yunsip | 850d5c4d25c4164cb96f20cd5713c75892c9452833fcb588fde5c0eed8423ccb | Triage

Analysis

max time kernel
46s
max time network
57s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 07:40

Sharing

Report Analysis Logs

General

Target

850d5c4d25c4164cb96f20cd5713c75892c9452833fcb588fde5c0eed8423ccb.dll
Size

686KB
MD5

d8d9c0a0bc8e5615f6de3a99d4d78061
SHA1

b2ef3e4e168a977c50813cb7ca6dd2dffdd18b47
SHA256

850d5c4d25c4164cb96f20cd5713c75892c9452833fcb588fde5c0eed8423ccb
SHA512

fcbceaf8f122fe4a676c96dfea253b3e5521c6e7175b844564661da429a9aa917822ac76e969f2de32f5d5e70d26a97ed2232f288674477ed81a68221704a90d

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 900 wrote to memory of 1108	900	rundll32.exe	rundll32.exe
PID 900 wrote to memory of 1108	900	rundll32.exe	rundll32.exe
PID 900 wrote to memory of 1108	900	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\850d5c4d25c4164cb96f20cd5713c75892c9452833fcb588fde5c0eed8423ccb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\850d5c4d25c4164cb96f20cd5713c75892c9452833fcb588fde5c0eed8423ccb.dll,#1
2⤵
PID:1108

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-114-0x0000000000000000-mapping.dmp

Download