yunsip | 8b0fd44215cabd8b5896f6f29da22667e39ae48b8deb16c1604eb174b7d09250 | Triage

Analysis

max time kernel
36s
max time network
46s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 10:25

Sharing

Report Analysis Logs

General

Target

8b0fd44215cabd8b5896f6f29da22667e39ae48b8deb16c1604eb174b7d09250.dll
Size

1.0MB
MD5

078b6e44185ed6c9df9f5eed7de53a85
SHA1

68032ad683b293ffaff73415787863399f7a2d2f
SHA256

8b0fd44215cabd8b5896f6f29da22667e39ae48b8deb16c1604eb174b7d09250
SHA512

d6285636a781b88420da0f7c115c67f6c0c074a37e75519d123dedee4f1193b3721a2854b7e7f61f43b9187817b79d9ba70311523967e3e5ddf193505c11ba61

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 656 wrote to memory of 1376	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 1376	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 1376	656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b0fd44215cabd8b5896f6f29da22667e39ae48b8deb16c1604eb174b7d09250.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b0fd44215cabd8b5896f6f29da22667e39ae48b8deb16c1604eb174b7d09250.dll,#1
2⤵
PID:1376

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-114-0x0000000000000000-mapping.dmp

Download