yunsip | bda6ac7ef7a1bab0e62f6fc917528670c51ea52310a9be7fd49e3ecf60d1ed2b | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 01:53

Sharing

Report Analysis Logs

General

Target

bda6ac7ef7a1bab0e62f6fc917528670c51ea52310a9be7fd49e3ecf60d1ed2b.dll
Size

525KB
MD5

bdf558d14f723c5a8917de55e031bd61
SHA1

4155c69e473610f9f62159a84a7df55282a3ae65
SHA256

bda6ac7ef7a1bab0e62f6fc917528670c51ea52310a9be7fd49e3ecf60d1ed2b
SHA512

e13996ad91e8f375b5686b856023d38b4ef82b0fc199b86d0cc83b78754c520eaea1b51f19654514c4716721061f61986fa26b4334d979ff09f1307ce0f64f45

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 2008	788	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bda6ac7ef7a1bab0e62f6fc917528670c51ea52310a9be7fd49e3ecf60d1ed2b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bda6ac7ef7a1bab0e62f6fc917528670c51ea52310a9be7fd49e3ecf60d1ed2b.dll,#1
2⤵
PID:2008

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-59-0x0000000000000000-mapping.dmp

Download
memory/2008-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download