yunsip | f2e59e506031b25131351ca7e7fac01c463fc2391e7cc292ede678681096ef29 | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows10_x64
resource
win10v20210410
submitted
13-05-2021 02:17

Sharing

Report Analysis Logs

General

Target

f2e59e506031b25131351ca7e7fac01c463fc2391e7cc292ede678681096ef29.dll
Size

348KB
MD5

c58564905bc79cfa583cb8b6e2cd3d7b
SHA1

10439eb07acccb00f9a10aee802fce58295f3da0
SHA256

f2e59e506031b25131351ca7e7fac01c463fc2391e7cc292ede678681096ef29
SHA512

edec27d2e10bbaa3070a063a0289c986d26a5f5b8b0d2354169eefeffd63183c64470a7a2f132d11f557846931bc717e63fdb27933b06b0a77f16a8c884bbab8

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3560 wrote to memory of 3148	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 3148	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 3148	3560	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2e59e506031b25131351ca7e7fac01c463fc2391e7cc292ede678681096ef29.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2e59e506031b25131351ca7e7fac01c463fc2391e7cc292ede678681096ef29.dll,#1
2⤵
PID:3148

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3148-114-0x0000000000000000-mapping.dmp

Download