Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ENDIDEV.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.202929389670869
Filename:	ENDIDEV.exe
Filesize:	189440
MD5:	4b4106cbe0cbf4ca771a185abaf54362
SHA1:	b0e595390c77b313a08a81df366a2ba3f8e683b4
SHA256:	5d529ebadf935d071cd64d97ab459aa12766af1063cb2fc067cff5c118dff2fa
SHA512:	c268a4419b178bebc57bf9814e01c276b3c3f52115273a0a2921c8fcc9da07806fe85c14590f56b4729dd06a028d4ba59dc100a1b1aeb7f62f5abf3e832516e6
SSDEEP:	3072:fDKW1LgppLRHMY0TBfJvjcTp5XGGnH/K+Q9jCL:fDKW1Lgbdl0TBBvjc/L9Q5y
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................@@......PE..L...t..P..........#........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing Security Software Discovery
Machine Learning detection for sample	AV Detection	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Security Software Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Security Software Discovery
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools Security Software Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading Security Software Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools Security Software Discovery
Creates mutexes	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Might use command line arguments	System Summary	Command and Scripting Interpreter Masquerading Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary	Security Software Discovery
Sample is known by Antivirus	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDIDEV.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDIDEV.exe.log
Category:	dropped
Dump:	ENDIDEV.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ENDIDEV.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.361827289088002
Encrypted:	false
Ssdeep:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
Size:	410
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ENDIDEV.exe

"C:\Users\user\Desktop\ENDIDEV.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7304
Target ID:	0
Parent PID:	2580
Name:	ENDIDEV.exe
Path:	C:\Users\user\Desktop\ENDIDEV.exe
Commandline:	"C:\Users\user\Desktop\ENDIDEV.exe"
Size:	189440
MD5:	4B4106CBE0CBF4CA771A185ABAF54362
Time:	23:13:04
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	208896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

3575000

trusted library allocation

page read and write

2500000

trusted library section

page read and write

689000

heap

page read and write

49F0000

trusted library section

page read and write

20D0000

heap

page read and write

25A1000

trusted library allocation

page read and write

6AF000

heap

page read and write

49B6000

trusted library allocation

page read and write

6A5000

heap

page read and write

709000

heap

page read and write

21D0000

trusted library allocation

page read and write

6B6000

heap

page read and write

5580000

trusted library allocation

page read and write

623000

trusted library allocation

page read and write

59EF000

stack

page read and write

5590000

trusted library allocation

page execute and read and write

22B0000

heap

page read and write

2571000

trusted library allocation

page read and write

49E5000

trusted library allocation

page read and write

2550000

trusted library allocation

page read and write

49BE000

trusted library allocation

page read and write

5AE2000

heap

page read and write

6B7000

heap

page read and write

713000

heap

page read and write

2530000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

25D1000

trusted library allocation

page read and write

5AA0000

heap

page read and write

6B8000

heap

page read and write

5570000

trusted library allocation

page read and write

5170000

trusted library allocation

page read and write

52E0000

trusted library allocation

page read and write

4A40000

trusted library allocation

page read and write

520000

heap

page read and write

6AC000

heap

page read and write

401000

unkown

page execute read

5270000

trusted library allocation

page read and write

49BC000

trusted library allocation

page read and write

25AB000

trusted library allocation

page read and write

2260000

heap

page read and write

5240000

trusted library allocation

page read and write

6AF000

heap

page read and write

6A6000

heap

page read and write

5180000

trusted library allocation

page read and write

259D000

trusted library allocation

page read and write

663000

heap

page read and write

4A71000

trusted library allocation

page read and write

6D8000

heap

page read and write

3571000

trusted library allocation

page read and write

53CE000

stack

page read and write

22BA000

heap

page read and write

4A80000

trusted library allocation

page read and write

6F30000

trusted library allocation

page read and write

538F000

stack

page read and write

22B6000

heap

page read and write

25DF000

trusted library allocation

page read and write

52B0000

trusted library allocation

page read and write

701000

heap

page read and write

6C6000

heap

page read and write

25CF000

trusted library allocation

page read and write

21F7000

trusted library allocation

page execute and read and write

6D3000

heap

page read and write

5260000

trusted library allocation

page read and write

21D6000

trusted library allocation

page execute and read and write

24A0000

heap

page read and write

2540000

trusted library allocation

page read and write

92F000

stack

page read and write

225E000

stack

page read and write

5213000

trusted library allocation

page read and write

716000

heap

page read and write

21DA000

trusted library allocation

page execute and read and write

5190000

trusted library allocation

page read and write

6A0000

heap

page read and write

630000

heap

page read and write

4A90000

heap

page execute and read and write

49C4000

trusted library allocation

page read and write

6AF000

heap

page read and write

21E0000

heap

page read and write

701000

heap

page read and write

466D000

stack

page read and write

68A000

heap

page read and write

49B4000

trusted library allocation

page read and write

2560000

heap

page execute and read and write

25D7000

trusted library allocation

page read and write

25A9000

trusted library allocation

page read and write

4B9F000

stack

page read and write

678000

heap

page read and write

51A0000

trusted library allocation

page read and write

2588000

trusted library allocation

page read and write

61D000

trusted library allocation

page execute and read and write

6C2000

heap

page read and write

690000

heap

page read and write

6FD000

heap

page read and write

62D000

trusted library allocation

page execute and read and write

4A60000

trusted library allocation

page read and write

6EE000

heap

page read and write

69A000

heap

page read and write

2580000

trusted library allocation

page read and write

5A5000

heap

page read and write

5EE000

stack

page read and write

432000

unkown

page readonly

426000

unkown

page read and write

6BD000

heap

page read and write

25DB000

trusted library allocation

page read and write

25C6000

trusted library allocation

page read and write

4A80000

trusted library allocation

page read and write

566E000

stack

page read and write

63A000

heap

page read and write

5580000

trusted library allocation

page read and write

6B6000

heap

page read and write

5160000

trusted library allocation

page read and write

6B6000

heap

page read and write

4A20000

trusted library allocation

page read and write

51E0000

trusted library allocation

page read and write

25C4000

trusted library allocation

page read and write

70B000

heap

page read and write

700000

heap

page read and write

6F0000

heap

page read and write

49D9000

trusted library allocation

page read and write

41B000

unkown

page readonly

4A6E000

stack

page read and write

51F0000

trusted library allocation

page read and write

712000

heap

page read and write

5200000

trusted library allocation

page read and write

2210000

trusted library allocation

page read and write

2360000

trusted library allocation

page execute and read and write

25D9000

trusted library allocation

page read and write

56E000

stack

page read and write

528E000

stack

page read and write

52C0000

trusted library allocation

page read and write

426000

unkown

page readonly

25BE000

trusted library allocation

page read and write

25A5000

trusted library allocation

page read and write

4A10000

trusted library allocation

page read and write

52D0000

trusted library allocation

page read and write

70B000

heap

page read and write

51D0000

trusted library allocation

page read and write

52A0000

trusted library allocation

page read and write

258C000

trusted library allocation

page read and write

2550000

trusted library allocation

page read and write

5220000

trusted library allocation

page read and write

66B000

heap

page read and write

55A0000

heap

page read and write

56AE000

stack

page read and write

21FB000

trusted library allocation

page execute and read and write

4A77000

trusted library allocation

page read and write

4A30000

trusted library allocation

page read and write

25A7000

trusted library allocation

page read and write

249F000

stack

page read and write

400000

unkown

page readonly

41B000

unkown

page readonly

57EF000

stack

page read and write

258E000

trusted library allocation

page read and write

22AC000

stack

page read and write

610000

trusted library allocation

page read and write

580000

heap

page read and write

600000

trusted library allocation

page read and write

5150000

trusted library allocation

page read and write

614000

trusted library allocation

page read and write

69C000

heap

page read and write

2577000

trusted library allocation

page read and write

25BA000

trusted library allocation

page read and write

713000

heap

page read and write

70F000

heap

page read and write

6FD000

heap

page read and write

2584000

trusted library allocation

page read and write

620000

trusted library allocation

page read and write

2520000

trusted library allocation

page read and write

5AB4000

heap

page read and write

6CA000

heap

page read and write

2370000

trusted library allocation

page read and write

25D5000

trusted library allocation

page read and write

24FE000

stack

page read and write

51C0000

trusted library allocation

page read and write

82F000

stack

page read and write

6D8000

heap

page read and write

6D0000

heap

page read and write

2586000

trusted library allocation

page read and write

21F0000

trusted library allocation

page read and write

5A0000

heap

page read and write

49DD000

trusted library allocation

page read and write

613000

trusted library allocation

page execute and read and write

6B0000

heap

page read and write

431000

unkown

page read and write

5571000

trusted library allocation

page read and write

49C8000

trusted library allocation

page read and write

25AD000

trusted library allocation

page read and write

49B0000

trusted library allocation

page read and write

422000

unkown

page write copy

5AB0000

heap

page read and write

440000

heap

page read and write

25DD000

trusted library allocation

page read and write

58EF000

stack

page read and write

49CE000

trusted library allocation

page read and write

6B6000

heap

page read and write

6C1000

heap

page read and write

51B0000

trusted library allocation

page read and write

6CC000

heap

page read and write

2582000

trusted library allocation

page read and write

49D6000

trusted library allocation

page read and write

258A000

trusted library allocation

page read and write

401000

unkown

page execute read

21E4000

heap

page read and write

25C0000

trusted library allocation

page read and write

259F000

trusted library allocation

page read and write

6F20000

heap

page read and write

198000

stack

page read and write

5210000

trusted library allocation

page read and write

4A50000

trusted library allocation

page read and write

49E2000

trusted library allocation

page read and write

49D1000

trusted library allocation

page read and write

2530000

trusted library allocation

page read and write

2390000

heap

page read and write

422000

unkown

page read and write

4A47000

trusted library allocation

page read and write

6C4000

heap

page read and write

5230000

trusted library allocation

page read and write

400000

unkown

page readonly

25E2000

trusted library allocation

page read and write

6FD000

heap

page read and write

2591000

trusted library allocation

page read and write

25BC000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

524F000

stack

page read and write

6BB000

heap

page read and write

52A5000

trusted library allocation

page read and write

54CF000

stack

page read and write

63E000

heap

page read and write

25A3000

trusted library allocation

page read and write

4A70000

trusted library allocation

page read and write

56EE000

stack

page read and write

6AC000

heap

page read and write

6BF000

heap

page read and write

5250000

trusted library allocation

page read and write

698000

heap

page read and write

99000

stack

page read and write

717000

heap

page read and write

There are 227 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ENDIDEV.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportENDIDEV.exe

Files

Processes

Memdumps

IOC Report
ENDIDEV.exe