yunsip | bab4020f814b0f4feb797c93cfe8effd52c70757decaa0f618177b351330e078

Analysis

max time kernel
37s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 14:02

Target

bab4020f814b0f4feb797c93cfe8effd52c70757decaa0f618177b351330e078.dll
Size

788KB
MD5

83da7350dd4fb8d032e14baab13f1db0
SHA1

37d5029ae33f8704e448f2cda754852384329c5d
SHA256

bab4020f814b0f4feb797c93cfe8effd52c70757decaa0f618177b351330e078
SHA512

1dbafe8a1d7227fcc2ce3a386632bf8d7c9bb3e2c92717b4528867665952176f669c78e9d5b6e57cfa964eb39608b0b4a91b8646cb7ddea6a8d2bc41670b416b
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Z:jDgtfRQUHPw06MoV2nwTBlhm8h

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26
PID 1864 wrote to memory of 2012	1864	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bab4020f814b0f4feb797c93cfe8effd52c70757decaa0f618177b351330e078.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bab4020f814b0f4feb797c93cfe8effd52c70757decaa0f618177b351330e078.dll,#1
  2⤵
  PID:2012

memory/2012-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download