yunsip | 84e808c344c3372813b7e40a7e6c35da08f21ceaf7bd6520cc86697e39ca5b21 | Triage

Analysis

max time kernel
126s
max time network
125s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 17:58

Sharing

Report Analysis Logs

General

Target

84e808c344c3372813b7e40a7e6c35da08f21ceaf7bd6520cc86697e39ca5b21.dll
Size

678KB
MD5

f257dfff7e798c1d87e8be2aa68f1885
SHA1

5026ef7b538a320cdffdb734638769172a95dd30
SHA256

84e808c344c3372813b7e40a7e6c35da08f21ceaf7bd6520cc86697e39ca5b21
SHA512

6a119a97316c4303d9915fc63b04ff035834af55f5928bd5c8a085522b55ff8eb217f0d90b0219a2110b964e5f0cc1d256d0f99ea63c28b5a38464b54be95820

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 2032	1664	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e808c344c3372813b7e40a7e6c35da08f21ceaf7bd6520cc86697e39ca5b21.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e808c344c3372813b7e40a7e6c35da08f21ceaf7bd6520cc86697e39ca5b21.dll,#1
2⤵
PID:2032

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-0-0x0000000000000000-mapping.dmp

Download