yunsip | e25202c4ec1082d483d3a8dfa58fd0d8a8e7279c6a62bca0d8be5a559125c23e | Triage

Analysis

max time kernel
39s
max time network
56s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 12:29

Sharing

Report Analysis Logs

General

Target

e25202c4ec1082d483d3a8dfa58fd0d8a8e7279c6a62bca0d8be5a559125c23e.dll
Size

452KB
MD5

f616806ccf9e8e2d9e1af51ded103ec3
SHA1

22831cb705c236a29f738cb6f90a60f238d937e8
SHA256

e25202c4ec1082d483d3a8dfa58fd0d8a8e7279c6a62bca0d8be5a559125c23e
SHA512

fdac2e2f0d77f3d3adb29e26bdc6bf697dbb1aead301939d0ed4074e438c788e361c09efe877178b4551ff5d60827803b92b1f4de8582a6fa723a253776c35e2

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 640 wrote to memory of 1096	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 1096	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 1096	640	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e25202c4ec1082d483d3a8dfa58fd0d8a8e7279c6a62bca0d8be5a559125c23e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e25202c4ec1082d483d3a8dfa58fd0d8a8e7279c6a62bca0d8be5a559125c23e.dll,#1
2⤵
PID:1096

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-114-0x0000000000000000-mapping.dmp

Download