM checks were found in the decompiled entry path; the sample relies on living in a DLL loaded by a legitimate host process for camouflage.

C2 Infrastructure

  • Protocol: HTTP/S over WININET, JSON-framed payloads, fake Azure telemetry cookie headers.
  • URL/path strings: None hardcoded in static strings; C2 endpoint likely decrypted or fetched from a config resource at runtime.
  • Indicators of masquerade: MicrosoftApplicationsTelemetryDeviceId, armAuthorization, odata.metadata, ai_session ^[strings.txt:1013-1022]

Because the actual URI/hostname is absent from static strings, C2 is either:

  1. Encrypted in .data and decrypted at runtime by the IConfigProfile plugin, or
  2. Fetched from an external config file dropped by an earlier stage.

Interesting Tidbits

  1. Telemetry cosplay — The repeated injection of MicrosoftApplicationsTelemetryDeviceId, ai_session, odata.metadata, and the GUID cookie format is a deliberate anti-forensics choice; it turns the backdoor beacon into what looks like an Azure SDK telemetry POST. ^[strings.txt:1013-1055]
  2. POGO build — The presence of IMAGE_DEBUG_TYPE_POGO indicates Profile-Guided Optimization was used during the MSVC build, a hallmark of disciplined, production-grade toolchains rather than crimeware kludges. ^[pefile.txt:575]
  3. No exports — Zero export table. The DLL must be loaded reflectively or via rundll32 with a known ordinal/name. ^[pefile.txt:199-202]
  4. Full CFG/XFG — GuardCF and GuardXFG are both enabled, making inline hooking and return-oriented programming harder. This is unusual for commodity malware and points to a resourced development team. ^[pefile.txt:534-563]
  5. TLS callback array — A single TLS callback entry exists. Standard for VS CRT TLS initializers, not overtly malicious, but useful for fingerprinting. ^[pefile.txt:503-509]

How To Mess With It (Homelab Replication)

  1. Toolchain: Visual Studio 2022 (v17.x) with MSVC 14.38, target x64, /guard:cf enabled.
  2. Framework: C++20/17, static MSVCRT linking. Build a DLL with no exports.
  3. Components to replicate:
    • Static-link or vendor json11 for JSON parsing.
    • Static-link libzippp/zlib for archive manipulation.
    • Use WININET APIs for HTTP C2.
    • Use bcrypt.dll for AES+SHA-2+PBKDF2.
    • Add CreateProcessAsUserW + DuplicateTokenEx for token theft.
    • Inject Azure telemetry header strings to match the masquerade pattern.
  4. Verification: Compile a minimal DLL with the same import profile and compare pefile.txt import table to this sample. The YARA rule below should fire on your reproducer if you include the RTTI strings.

Deployable Signatures

YARA

rule remotepe_lazarus_rtti {
    meta:
        description = "RemotePE Lazarus backdoor - plugin RTTI and telemetry masquerade"
        author = "pp-hermes"
        date = "2026-06-04"
        sha256 = "710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8"
    strings:
        $a1 = ".?AVIController@@" ascii
        $a2 = ".?AVIConfigProfile@@" ascii
        $a3 = ".?AVIKernelModule@@" ascii
        $a4 = ".?AVIConsole@@" ascii
        $a5 = ".?AVIFileExplorer@@" ascii
        $a6 = ".?AVIProcess@@" ascii
        $a7 = ".?AVITimer@@" ascii
        $a8 = ".?AVIChannelController@@" ascii
        $a9 = ".?AVIPing@@" ascii
        $a10 = ".?AVIMiddleController@@" ascii
        $b1 = "MicrosoftApplicationsTelemetryDeviceId" ascii
        $b2 = "odata.metadata" ascii
        $b3 = "armAuthorization" ascii
        $b4 = "ai_session" ascii
        $b5 = "{ \"%s\": \"%s\" }" ascii
        $b6 = "en-US,en;q=0.9" ascii
    condition:
        uint16(0) == 0x5A4D and
        5 of ($a*) and
        3 of ($b*)
}

Sigma

title: RemotePE Backdoor Network Beaconing
description: Detects HTTP requests with distinctive Azure Application Insights masquerade cookies and JSON content-type, consistent with RemotePE C2 communication.
status: experimental
logsource:
    category: proxy
detection:
    selection:
        cs-content-type|contains: 'application/json'
        cs-cookie|contains:
            - 'MicrosoftApplicationsTelemetryDeviceId'
            - 'ai_session'
            - 'armAuthorization'
            - 'odata.metadata'
    condition: selection
falsepositives:
    - Rare legitimate Azure telemetry endpoints in non-Azure environments
level: medium
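Added example, not part of the report or its deployable signatures: a Python triage pass over proxy-log records that applies the same selection as the Sigma rule above and then, as a higher-fidelity second check, matches the value shapes encoded in the sample's printf-style cookie format string from the Network / C2 Masquerade section. The cookie names are runtime %s arguments in that format string, so only the value shapes (cid=...-c1=2-c2=2-c3=2, GUID=<32 hex>&HASH=...&LV=...&V=4&LU=..., and a trailing 32-character uppercase hex value) are matched. The records, hostnames and cookie values are constructed; the field names follow the Sigma proxy fields used in the rule.

```python
from __future__ import annotations
import re

# Value shapes derived from the format string recovered from the sample (strings.txt:1029):
#   %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx%08lx%08lx%08lx&HASH=%04x&LV=%04d%02d&V=4&LU=%d; %s=%08lX%08lX%08lX%08lX
# %08lx on Windows is 8 lowercase hex digits (long is 32-bit), so 4 of them make 32;
# %04x / %04d%02d are minimum widths, hence the {4,} / {6,} quantifiers.
CID_SHAPE = re.compile(r"=cid=[^;]*?-c1=2-c2=2-c3=2(?:;|$)")
GUID_SHAPE = re.compile(r"=GUID=[0-9a-f]{32}&HASH=[0-9a-f]{4,}&LV=\d{6,}&V=4&LU=\d+(?:;|$)")
TRAILING_HEX = re.compile(r"=[0-9A-F]{32}(?:;|$)")

# Cookie names the Sigma rule keys on. Low fidelity on their own: genuine Application
# Insights traffic also carries ai_session, which is why the rule lists that false positive.
MASQUERADE_NAMES = (
    "MicrosoftApplicationsTelemetryDeviceId",
    "ai_session",
    "armAuthorization",
    "odata.metadata",
)

# Constructed proxy-log records (not real traffic). Field names follow the Sigma proxy taxonomy.
SAMPLE_RECORDS = [
    # 0: ordinary JSON API call with unrelated cookies -> must not alert
    {"cs-host": "api.example.test", "cs-content-type": "application/json",
     "cs-cookie": "session=3f9c2a; theme=dark"},
    # 1: beacon built exactly like the sample's format string -> should alert (high)
    {"cs-host": "cdn-telemetry.example.test", "cs-content-type": "application/json",
     "cs-cookie": "MicrosoftApplicationsTelemetryDeviceId=cid=7d3a1c0f-c1=2-c2=2-c3=2; "
                  "ai_session=5c1e9a0b; "
                  "armAuthorization=GUID=0123456789abcdef0123456789abcdef&HASH=1f2e&LV=202405&V=4&LU=17; "
                  "odata.metadata=0123456789ABCDEF0123456789ABCDEF"},
    # 2: page load carrying a real-looking ai_session cookie but no JSON body -> must not alert
    {"cs-host": "portal.example.test", "cs-content-type": "text/html",
     "cs-cookie": "ai_user=abc|2024-05-11T00:00:00Z; "
                  "ai_session=def|2024-05-11T00:00:00Z|2024-05-11T00:20:00Z"},
]


def sigma_selection(record: dict) -> bool:
    """Same logic as the Sigma rule: JSON content-type AND any masquerade cookie name."""
    ctype = record.get("cs-content-type", "")
    cookie = record.get("cs-cookie", "")
    return "application/json" in ctype and any(name in cookie for name in MASQUERADE_NAMES)


def cookie_shape_indicators(cookie: str) -> list[str]:
    """Which of the three value shapes from the format string appear in the Cookie header."""
    hits = []
    if CID_SHAPE.search(cookie):
        hits.append("cid-c1-c2-c3")
    if GUID_SHAPE.search(cookie):
        hits.append("guid-hash-lv-lu")
    if TRAILING_HEX.search(cookie):
        hits.append("32hex-upper")
    return hits


def triage(records: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (index, severity, indicators) for records worth an analyst's attention.

    Sigma match alone -> medium; two or more structural shapes alone -> medium;
    Sigma match plus at least one structural shape -> high.
    """
    alerts = []
    for i, rec in enumerate(records):
        sigma = sigma_selection(rec)
        shape = cookie_shape_indicators(rec.get("cs-cookie", ""))
        if sigma or len(shape) >= 2:
            severity = "high" if (sigma and shape) else "medium"
            alerts.append((i, severity, shape))
    return alerts


if __name__ == "__main__":
    for idx, sev, shape in triage(SAMPLE_RECORDS):
        print(f"record {idx}: {sev} host={SAMPLE_RECORDS[idx]['cs-host']} indicators={shape}")
```

The structural regexes are what separate this beacon from a real Application Insights session: the Sigma field match alone would also fire on a JSON POST from a legitimate Azure SDK, while the cid=...-c1=2-c2=2-c3=2 and GUID=...&HASH=...&LV=...&V=4&LU=... shapes come only from the sample's own format string.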

IOC List

  • SHA-256: 710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8 ^[metadata.json]
  • SHA-1: b3fdbc48f16a5a574d5ab6cf4f4842e8710f1530 (prefix) ^[pefile.txt]
  • File Type: PE32+ x64 DLL, GUI subsystem ^[file.txt]
  • Compile Time: 2024-05-11 00:20:54 UTC ^[pefile.txt]
  • Import Hash: implied by the WININET + CRYPT32 + bcrypt + Cabinet + SHLWAPI + WTSAPI32 + USERENV + ADVAPI32 import profile ^[pefile.txt]
  • RTTI Classes: IController, IConfigProfile, IKernelModule, IConsole, IFileExplorer, IProcess, ITimer, IChannelController, IPing, IMiddleController ^[strings.txt:1471-1520]
  • Masquerade Strings: MicrosoftApplicationsTelemetryDeviceId, odata.metadata, armAuthorization, ai_session ^[strings.txt:1013-1022]
  • Cookie Format: %s=cid=%s-c1=2-c2=2-c3=2; %s=%s; %s=GUID=%08lx...&HASH=%04x&LV=%04d%02d&V=4&LU=%d ^[strings.txt:1029]

Behavioral Fingerprint

This DLL loads into a host process (likely via rundll32 or reflective injection), initializes a TLS callback, then spawns a background thread that instantiates a plugin controller hierarchy. Within 60 seconds of thread start it opens a WININET session, constructs HTTP headers masquerading as Azure Application Insights telemetry (including JSON Content-Type and fake session/device cookies), and exchanges data with a remote server. Simultaneously it may call DuplicateTokenEx and CreateProcessAsUserW to spawn child processes under stolen interactive-user tokens.

Detection Signatures

  • ATT&CK T1071.001 — Application Layer Protocol: Web Protocols (HTTP C2 beaconing) ^[pefile.txt:258-267]
  • ATT&CK T1059.003 — Windows Command Shell (IConsole plugin implies remote shell) ^[strings.txt:1514]
  • ATT&CK T1083 — File and Directory Discovery (IFileExplorer plugin) ^[strings.txt:1515]
  • ATT&CK T1057 — Process Discovery (IProcess plugin) ^[strings.txt:1516]
  • ATT&CK T1134 — Access Token Manipulation (DuplicateTokenEx + CreateProcessAsUserW) ^[pefile.txt:465-476]
  • ATT&CK T1078 — Valid Accounts (token theft for lateral movement) ^[pefile.txt:314-315]
  • ATT&CK T1036.005 — Match Legitimate Name or Location (telemetry header masquerade) ^[strings.txt:1013-1029]
  • ATT&CK T1001.003 — Data Obfuscation: Protocol Impersonation (Azure telemetry cookie impersonation) ^[strings.txt:1013-1029]
  • ATT&CK T1560 — Archive Collected Data (libzippp + Cabinet for compression) ^[strings.txt:1498] ^[pefile.txt:290-292]
  • ATT&CK T1543 — Create or Modify System Process (NtCreateUserProcess native API) ^[strings.txt:1140-1143]
  • ATT&CK T1070.004 — Indicator Removal: File Deletion (MoveFileExW with delayed rename is imported) ^[pefile.txt:384]

References

  • OpenCTI artifact: f11ddafe-3083-4f56-86c0-645dfa500d73 ^[metadata.json]
  • MalwareBazaar label: lazarus / remotepe ^[metadata.json]
  • Related wiki pages: lazarus, remotepe

Provenance

Analysis conducted on pp-hermes using:

  • Static: file, exiftool, pefile, strings, radare2 (rabin2 -I), yara (generic rules), binwalk.
  • Disassembly: Ghidra via pyghidra-mcp (auto-analysis, decompilation of entry and thread functions).
  • Capa not available (signature path missing, triage infrastructure issue).
  • No CAPE detonation performed: no Windows guest available at time of analysis.