yunsip | 8e24e91303b0dcc86c794d0841f4a18d8abe27fa1a6b08a7ade6824bd6079452 | Triage

Analysis

max time kernel
89s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 12:21

Sharing

Report Analysis Logs

General

Target

8e24e91303b0dcc86c794d0841f4a18d8abe27fa1a6b08a7ade6824bd6079452.dll
Size

434KB
MD5

3087a4327ec1e1da226127894de40ddb
SHA1

29af3f23876677abf18aebe29965c817d2317ecd
SHA256

8e24e91303b0dcc86c794d0841f4a18d8abe27fa1a6b08a7ade6824bd6079452
SHA512

6731ede7a44aadf1811a76f086e1a9fa39c1b04be6d866c897e5fec2e6a8b764ab353d0a00e515eea4d619575ccb7de29152f4a48753534b17ba2d2c27437e25

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3892 wrote to memory of 1728	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 1728	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 1728	3892	rundll32.exe	rundll32.exe

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e24e91303b0dcc86c794d0841f4a18d8abe27fa1a6b08a7ade6824bd6079452.dll,#1
1⤵
PID:1728

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e24e91303b0dcc86c794d0841f4a18d8abe27fa1a6b08a7ade6824bd6079452.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3892

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-114-0x0000000000000000-mapping.dmp

Download