yunsip | 3e03f863a3e50377028438fc791a1918dfeed6fa904cba817131355d87b0f258 | Triage

Analysis

max time kernel
13s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 13:11

Sharing

Report Analysis Logs

General

Target

3e03f863a3e50377028438fc791a1918dfeed6fa904cba817131355d87b0f258.dll
Size

436KB
MD5

3b33ad6fbc372432ac241106c967501a
SHA1

e6d14daf269e1c979e5dfe59eb74bd6b9e46d17c
SHA256

3e03f863a3e50377028438fc791a1918dfeed6fa904cba817131355d87b0f258
SHA512

f7c601909555ab88899c6c847bf9887316aec852e4088d92a114e3005f0f7fd73e72cb2ee316dc1fdbd46e810bf70f95fb273344761b3a5eb4cb02294a836061

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 496	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 496	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 496	2208	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e03f863a3e50377028438fc791a1918dfeed6fa904cba817131355d87b0f258.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e03f863a3e50377028438fc791a1918dfeed6fa904cba817131355d87b0f258.dll,#1
2⤵
PID:496

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-114-0x0000000000000000-mapping.dmp

Download