yunsip | 979ca66179a9632e5308084fc289ce2b19c6b408cc5ec9a73196250637d9a4ca

Analysis

max time kernel
34s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 14:02

Target

979ca66179a9632e5308084fc289ce2b19c6b408cc5ec9a73196250637d9a4ca.dll
Size

764KB
MD5

936f6f1f61ae479a46f74c7c0fc99c20
SHA1

2a0b274b71ebe355767d535259fe536042741906
SHA256

979ca66179a9632e5308084fc289ce2b19c6b408cc5ec9a73196250637d9a4ca
SHA512

728e6033e90343074e08bf9b661c4ece7eeb51640df53e95aadf14f64566667c2e2b96ba19e5eb9691cc32c4f234a57cae366960cbe9d70e0be90b0da08e6fdd
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0i:jDgtfRQUHPw06MoV2nwTBlhm8K

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27
PID 1672 wrote to memory of 1644	1672	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\979ca66179a9632e5308084fc289ce2b19c6b408cc5ec9a73196250637d9a4ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\979ca66179a9632e5308084fc289ce2b19c6b408cc5ec9a73196250637d9a4ca.dll,#1
  2⤵
  PID:1644

memory/1644-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download