yunsip | 5d3c76539a3faef6f75cbfe529ed709246137b40f2fd22e9c85f4fd89e209eeb | Triage

Analysis

max time kernel
35s
max time network
45s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 10:06

Sharing

Report Analysis Logs

General

Target

5d3c76539a3faef6f75cbfe529ed709246137b40f2fd22e9c85f4fd89e209eeb.dll
Size

953KB
MD5

4b57896be3c291c5d7472e170aa0899c
SHA1

4c4ec8d0a4ee0a443f37847bc913ac8d2dd3ed48
SHA256

5d3c76539a3faef6f75cbfe529ed709246137b40f2fd22e9c85f4fd89e209eeb
SHA512

b337a804f161f6966071a20262412ba82585b3a1e65f32cc03818cf89ec4000914d9d6a357e8b2aa6f20e07f1b4f2807f273498dcdabe6940966ef308b928266

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 672 wrote to memory of 848	672	rundll32.exe	rundll32.exe
PID 672 wrote to memory of 848	672	rundll32.exe	rundll32.exe
PID 672 wrote to memory of 848	672	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d3c76539a3faef6f75cbfe529ed709246137b40f2fd22e9c85f4fd89e209eeb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d3c76539a3faef6f75cbfe529ed709246137b40f2fd22e9c85f4fd89e209eeb.dll,#1
2⤵
PID:848

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-114-0x0000000000000000-mapping.dmp

Download