yunsip | 9def52727eff7de38a787a44668f9e612012bb7f31c1d3a741aa974d8b95e954 | Triage

Analysis

max time kernel
12s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:55

Sharing

Report Analysis Logs

General

Target

9def52727eff7de38a787a44668f9e612012bb7f31c1d3a741aa974d8b95e954.dll
Size

731KB
MD5

fe5e7f1264638681422ae9c210d95e58
SHA1

2d925ac39857430fcb5f160fd442dc5546dcbfe1
SHA256

9def52727eff7de38a787a44668f9e612012bb7f31c1d3a741aa974d8b95e954
SHA512

cd70e420390a3e5d218d457386d0dc34f63ad0863eabcfe7c7e2f110f71f60a6f64e8fa50355e8176a62c0f2c10b7b1bba398c9c7647223a12aa7e9ee4c62b33

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4076 wrote to memory of 1872	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 1872	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 1872	4076	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9def52727eff7de38a787a44668f9e612012bb7f31c1d3a741aa974d8b95e954.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9def52727eff7de38a787a44668f9e612012bb7f31c1d3a741aa974d8b95e954.dll,#1
2⤵
PID:1872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-0-0x0000000000000000-mapping.dmp

Download