yunsip | 307ec13c5bbf0d83401c460b76b095400af68a527718306d0ba8b1cc3fccc3d0

Analysis

max time kernel
26s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 00:12

Target

307ec13c5bbf0d83401c460b76b095400af68a527718306d0ba8b1cc3fccc3d0.dll
Size

264KB
MD5

82241d7c1596757c61154792d87a36ec
SHA1

13f8d9683d03f00da5e184b4857d225b186af75a
SHA256

307ec13c5bbf0d83401c460b76b095400af68a527718306d0ba8b1cc3fccc3d0
SHA512

34aea4d6ca947539e05f297a0bc50b5c13887913c700a68f0c236adc2971153ce1f8b194907b3a22c7b4cb06700bf6b27afc3e5adede21af495175e960ccab50
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0i:jDgtfRQUHPw06MoV2nwTBlhm8a

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27
PID 1628 wrote to memory of 1880	1628	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\307ec13c5bbf0d83401c460b76b095400af68a527718306d0ba8b1cc3fccc3d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\307ec13c5bbf0d83401c460b76b095400af68a527718306d0ba8b1cc3fccc3d0.dll,#1
  2⤵
  PID:1880

memory/1880-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download