yunsip | e02d049354d32611057d3616a86d780eeb926d978946be314b9572fd60e4b0df | Triage

Analysis

max time kernel
12s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:57

Sharing

Report Analysis Logs

General

Target

e02d049354d32611057d3616a86d780eeb926d978946be314b9572fd60e4b0df.dll
Size

686KB
MD5

0c4f09b9966eea989bec74539b49d44c
SHA1

732c9675363859e9a55f5270ae6e5be624cfbf0d
SHA256

e02d049354d32611057d3616a86d780eeb926d978946be314b9572fd60e4b0df
SHA512

254f8ef153cfb78f8f3ac3000ffbd9c6ec488994383be0b589e9778448f6118d997589b61a29f86338b0545480ea9c4dce7c4022662461fdbe161796df92d0f2

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3636 wrote to memory of 1036	3636	rundll32.exe	rundll32.exe
PID 3636 wrote to memory of 1036	3636	rundll32.exe	rundll32.exe
PID 3636 wrote to memory of 1036	3636	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e02d049354d32611057d3616a86d780eeb926d978946be314b9572fd60e4b0df.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e02d049354d32611057d3616a86d780eeb926d978946be314b9572fd60e4b0df.dll,#1
2⤵
PID:1036

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-0-0x0000000000000000-mapping.dmp

Download