yunsip | 448586be99ca4baf11c39f0c49e126c5b05c001c540037d8937a3e2f19c96e5a | Triage

Analysis

max time kernel
108s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:54

Sharing

Report Analysis Logs

General

Target

448586be99ca4baf11c39f0c49e126c5b05c001c540037d8937a3e2f19c96e5a.dll
Size

687KB
MD5

051056df506db15878cc5b08aa7967d2
SHA1

3bc514d56a33faea8b560bb5e722d115f5c59a41
SHA256

448586be99ca4baf11c39f0c49e126c5b05c001c540037d8937a3e2f19c96e5a
SHA512

4a1ab7ac692a8a2ff9a6630b46fb0d74dd34fe85d3141a1fb50701cd2ced9e4dd1f3df18d5d53b4851965209909dda891d83c7e2ccded7702457dd98829e0c33

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3980 wrote to memory of 3160	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 3160	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 3160	3980	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\448586be99ca4baf11c39f0c49e126c5b05c001c540037d8937a3e2f19c96e5a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\448586be99ca4baf11c39f0c49e126c5b05c001c540037d8937a3e2f19c96e5a.dll,#1
2⤵
PID:3160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3160-0-0x0000000000000000-mapping.dmp

Download