yunsip | fea9bc8bcbe46a6763ce2a7ef8a80ce46219b436aa43dadf97c40419ea58a4e1

Analysis

max time kernel
12s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 01:24

Target

fea9bc8bcbe46a6763ce2a7ef8a80ce46219b436aa43dadf97c40419ea58a4e1.dll
Size

868KB
MD5

0c37a3924cfe6bbc97ef7e384f1bbb70
SHA1

42953d75add7af293fe0045df3671eb21dcbc432
SHA256

fea9bc8bcbe46a6763ce2a7ef8a80ce46219b436aa43dadf97c40419ea58a4e1
SHA512

07c76a1dcf756bfb1551d410ab94f5d050124b1748438f1da6a60902a4fbf468a549a7b0b2b8eb15f0c6c00337973a32e76dcc86d45ae95a92f625fe8d7a9659
SSDEEP

12288:jDgN6MoIwT3qOOOOOOOOOOOOOOOOOOOOOOm:jTtT3qOOOOOOOOOOOOOOOOOOOOOOm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 4888	3276	rundll32.exe	17
PID 3276 wrote to memory of 4888	3276	rundll32.exe	17
PID 3276 wrote to memory of 4888	3276	rundll32.exe	17

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fea9bc8bcbe46a6763ce2a7ef8a80ce46219b436aa43dadf97c40419ea58a4e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fea9bc8bcbe46a6763ce2a7ef8a80ce46219b436aa43dadf97c40419ea58a4e1.dll,#1
  2⤵
  PID:4888