yunsip | f6e0763e3c9db26baa65ed285f8df7514f323cce672079b09adf4dd768a45d7f | Triage

Analysis

max time kernel
123s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 11:20

Sharing

Report Analysis Logs

General

Target

f6e0763e3c9db26baa65ed285f8df7514f323cce672079b09adf4dd768a45d7f.dll
Size

718KB
MD5

a66cfed7ededd6f84802f5a07e03a4df
SHA1

acc42485ac325f129d8c6afff591d66c6dc78672
SHA256

f6e0763e3c9db26baa65ed285f8df7514f323cce672079b09adf4dd768a45d7f
SHA512

1ea418d30910f092d33270c83d82387c86ad1247f15063dc36b54a5b50ac21044d820d5f4be108c166f1f1dc0fe529f87f3d74644131a485de8d456124f102df

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 348 wrote to memory of 3192	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 3192	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 3192	348	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6e0763e3c9db26baa65ed285f8df7514f323cce672079b09adf4dd768a45d7f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6e0763e3c9db26baa65ed285f8df7514f323cce672079b09adf4dd768a45d7f.dll,#1
2⤵
PID:3192

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-114-0x0000000000000000-mapping.dmp

Download