
Windows Analysis Report
ENDEV.exe

Overview

General Information

Sample Name: ENDEV.exe
Analysis ID: 1330698
MD5: a1950243a73b32f619fdf441bc1d9992
SHA1: e8f3be1fc95d8019c24067c061985fc583c71c29
SHA256: 62f1fefe3599869bdafb14b9d86681b7107f1b1caf419258a4e767bdd1554969

Detection

RedLine
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • ENDEV.exe (PID: 6988 cmdline: C:\Users\user\Desktop\ENDEV.exe MD5: A1950243A73B32F619FDF441BC1D9992)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: ENDEV.exe
  Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
  Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen
  Strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 77 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.

Source: 0.0.ENDEV.exe.400000.0.unpack
  Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
  Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen
  Strings: the same six strings ($s1 to $s6) at the same offsets as listed for ENDEV.exe above

Source: 0.2.ENDEV.exe.400000.0.unpack
  Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
  Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen
  Strings: the same six strings ($s1 to $s6) at the same offsets as listed for ENDEV.exe above

        No Sigma rule has matched
        No Snort rule has matched


        AV Detection

Source: ENDEV.exe, Avira: detected
Source: ENDEV.exe, ReversingLabs: Detection: 81%
Source: ENDEV.exe, Joe Sandbox ML: detected
Source: ENDEV.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        Source: Binary string: ENDEV.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: ENDEV.pdbX source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678992808.00000000051F0000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: _.pdb source: ENDEV.exe, 00000000.00000002.1677041680.0000000002550000.00000004.08000000.00040000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, ENDEV.exe, 00000000.00000003.1665975467.00000000005F1000.00000004.00000020.00020000.00000000.sdmp

        System Summary

Source: ENDEV.exe, type: SAMPLE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: ENDEV.exe, type: SAMPLE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: ENDEV.exe, 00000000.00000003.1663827433.0000000000639000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000003.1664197921.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclrjit.dllT vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000002.1677970623.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000003.1663738355.0000000000624000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000002.1676441813.00000000022E0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000002.1678809526.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
Source: ENDEV.exe, 00000000.00000003.1665975467.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilename_.dll4 vs ENDEV.exe
Source: C:\Users\user\Desktop\ENDEV.exe, Code functions: 0_2_00408C60, 0_2_0040DC11, 0_2_00407C3F, 0_2_00418CCC, 0_2_00406CA0, 0_2_004028B0, 0_2_0041A4BE, 0_2_00418244, 0_2_00401650, 0_2_00402F20, 0_2_004193C4, 0_2_00418788, 0_2_00402F89, 0_2_00402B90, 0_2_004073A0, 0_2_0224D4E8, 0_2_02240DA0, 0_2_02240D90, 0_2_058A0DC0, 0_2_058A04F0, 0_2_058A01A8
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: String function: 0040E1D8 appears 43 times
Source: ENDEV.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ENDEV.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ENDEV.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\ENDEV.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ENDEV.exe, Command line argument: 08A (0_2_00413780)
Source: C:\Users\user\Desktop\ENDEV.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDEV.exe.log
Source: classification engine, Classification label: mal84.troj.evad.winEXE@1/1@0/0
Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs, Cryptographic APIs: 'CreateDecryptor' (reported three times for this source)
Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs, Cryptographic APIs: 'CreateDecryptor' (reported three times for this source)
Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs, Cryptographic APIs: 'CreateDecryptor' (reported three times for this source)
Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs, Cryptographic APIs: 'CreateDecryptor' (reported three times for this source)
Source: ENDEV.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDEV.exe.2550f08.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDEV.exe.35fd990.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: ENDEV.exe, Static PE information: real checksum: 0x23bfb should be: 0x3abdc
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_0040E21D push ecx; ret (0_2_0040E230)
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd (0_2_0040BBA3)
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_022450E9 push esi; ret (0_2_022450EF)
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: 0.3.ENDEV.exe.5da628.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDEV.exe.35e6478.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDEV.exe.51f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDEV.exe.2320f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDEV.exe.2550f08.4.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDEV.exe.35fd990.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs, High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'sooJbsp5A', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: C:\Users\user\Desktop\ENDEV.exe, Process information set: NOOPENFILEERRORBOX (this entry is repeated 30 times in the report)

        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * From Win32_NetworkAdapter
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="0"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="0"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="1"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="2"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="2"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="3"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="3"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="4"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="4"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="5"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="5"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="6"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="6"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="7"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="7"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="8"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="8"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="9"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapter.DeviceID="9"::Enable
Source: C:\Users\user\Desktop\ENDEV.exe TID: 7044, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\ENDEV.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-14561)
Source: C:\Users\user\Desktop\ENDEV.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ENDEV.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\ENDEV.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ENDEV.exe, Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ENDEV.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: GetLocaleInfoA (0_2_00417A20)
Source: C:\Users\user\Desktop\ENDEV.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ENDEV.exe, Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

        Stealing of Sensitive Information

Source: Yara match, File source: ENDEV.exe, type: SAMPLE
Source: Yara match, File source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality

Source: Yara match, File source: ENDEV.exe, type: SAMPLE
Source: Yara match, File source: 0.0.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ENDEV.exe.400000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (techniques listed per tactic column; the digits in front of a technique are the report's signature-count badges as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Native API; At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 121 Virtualization/Sandbox Evasion; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 13 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 1 Process Discovery; 23 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

        This section contains all screenshots a