yunsip | 185c8c30d07b25f9a74e9b9f4c12b86cda0a6325a52fbe6204d4d7d8a0b548b9 | Triage

Analysis

max time kernel
3s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 01:49

Sharing

Report Analysis Logs

General

Target

185c8c30d07b25f9a74e9b9f4c12b86cda0a6325a52fbe6204d4d7d8a0b548b9.dll
Size

732KB
MD5

fcf6c48517a1c5674c2f6e19be5a42b6
SHA1

30e6581def4a7a2047e36621a31972e437bf0402
SHA256

185c8c30d07b25f9a74e9b9f4c12b86cda0a6325a52fbe6204d4d7d8a0b548b9
SHA512

3b2303b55510d515d0831371e6979ab3cfb455fd8a18a3a0b2e4d5b27a2fb5e7156328dcd92691f1396be8799cc01f7e220b542d2d29fe8de02573160a286ed0

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1196	1084	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\185c8c30d07b25f9a74e9b9f4c12b86cda0a6325a52fbe6204d4d7d8a0b548b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\185c8c30d07b25f9a74e9b9f4c12b86cda0a6325a52fbe6204d4d7d8a0b548b9.dll,#1
2⤵
PID:1196

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-60-0x0000000000000000-mapping.dmp

Download
memory/1196-61-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download