yunsip | 5a35bf1d962346e81010882426312f0fe8ff9ab768296b3d5a9e05d7713eafe6 | Triage

Analysis

max time kernel
143s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 13:06

Sharing

Report Analysis Logs

General

Target

5a35bf1d962346e81010882426312f0fe8ff9ab768296b3d5a9e05d7713eafe6.dll
Size

450KB
MD5

406cd67ac18f82e17c4c6a47597081e9
SHA1

7ecab869c6bdb6566feb415d575efc255d52c570
SHA256

5a35bf1d962346e81010882426312f0fe8ff9ab768296b3d5a9e05d7713eafe6
SHA512

7c598ecb02c42e39e2365c2e2daf92179ffb7e3f83ba342937700cfd3279c4b9a8657972141b64c7eb4eb447a079f998b1f4856f6bf775ff10e6c3065a57fd59

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3992 wrote to memory of 964	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 964	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 964	3992	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a35bf1d962346e81010882426312f0fe8ff9ab768296b3d5a9e05d7713eafe6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a35bf1d962346e81010882426312f0fe8ff9ab768296b3d5a9e05d7713eafe6.dll,#1
2⤵
PID:964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-114-0x0000000000000000-mapping.dmp

Download