Analysis Report Betaling_advies.exe

Overview

General Information

Sample Name: Betaling_advies.exe
Analysis ID: 383925
MD5: 5011945cdee260fb8688b06568d007b3
SHA1: c0e27a58017d0cf737b86ff3ced063d120f7badd
SHA256: 96bd9ed85e93c31a337a92e99fd6e1966f68f1a28fef43a21da725c36405988c
Tags: exe, Formbook, geo, NLD

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Betaling_advies.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: 5011945CDEE260FB8688B06568D007B3)
    • Betaling_advies.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: 5011945CDEE260FB8688B06568D007B3)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 6548 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 5804 cmdline: /c del 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.werealestatephotography.com/hw6d/"], "decoy": ["medicare101now.com", "danahillathletics.com", "realjobexpert.com", "boulderhalle-hamburg.com", "idoweddinghair.com", "awdcompanies.com", "thevillaflora.com", "neutrasystems.com", "allwest-originals.com", "designtehengsg.com", "thenewyorker.computer", "ladybugtubs.com", "silina-beauty24.com", "mifangtu.com", "fashionbranddeveloper.com", "istanbulhookah.com", "askyoyo.com", "osaka-computer.net", "conegenie.com", "agteless.com", "carsoncredittx.com", "wellalytics.com", "onjulitrading.com", "thelocallawnmen.com", "loanascustomboutique.com", "ohcaftanmycaftan.com", "ardor-fitness.com", "benzinhayvancilik.com", "apthaiproperty.com", "maxim.technology", "dfch18.com", "davaoaffordablecondo.com", "sueshemp.com", "missmaltese.com", "lakecountrydems.com", "lastminuteminister.com", "sofiascelebrations.com", "socialaspecthouston.com", "rechnung.pro", "kathyscrabhouse.com", "themusasoficial.com", "reversemortgageloanmiami.com", "vrventurebsp.com", "whatalode.com", "xh03.net", "qiqihao.site", "specstrii.com", "organicfarmteam.com", "codebinnovations.net", "kizunaservice.com", "lboclkchain.com", "frorool.com", "dpok.network", "desafogados.com", "vestblue.net", "forguyshere.com", "recordprosperity.info", "theballoonbirds.com", "adityabirla-loan.com", "midgex.info", "qishuxia.com", "panopticop.com", "gd-kangda.com", "hotelbrainclub.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)

00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)

00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings

0.2.Betaling_advies.exe.2680000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)

0.2.Betaling_advies.exe.2680000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

0.2.Betaling_advies.exe.2680000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C

0.2.Betaling_advies.exe.2680000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)

0.2.Betaling_advies.exe.2680000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.specstrii.com/hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Betaling_advies.exe; ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match; File source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 7.2.colorcpl.exe.4bd7960.5.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.colorcpl.exe.2972508.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Betaling_advies.exe.2680000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Betaling_advies.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.Betaling_advies.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Betaling_advies.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\xampp\htdocs\Cryptor\74d81a217a414a2aaee1ac9ce14525a2\Loader\Loader\Release\22ct3mhbr.pdb; source: Betaling_advies.exe, 00000000.00000002.654453331.0000000000788000.00000004.00020000.sdmp, 571kzkbal.dll.0.dr
Source: Binary string: colorcpl.pdbGCTL; source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb; source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: Betaling_advies.exe, 00000000.00000003.646799474.000000001EEB0000.00000004.00000001.sdmp, Betaling_advies.exe, 00000001.00000002.692105049.0000000000B2F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.910878162.00000000047BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: Betaling_advies.exe, colorcpl.exe
Source: Binary string: wscui.pdb; source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Betaling_advies.exe; Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\Betaling_advies.exe; Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\Betaling_advies.exe; Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.werealestatephotography.com/hw6d/
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.allwest-originals.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.kathyscrabhouse.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=Vm8u5YrjxPUHM0A3kvgMiq/IEeemHw6XN/VHMXEVDOFWtOJ88rOTM1/2OfHHahCysW3o&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.ladybugtubs.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.organicfarmteam.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.neutrasystems.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.specstrii.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=k1LpsGxm5HumkAXpmo5e4u//lFYytVV7DtC0wIWjSrCd2GK6ua7omZNXnIaR8+O4hW3P&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.boulderhalle-hamburg.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=Y1unV92ZJUSuuBS+wJtUBQ3HA2/A73jU4dZUG/XKFhicVa7REK6SIV0eE0B/9G03nb8G&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.thenewyorker.computer; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=JJCdylcTzsLZbxD+F44msifm3t5O58VGmPPtm/HjqScxgR1v9JyEBvOVGIsgPNAdlWCx&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.osaka-computer.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.werealestatephotography.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /hw6d/?DnbLu=PD6zFQZ0feRnIFnqRgwh7WYr9HBCLrLQfeEKpwQ3SsDBQ385jeUvmpjltj5zrHZAx7on&EzuxZl=3fX4qpLxXJu HTTP/1.1; Host: www.dfch18.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 198.54.117.218
Source: Joe Sandbox View; IP Address: 52.128.23.153
Source: Joe Sandbox View; ASN Name: DOSARRESTUS
Source: Joe Sandbox View; ASN Name: NOCIXUS
Source: unknown; DNS traffic detected: queries for: www.allwest-originals.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 08 Apr 2021 10:39:11 GMT; Server: Apache/2.4.46 (Unix); Content-Length: 196; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.655043939.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp; String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp; String found in binary or memory: https://www.werealestatephotography.com/hw6d/?DnbLu=um
Source: C:\Users\user\Desktop\Betaling_advies.exe; Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004181AA NtCreateFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004182DA NtClose
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A798A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A799D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79A10 NtQuerySection
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A795F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79560 NtWriteFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A796D0 NtCreateKey
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79760 NtOpenProcess
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A79770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7A770 NtOpenThread
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00418260 NtReadFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_004182E0 NtClose
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_004181AA NtCreateFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_004182DA NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047095D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047096D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709560 NtWriteFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470A770 NtOpenThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709760 NtOpenProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709A20 NtResumeThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709A10 NtQuerySection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04709B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02548260 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_025482E0 NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02548390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_025481B0 NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_025482DA NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_025481AA NtCreateFile
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00408C4B
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00408C50
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041BC56
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041B496
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041CD31
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A620A0
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B020A8
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4B090
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B028EC
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B0E824
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF1002
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A54120
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3F900
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B022AE
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AEFA2B
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6EBB0
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF03DA
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AFDBD2
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B02B28
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4841F
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AFD466
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62581
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4D5E0
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B025DD
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A30D20
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B02D07
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B01D55
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B02EF7
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A56E30
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AFD616
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B01FF1
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B0DFCE
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00408C4B
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00408C50
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041BC56
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041B496
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041CD31
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00402D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0478D466
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046D841F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04791D55
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C0D20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04792D07
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046DD5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047925DD
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F2581
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046E6E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0478D616
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04792EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04791FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04781002
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047928EC
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F20A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047920A8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046DB090
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046E4120
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046CF900
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047922AE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04792B28
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0478DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046FEBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02532FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02538C50
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02538C4B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254B496
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254CD31
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02532D90
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02532D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: String function: 00A3B150 appears 45 times
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: String function: 0041A090 appears 38 times
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 046CB150 appears 35 times
          Source: Betaling_advies.exe, 00000000.00000003.651276724.000000001F15F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Betaling_advies.exe
          Source: Betaling_advies.exe, 00000001.00000002.692105049.0000000000B2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Betaling_advies.exe
          Source: Betaling_advies.exe, 00000001.00000002.692711929.0000000000D73000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Betaling_advies.exe
          Source: Betaling_advies.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/9
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
          Source: C:\Users\user\Desktop\Betaling_advies.exeFile created: C:\Users\user\AppData\Local\Temp\nsx3A69.tmpJump to behavior
          Source: Betaling_advies.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Betaling_advies.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Betaling_advies.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Betaling_advies.exeReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\Betaling_advies.exeFile read: C:\Users\user\Desktop\Betaling_advies.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Users\user\Desktop\Betaling_advies.exeProcess created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Betaling_advies.exeProcess created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betaling_advies.exe'Jump to behavior
          Source: C:\Users\user\Desktop\Betaling_advies.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: C:\xampp\htdocs\Cryptor\74d81a217a414a2aaee1ac9ce14525a2\Loader\Loader\Release\22ct3mhbr.pdb source: Betaling_advies.exe, 00000000.00000002.654453331.0000000000788000.00000004.00020000.sdmp, 571kzkbal.dll.0.dr
          Source: Binary string: colorcpl.pdbGCTL source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: colorcpl.pdb source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Betaling_advies.exe, 00000000.00000003.646799474.000000001EEB0000.00000004.00000001.sdmp, Betaling_advies.exe, 0000000