yunsip | a360492ba0d3bb8319a9ec6d014d41fc9d03a2c3d21c0f48e9eda6844807bd1c | Triage

Analysis

max time kernel
95s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 08:09

Sharing

Report Analysis Logs

General

Target

a360492ba0d3bb8319a9ec6d014d41fc9d03a2c3d21c0f48e9eda6844807bd1c.dll
Size

863KB
MD5

565a2c3aaa8d3f3dfc3e936800caf628
SHA1

3b103c5c3a7b95dc89a9568436c9a1a8b2d9048f
SHA256

a360492ba0d3bb8319a9ec6d014d41fc9d03a2c3d21c0f48e9eda6844807bd1c
SHA512

5011231c69583cc2843298dd996fdd93ddd6290b5182199c5fc108941ba89a8bb8b1ccbe444ad01df3038df07edc2cb6cccf1839968c60633e327e04b57aba2e

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4008 wrote to memory of 648	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 648	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 648	4008	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a360492ba0d3bb8319a9ec6d014d41fc9d03a2c3d21c0f48e9eda6844807bd1c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a360492ba0d3bb8319a9ec6d014d41fc9d03a2c3d21c0f48e9eda6844807bd1c.dll,#1
2⤵
PID:648

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-114-0x0000000000000000-mapping.dmp

Download