yunsip | a64380f336995395fa8519233a6cef70d8b59a97bd0ea6291a85e46bfd0bbf72

Analysis

max time kernel
120s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 15:38

Target

a64380f336995395fa8519233a6cef70d8b59a97bd0ea6291a85e46bfd0bbf72.dll
Size

482KB
MD5

279e3d07ce85f7c94f925d20334afe20
SHA1

87e1689ff6f0ff6594bc37b801669a26e4be9454
SHA256

a64380f336995395fa8519233a6cef70d8b59a97bd0ea6291a85e46bfd0bbf72
SHA512

66669c110e6e70ab06f6b871178d19ccc2c1af1f1d8a8d279af4996032d138c5c533496bf6037d9295dbaaf449d13efd38bb91e19caec230d99ec2cd11a354d8
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDr:o6C5AXbMn7UI1FoV2gwTBlrIckP1

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 724	4844	rundll32.exe	83
PID 4844 wrote to memory of 724	4844	rundll32.exe	83
PID 4844 wrote to memory of 724	4844	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a64380f336995395fa8519233a6cef70d8b59a97bd0ea6291a85e46bfd0bbf72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a64380f336995395fa8519233a6cef70d8b59a97bd0ea6291a85e46bfd0bbf72.dll,#1
  2⤵
  PID:724