type: entity
confidence: low
created: 2026-05-31
updated: 2026-05-31
tags: malware-family, loader, pe, compiler, evasion, anti-debug, unclassified, msvc, cpp, tls-callback, mitre-attck

unclassified-pe32plus

Overview

Placeholder entity for a class of unusually large (> 5 MB) MSVC C++ PE32+ binaries that share structural traits: a TLS callback array, few static strings, a populated but KERNEL32-only IAT, an RWX .fptable scratchpad section that is zero-filled on disk, and no recoverable C2 indicators. Currently populated by a single sample (0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7) that OpenCTI and MalwareBazaar co-labeled hippamsascom / sunwukong; structural comparison shows that attribution is wrong. The misattribution is documented below, and the family remains unclassified until additional siblings are found.

Build Stack

  • Language / Toolchain: C++ via MSVC 14.41 (VS 2022), CRT + STL exception framework ^[sample 0b6a849a/rabin2-info.txt], ^[sample 0b6a849a/strings.txt:1431-1437]
  • Arch: PE32+ x86-64, Windows GUI subsystem ^[sample 0b6a849a/file.txt]
  • IAT: Populated, only KERNEL32.dll (61 imports). No ADVAPI32, WS2_32, SHELL32, etc. ^[sample 0b6a849a/pefile.txt:268-358]
  • Signing: None ^[sample 0b6a849a/rabin2-info.txt]
  • Exports: Zero-length export directory ^[sample 0b6a849a/pefile.txt:219-221]
  • Masquerade: None. No RT_VERSION resource. No fabricated company/product info. ^[sample 0b6a849a/pefile.txt:360+]
  • TLS callbacks: 8 entries at VA 0x1404f9338 ^[raw/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7/dump_tls.py]
  • RWX scratchpad: .fptable section, 512 bytes raw, all zeroes on disk, section characteristics RWX (executable, readable and writable once mapped) ^[sample 0b6a849a/pefile.txt:157-175]

Capabilities

  • tls-callback-array-anti-analysis
  • kernel32-only-iat
  • loadlibrary-getprocaddress-dynamic-resolution
  • fptable-rwx-scratchpad
  • isdebuggerpresent-static-import
  • virtualprotect-static-import
  • no-masquerade-version-info
  • no-signed-authenticode
  • no-static-c2-iocs
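The three structural traits this entity is keyed on (KERNEL32-only IAT, TLS callback array, zero-filled RWX section) can be checked with a short stdlib-only PE32+ parser. The script below is an added worked example, not the page's own code and not the dump_tls.py referenced in Build Stack; it runs on a constructed PE32+ that has the same traits (section layout, offsets and the three callback addresses are made up for the demonstration and are not the real 0b6a849a sample). triage() accepts any PE32+ file's bytes, so open(path, "rb").read() on a real binary works the same way.

```python
import struct
PE32PLUS_MAGIC = 0x20B
DIR_IMPORT, DIR_TLS = 1, 9                      # data-directory indices: import table, TLS directory
SCN_RWX = 0x20000000 | 0x40000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE

def parse_pe(data):  # image base, data directories and section table of a PE32+ file
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]  # (RVA, size)
    keys = ("name", "vsize", "va", "rawsize", "rawptr", "chars")
    sections = [dict(zip(keys, (f[0].rstrip(b"\0").decode(), *f[1:5], f[9])))
                for f in (struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsec))]
    return {"image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data, pe):  # {dll: [names]} by walking the INT (or the IAT when there is no INT)
    rva = pe["dirs"][DIR_IMPORT][0]
    imports, off = {}, (rva_to_offset(pe, rva) if rva else None)
    while off is not None:
        oft, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if not name_rva: break                                # all-zero descriptor ends the list
        funcs, toff = [], rva_to_offset(pe, oft or first_thunk)
        while (thunk := struct.unpack_from("<Q", data, toff)[0]):
            funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk >> 63
                         else read_cstr(data, rva_to_offset(pe, thunk) + 2))  # +2 skips the 16-bit hint
            toff += 8
        imports[read_cstr(data, rva_to_offset(pe, name_rva))] = funcs
        off += 20
    return imports

def parse_tls_callbacks(data, pe):  # (AddressOfCallBacks VA, [callback VAs]) from the PE32+ TLS directory
    rva = pe["dirs"][DIR_TLS][0]
    if not rva: return 0, []
    cb_va = struct.unpack_from("<QQQQII", data, rva_to_offset(pe, rva))[3]
    callbacks, off = [], rva_to_offset(pe, cb_va - pe["image_base"])  # the field holds a VA, not an RVA
    while (va := struct.unpack_from("<Q", data, off)[0]):             # array is NULL-terminated
        callbacks.append(va)
        off += 8
    return cb_va, callbacks

def rwx_sections(data, pe):  # RWX-flagged sections, plus whether their raw bytes are all zero
    return [{"name": s["name"], "rawsize": s["rawsize"],
             "all_zero": not any(data[s["rawptr"]:s["rawptr"] + s["rawsize"]])}
            for s in pe["sections"] if s["chars"] & SCN_RWX == SCN_RWX]

def triage(data):
    pe = parse_pe(data)
    imports = parse_imports(data, pe)
    cb_va, callbacks = parse_tls_callbacks(data, pe)
    rwx = rwx_sections(data, pe)
    k32_only = {d.lower() for d in imports} == {"kernel32.dll"}
    return {"kernel32_only_iat": k32_only, "imports": imports,
            "dynamic_resolution_pair": {"LoadLibraryA", "GetProcAddress"} <= {f for fs in imports.values() for f in fs},
            "tls_callback_array_va": cb_va, "tls_callbacks": callbacks, "rwx_sections": rwx,
            "matches_profile": k32_only and len(callbacks) > 1 and any(r["all_zero"] for r in rwx)}

def build_sample():  # constructed PE32+ with the traits above; NOT the real 0b6a849a sample, layout is made up
    base, text_rva, rdata_rva, fpt_rva = 0x140000000, 0x1000, 0x2000, 0x3000
    hdr, rdata, pe, opt = bytearray(0x400), bytearray(0x400), 0x80, 0x80 + 24
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x8664, 3, 0, 0, 0, 240, 0x22)  # AMD64, 3 sections, 240-byte opt hdr
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC)
    struct.pack_into("<QII", hdr, opt + 24, base, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", hdr, opt + 108, 16)
    struct.pack_into("<II", hdr, opt + 112 + 8 * DIR_IMPORT, rdata_rva, 40)
    struct.pack_into("<II", hdr, opt + 112 + 8 * DIR_TLS, rdata_rva + 0x180, 40)
    for i, (name, va, size, rawptr, chars) in enumerate([(b".text", text_rva, 0x200, 0x400, 0x60000020),
            (b".rdata", rdata_rva, 0x400, 0x600, 0x40000040), (b".fptable", fpt_rva, 0x200, 0xA00, SCN_RWX | 0x40)]):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 240 + 40 * i, name, size, va, size, rawptr, 0, 0, 0, 0, chars)
    # One import descriptor (KERNEL32.dll) followed by the null terminator; INT == IAT at rdata+0x140.
    struct.pack_into("<IIIII", rdata, 0, rdata_rva + 0x140, 0, 0, rdata_rva + 0x80, rdata_rva + 0x140)
    rdata[0x80:0x8D] = b"KERNEL32.dll\0"
    for i, n in enumerate(["IsDebuggerPresent", "VirtualProtect", "LoadLibraryA", "GetProcAddress"]):
        rdata[0xA0 + 0x20 * i:0xA0 + 0x20 * i + len(n) + 3] = b"\0\0" + n.encode() + b"\0"  # hint + name
        struct.pack_into("<Q", rdata, 0x140 + 8 * i, rdata_rva + 0xA0 + 0x20 * i)
    # TLS directory at rdata+0x180; AddressOfCallBacks is a VA pointing at three callbacks inside .text.
    struct.pack_into("<QQQQII", rdata, 0x180, 0, 0, 0, base + rdata_rva + 0x200, 0, 0)
    struct.pack_into("<QQQ", rdata, 0x200, base + text_rva + 0x10, base + text_rva + 0x40, base + text_rva + 0x70)
    return bytes(hdr) + bytes(0x200) + bytes(rdata) + bytes(0x200)  # headers, .text, .rdata, zero-filled .fptable

if __name__ == "__main__":
    print(triage(build_sample()))
```

Two details matter when this is pointed at a real file. AddressOfCallBacks in the TLS directory is a virtual address, not an RVA, so the image base is subtracted before mapping it to a file offset; on a memory dump taken at a relocated base, substitute the actual load base or the lookup lands in the wrong place. The "all zero on disk" flag is what separates a scratchpad like .fptable from an ordinary RWX section that carries packed data: a zero-filled RWX section contributes nothing to static analysis and only becomes interesting once something writes to it, which is why the page treats it as an in-memory staging area rather than as packed payload.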

Deploy / TTPs

| Technique | ID | Evidence |
|---|---|---|
| Debugger Evasion | T1622 | IsDebuggerPresent in IAT ^[sample 0b6a849a/pefile.txt:299] |
| Obfuscated Files or Information | T1027 | Only ~1,500 recoverable strings from a 5.2 MB .text section ^[sample 0b6a849a/strings.txt] |
| Software Packing (inferred) | T1027.002 | RWX .fptable section, zero-filled on disk; consistent with in-memory payload staging ^[sample 0b6a849a/pefile.txt:157-175] |
| Native API | T1106 | LoadLibraryA + GetProcAddress imported, enabling runtime resolution of anything outside the KERNEL32 IAT ^[sample 0b6a849a/pefile.txt:279,281] |
| Process Injection (inferred) | T1055 | VirtualProtect import plus the RWX .fptable section suggests in-memory payload staging; injection target and primitive not established ^[sample 0b6a849a/pefile.txt:349] |
| Virtualization/Sandbox Evasion (tentative) | T1497 | 8 TLS callbacks run before the entry point, so before any breakpoint or hook placed on main(); mapping is tentative because no specific environment check has been recovered yet ^[raw/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7/dump_tls.py] |

Known False-Positive Attributions

This entity exists because the single observed sample (0b6a849a68a4) was co-labeled hippamsascom / sunwukong by OpenCTI and MalwareBazaar. Structural comparison shows no kinship with that cluster. The mislabeling is stored here as a note for future analysts.

Notable Analyses

  • /intel/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7.html — 0b6a849a68a4, 5.9 MB MSVC C++ PE32+, TLS callbacks, empty C2 footprint, falsely attributed

Related

  • hippamsascom — cluster this sample was co-labeled with; structurally incompatible (see hippamsascom.md "Known false-positive attributions" section)
  • tls-callback-anti-analysis — build/RE technique for pre-main TLS execution
  • peb-walking-api-resolution — not present in this sample, but contrast with hippamsascom technique