yunsip | 07d2c3e4494cd9efe203af28078f184da742fcbe4576658e11d3905a75dd3881

Analysis

max time kernel
37s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 21:21

Target

07d2c3e4494cd9efe203af28078f184da742fcbe4576658e11d3905a75dd3881.dll
Size

409KB
MD5

a06b18b5fce5c0ae1ba66def4e340126
SHA1

7dc687232e7cd3d3322100474755018261f9448f
SHA256

07d2c3e4494cd9efe203af28078f184da742fcbe4576658e11d3905a75dd3881
SHA512

737556d5d5bea206043aa5084470583db16f208dde4a45ad8c582780cf916d0c8cfae66a3869f25cfad9088e78424b575e34b9d37e3302cae065f48e502d8149
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0S:jDgtfRQUHPw06MoV2nwTBlhm8q

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28
PID 988 wrote to memory of 1168	988	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07d2c3e4494cd9efe203af28078f184da742fcbe4576658e11d3905a75dd3881.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\07d2c3e4494cd9efe203af28078f184da742fcbe4576658e11d3905a75dd3881.dll,#1
  2⤵
  PID:1168

memory/1168-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download