yunsip | bee4ca20ff6202b6107d6b2dab6d2607193933a61d999b9dc4d0d3f1f30973c1 | Triage

Analysis

max time kernel
120s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 10:45

Sharing

Report Analysis Logs

General

Target

bee4ca20ff6202b6107d6b2dab6d2607193933a61d999b9dc4d0d3f1f30973c1.dll
Size

939KB
MD5

1d83eab43b101ad4b0af24f3103ad42b
SHA1

e770fc5ae2fe4184616c32e0fa6c782a6155e9ef
SHA256

bee4ca20ff6202b6107d6b2dab6d2607193933a61d999b9dc4d0d3f1f30973c1
SHA512

41e0b749c199d4279c421b0472d272a4050671a8439bd1e6ecbe530199c4ea131cb8fa92982ae8f21957a46a557e304bb76d1227fc46b8572208ae73a9464c2f

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 512 wrote to memory of 4020	512	rundll32.exe	rundll32.exe
PID 512 wrote to memory of 4020	512	rundll32.exe	rundll32.exe
PID 512 wrote to memory of 4020	512	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bee4ca20ff6202b6107d6b2dab6d2607193933a61d999b9dc4d0d3f1f30973c1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bee4ca20ff6202b6107d6b2dab6d2607193933a61d999b9dc4d0d3f1f30973c1.dll,#1
2⤵
PID:4020

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4020-114-0x0000000000000000-mapping.dmp

Download