Windows Analysis Report
recibo.exe

Overview

General Information

Sample Name:	recibo.exe
Analysis ID:	635097
MD5:	4680729edca682d1b6de8cf875bbfdf5
SHA1:	debf5126050330ecbfc29582d979101cd557dd42
SHA256:	e18032a74c8138c907ab2b6937ce66a4483a85e89b05a25153499efee4e85898
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.761876778.0000000002A50000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1EX-TfU9P_N_SsQAtVtT8-t2zzMXng6WS"}

Multi AV Scanner detection for submitted file

Source: recibo.exe	Virustotal: Detection: 55%	Perma Link
Source: recibo.exe	Metadefender: Detection: 25%	Perma Link
Source: recibo.exe	ReversingLabs: Detection: 50%

Uses 32bit PE files

Source: recibo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\recibo.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: recibo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Beta\x64\bin\vm3ddevapi64-debug.pdb source: vm3ddevapi64-debug.dll.0.dr
Source:	Binary string: C:\dev\UCDE\hallasan_gothamjarvis_4\ThirdParty\POG\HP.SmartApp.UCDE.Win32.Lib\HP.SmartApp.UCDE.Win32.Exe\obj\x64\Release\HPSUPD-Win32Exe.pdb source: HPSUPD-Win32Exe.exe.0.dr

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\FLADBARMEDES.tub	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\Rekorddage.Res7	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1EX-TfU9P_N_SsQAtVtT8-t2zzMXng6WS

Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: recibo.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: iso_639-3.xml.0.dr	String found in binary or memory: http://www.sil.org/iso639-3/
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.vmware.com/0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.vmware.com/0/
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: lgpllibs.dll.0.dr	String found in binary or memory: https://mozilla.org0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: recibo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

PE file does not import any functions

Source: HPSUPD-Win32Exe.exe.0.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamevm3ddevapi64-release.dll> vs recibo.exe

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_732A1BFF	0_2_732A1BFF

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\recibo.exe

Process Stats: CPU usage > 98%

Source: recibo.exe	Virustotal: Detection: 55%
Source: recibo.exe	Metadefender: Detection: 25%
Source: recibo.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\recibo.exe

File read: C:\Users\user\Desktop\recibo.exe

Jump to behavior

Source: recibo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\recibo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

0_2_0040352D

Source: C:\Users\user\Desktop\recibo.exe

File created: C:\Users\user\AppData\Local\Temp\nst55CD.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\recibo.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\recibo.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: recibo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Beta\x64\bin\vm3ddevapi64-debug.pdb source: vm3ddevapi64-debug.dll.0.dr
Source:	Binary string: C:\dev\UCDE\hallasan_gothamjarvis_4\ThirdParty\POG\HP.SmartApp.UCDE.Win32.Lib\HP.SmartApp.UCDE.Win32.Exe\obj\x64\Release\HPSUPD-Win32Exe.pdb source: HPSUPD-Win32Exe.exe.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.761876778.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A30C0 push eax; ret

0_2_732A30EE

PE file contains sections with non-standard names

Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: .didat
Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: .gehcont
Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: _RDATA
Source: lgpllibs.dll.0.dr	Static PE information: section name: .00cfg

Binary contains a suspicious time stamp

Source: HPSUPD-Win32Exe.exe.0.dr

Static PE information: 0x8CC4634B [Wed Nov 2 06:25:15 2044 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732A1BFF

Drops PE files

Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\nso5699.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\lgpllibs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\recibo.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\recibo.exe

RDTSC instruction interceptor: First address: 0000000002A526F8 second address: 0000000002A526F8 instructions: 0x00000000 rdtsc 0x00000002 test ch, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007EFE6051EC00h 0x00000008 cmp ch, dh 0x0000000a cmp edx, eax 0x0000000c inc ebp 0x0000000d test ebx, ecx 0x0000000f inc ebx 0x00000010 test ah, ah 0x00000012 rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lgpllibs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\recibo.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\recibo.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\FLADBARMEDES.tub	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\Rekorddage.Res7	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: CompanyNameVMware, Inc.j!
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: noreply@vmware.com0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Device API Module:
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: ?d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\lib\raster\bits2pixels.cd:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\lib\umlib\log.cC:\vm3dum_log\vm3dum%s_%d-%d.logwtC:\vm3dum_log\vm3dum*.log%.4d-%.2d-%.2dT%.2d:%.2d:%.2d.%.4d\| Thread ID: %d \|%s%sDXUM%s: Software\VMware, Inc.\VMware SVGADebugSearchPathEXCEPTION_ACCESS_VIOLATIONEXCEPTION_ARRAY_BOUNDS_EXCEEDEDEXCEPTION_BREAKPOINTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_FLT_INEXACT_RESULTEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_FLT_OVERFLOWEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_UNDERFLOWEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_INT_OVERFLOWEXCEPTION_NONCONTINUABLE_EXCEPTIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_SINGLE_STEPunknownBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.1
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.Z

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732A1BFF

Source: C:\Users\user\Desktop\recibo.exe

0_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Found malware configuration

Source: 00000000.00000002.761876778.0000000002A50000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1EX-TfU9P_N_SsQAtVtT8-t2zzMXng6WS"}

Multi AV Scanner detection for submitted file

Source: recibo.exe	Virustotal: Detection: 55%	Perma Link
Source: recibo.exe	Metadefender: Detection: 25%	Perma Link
Source: recibo.exe	ReversingLabs: Detection: 50%

Uses 32bit PE files

Source: recibo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\recibo.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: recibo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Beta\x64\bin\vm3ddevapi64-debug.pdb source: vm3ddevapi64-debug.dll.0.dr
Source:	Binary string: C:\dev\UCDE\hallasan_gothamjarvis_4\ThirdParty\POG\HP.SmartApp.UCDE.Win32.Lib\HP.SmartApp.UCDE.Win32.Exe\obj\x64\Release\HPSUPD-Win32Exe.pdb source: HPSUPD-Win32Exe.exe.0.dr

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\FLADBARMEDES.tub	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\Rekorddage.Res7	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1EX-TfU9P_N_SsQAtVtT8-t2zzMXng6WS

Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: recibo.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: iso_639-3.xml.0.dr	String found in binary or memory: http://www.sil.org/iso639-3/
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.vmware.com/0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: http://www.vmware.com/0/
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: lgpllibs.dll.0.dr	String found in binary or memory: https://mozilla.org0
Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vm3ddevapi64-debug.dll.0.dr, lgpllibs.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\recibo.exe

0_2_004056DE

Uses 32bit PE files

Source: recibo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

PE file does not import any functions

Source: HPSUPD-Win32Exe.exe.0.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: recibo.exe, 00000000.00000002.761476867.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamevm3ddevapi64-release.dll> vs recibo.exe

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\recibo.exe

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_732A1BFF	0_2_732A1BFF

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\recibo.exe

Process Stats: CPU usage > 98%

Source: recibo.exe	Virustotal: Detection: 55%
Source: recibo.exe	Metadefender: Detection: 25%
Source: recibo.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\recibo.exe

File read: C:\Users\user\Desktop\recibo.exe

Jump to behavior

Source: recibo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\recibo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

0_2_0040352D

Source: C:\Users\user\Desktop\recibo.exe

File created: C:\Users\user\AppData\Local\Temp\nst55CD.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\recibo.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\recibo.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: recibo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Beta\x64\bin\vm3ddevapi64-debug.pdb source: vm3ddevapi64-debug.dll.0.dr
Source:	Binary string: C:\dev\UCDE\hallasan_gothamjarvis_4\ThirdParty\POG\HP.SmartApp.UCDE.Win32.Lib\HP.SmartApp.UCDE.Win32.Exe\obj\x64\Release\HPSUPD-Win32Exe.pdb source: HPSUPD-Win32Exe.exe.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.761876778.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A30C0 push eax; ret

0_2_732A30EE

PE file contains sections with non-standard names

Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: .didat
Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: .gehcont
Source: vm3ddevapi64-debug.dll.0.dr	Static PE information: section name: _RDATA
Source: lgpllibs.dll.0.dr	Static PE information: section name: .00cfg

Binary contains a suspicious time stamp

Source: HPSUPD-Win32Exe.exe.0.dr

Static PE information: 0x8CC4634B [Wed Nov 2 06:25:15 2044 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732A1BFF

Drops PE files

Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\nso5699.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	File created: C:\Users\user\AppData\Local\Temp\lgpllibs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\recibo.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\recibo.exe

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	Jump to dropped file
Source: C:\Users\user\Desktop\recibo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lgpllibs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\recibo.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\recibo.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\recibo.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\FLADBARMEDES.tub	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp\Rekorddage.Res7	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\recibo.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: CompanyNameVMware, Inc.j!
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: noreply@vmware.com0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Device API Module:
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: ?d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\lib\raster\bits2pixels.cd:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\lib\umlib\log.cC:\vm3dum_log\vm3dum%s_%d-%d.logwtC:\vm3dum_log\vm3dum*.log%.4d-%.2d-%.2dT%.2d:%.2d:%.2d.%.4d\| Thread ID: %d \|%s%sDXUM%s: Software\VMware, Inc.\VMware SVGADebugSearchPathEXCEPTION_ACCESS_VIOLATIONEXCEPTION_ARRAY_BOUNDS_EXCEEDEDEXCEPTION_BREAKPOINTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_FLT_INEXACT_RESULTEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_FLT_OVERFLOWEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_UNDERFLOWEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_INT_OVERFLOWEXCEPTION_NONCONTINUABLE_EXCEPTIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_SINGLE_STEPunknownBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.1
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: VMware, Inc.0
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3ddevapi64-debug.dll.0.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.Z

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\recibo.exe

Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732A1BFF

Source: C:\Users\user\Desktop\recibo.exe

0_2_0040352D

ID:	635097
Product:	CloudBasic
Start time:	13:15:13
Start date:	27.05.2022
Sample:	recibo.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4680729edca682d1b6de8cf875bbfdf5
SHA1:	debf5126050330ecbfc29582d979101cd557dd42
SHA256:	e18032a74c8138c907ab2b6937ce66a4483a85e89b05a25153499efee4e85898
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Adventure_19.bmp	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3	8D61CCB44C962D7831FB6703B4AF623D	2BFDC667151057B3A42CDD22F9EB0E5AB0B0EF3C	1EFFB5A4A46B05C024518546D4C8BBB45AD3496590E3E86AF533CF31C61512F4
C:\Users\user\AppData\Local\Temp\FLADBARMEDES.tub	data	0DBDB94BF9F058978C90852607F98DBD	DCA1907D14891499D855DEB23BF461799C7ED0C4	11D6302EBD701AD527EC6358E33FC578AE0D88AC9A43AC03F4AD5276B186538E
C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	D600D4F40A2BE641991044EE0814BFA4	3BDEF3488C28D43D285C47F46B82B980A8F41CD8	B0D12A7AADF51B02D52E9E88295E6E6606F68C1508C8D9323B6549AA20EC82AA
C:\Users\user\AppData\Local\Temp\Rekorddage.Res7	ASCII text, with very long lines, with no line terminators	6001AAC06A6EB2B760F3DC4BE1B2D3F8	A88A72756DB347DE9507495A9F6D5E521EB5FB42	0E1AB3CD23AE04019CAEBE185924D859E7017E933F824B1CBEB50FAD08B0CC76
C:\Users\user\AppData\Local\Temp\emoji-body-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	F492568998D5783731D50D7CA73AC7A3	E87B96367BDB02176067336A1CCE3B32EBDCB3B2	7A08D7B1CC724A453A0C3EB2F36369D7FD6AC6BD965CE0B4D075D570ED369A9B
C:\Users\user\AppData\Local\Temp\iso_639-3.xml	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators	DCAD3B0F729144CE9EE9A6006D9C3E74	3EEF5F61BEF834B7089A87423D128990A1065E81	D8AB9C2641481645A8ACF875FFA3E3CB271D2CD946691DD8E0BD48513FFF1370
C:\Users\user\AppData\Local\Temp\lgpllibs.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	9B623087B905D8FE157BDB7EC85009A8	4B6DD4C0292558513A840B40A991533735D55E02	7FA4C9EA4BE0088D6D311BD93FA65BAF8828DA32A2FD4BF8CE0EADE552D46246
C:\Users\user\AppData\Local\Temp\microphone-disabled-symbolic.svg	SVG Scalable Vector Graphics image	BAE5EB7B918D568E955B8885EEB5DB5A	FC4421C6A019D0147A13B08CBB2F0720F49E17C3	273F11F9F8BD84F2A32E0CC857E21050A9A9C7713F33D9A220991DC232C470BA
C:\Users\user\AppData\Local\Temp\nso5699.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\printer-symbolic.svg	SVG Scalable Vector Graphics image	A4ACDD85E11EA101F3BB4B5BEC3382F0	2DC81694D5D3C403BF696B1796385D2F64C40D77	AD87999B06B9C8035CCAC8EF29D54C9E00055EE9E2DBDD9B7BA24CCF56C471E6
C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	9ECB2FA510DCDF4BFB06DC80A83294BD	65E0CEC428D010B94D81BA784EA709EBA598A1CD	865868E3BE461332134EFBBA9F1D8AAA5E29A0C8AD3F5A2AC47311F47D4CFD62

Windows Analysis Report
recibo.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report recibo.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
recibo.exe