Windows Analysis Report
ENDIDEV.exe

Overview

General Information

Sample name: ENDIDEV.exe
Analysis ID: 1427668
MD5: 4b4106cbe0cbf4ca771a185abaf54362
SHA1: b0e595390c77b313a08a81df366a2ba3f8e683b4
SHA256: 5d529ebadf935d071cd64d97ab459aa12766af1063cb2fc067cff5c118dff2fa
Tags: exeKamruiredline
Infos:

Detection

PureLog Stealer, RedLine
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: ENDIDEV.exe ReversingLabs: Detection: 50%
Machine Learning detection for sample
Source: ENDIDEV.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: ENDIDEV.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1740565281.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741300902.00000000006B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ENDEV.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{b source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: ENDIDEV.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_023614B5 0_2_023614B5
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_02361493 0_2_02361493
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_02360DA0 0_2_02360DA0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_02360D91 0_2_02360D91
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_05590470 0_2_05590470
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_05590480 0_2_05590480
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: String function: 0040E1D8 appears 43 times
Sample file is different than original file name gathered from version info
Source: ENDIDEV.exe, 00000000.00000003.1693799935.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1693601906.00000000006D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000000.1692701756.0000000000426000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ENDIDEV.exe
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $kq,\\StringFileInfo\\040904B0\\OriginalFilename vs ENDIDEV.exe
Source: ENDIDEV.exe Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe
Uses 32bit PE files
Source: ENDIDEV.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: ENDIDEV.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\ENDIDEV.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDIDEV.exe.log Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Mutant created: NULL
Source: C:\Users\user\Desktop\ENDIDEV.exe Command line argument: 08A 0_2_00413780
Source: ENDIDEV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ENDIDEV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ENDIDEV.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: ENDIDEV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1740565281.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741300902.00000000006B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ENDEV.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{b source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
PE file contains an invalid checksum
Source: ENDIDEV.exe Static PE information: real checksum: 0x23bfb should be: 0x37016
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_023644EB push edi; iretd 0_2_023644EE
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_023650DF push esp; ret 0_2_023650F1
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 2270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 2570000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: 22C0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ENDIDEV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\ENDIDEV.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ENDIDEV.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\ENDIDEV.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\ENDIDEV.exe Memory allocated: page read and write | page guard Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: GetLocaleInfoA, 0_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ENDIDEV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ENDIDEV.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\Users\user\Desktop\ENDIDEV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110f8e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.49f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110086.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.358d590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3576478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3575570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3575570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ENDIDEV.exe.689b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500f08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: ENDIDEV.exe, type: SAMPLE
Source: Yara match File source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110f8e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.49f0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110086.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2110086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.358d590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3576478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3575570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3575570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ENDIDEV.exe.689b38.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.2500f08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: ENDIDEV.exe, type: SAMPLE
Source: Yara match File source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1427668 Sample: ENDIDEV.exe Startdate: 17/04/2024 Architecture: WINDOWS Score: 80 7 Malicious sample detected (through community Yara rule) 2->7 9 Multi AV Scanner detection for submitted file 2->9 11 Yara detected PureLog Stealer 2->11 13 3 other signatures 2->13 5 ENDIDEV.exe 1 2->5         started        process3
No contacted IP infos