yunsip | 668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4 | Triage

Analysis

max time kernel
50s
max time network
61s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 08:08

Sharing

Report Analysis Logs

General

Target

668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll
Size

667KB
MD5

63cb5fd5731c8c93387c439616dc55c7
SHA1

ef4f186e6015c43ce944ccdbeabaff2dded9d4fd
SHA256

668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4
SHA512

b2db13745f93d28dd9144a82f24a9bf48b3450a45ade7541bee4688fe30dbfd8b94329c2521dcb4d61dbe79d126a55522193918432b0ca83dc56649f087322e0

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 380 wrote to memory of 1572	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1572	380	rundll32.exe	rundll32.exe
PID 380 wrote to memory of 1572	380	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll,#1
2⤵
PID:1572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-114-0x0000000000000000-mapping.dmp

Download