yunsip | e9b1b871c7ee047bab8a2d03d832a1ed035b101cacd8eecece205f66fc659ac3 | Triage

Analysis

max time kernel
3s
max time network
15s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 11:38

Sharing

Report Analysis Logs

General

Target

e9b1b871c7ee047bab8a2d03d832a1ed035b101cacd8eecece205f66fc659ac3.dll
Size

948KB
MD5

7240a8948ec57f99eaaf0f1f8a0fdbe1
SHA1

1ba980e50f65d71080e23bac41fc2eb717139b20
SHA256

e9b1b871c7ee047bab8a2d03d832a1ed035b101cacd8eecece205f66fc659ac3
SHA512

aba527446015c6846a38ddd262e2f0183034b67dd6341c57f468551ad25bdf6c5044b940e6ac5ad6b63ae521d21e44553aa702016f77c60668f9e60c6fa6e62f

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1096	336	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9b1b871c7ee047bab8a2d03d832a1ed035b101cacd8eecece205f66fc659ac3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9b1b871c7ee047bab8a2d03d832a1ed035b101cacd8eecece205f66fc659ac3.dll,#1
2⤵
PID:1096

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-60-0x0000000000000000-mapping.dmp

Download
memory/1096-61-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download