yunsip | 68fae87b4978daf59fe64141f984ec9161b541c73001f695cfb6d933e77a38ab | Triage

Analysis

max time kernel
135s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 08:15

Sharing

Report Analysis Logs

General

Target

68fae87b4978daf59fe64141f984ec9161b541c73001f695cfb6d933e77a38ab.dll
Size

783KB
MD5

76e79f061bca8fa757ce0ad0ed93ce86
SHA1

b94b972ba85af85a987fe0648cf1c70716ae0c4a
SHA256

68fae87b4978daf59fe64141f984ec9161b541c73001f695cfb6d933e77a38ab
SHA512

07c5f77ff702806f59a4b799ff322dae794d7c2870e91911d548d6092278b388295c5c36334555c9895148723a791b822b1bd831770f126c32a0f7ff0812845d

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1532	1864	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68fae87b4978daf59fe64141f984ec9161b541c73001f695cfb6d933e77a38ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68fae87b4978daf59fe64141f984ec9161b541c73001f695cfb6d933e77a38ab.dll,#1
2⤵
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-59-0x0000000000000000-mapping.dmp

Download
memory/1532-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download