yunsip | 21a5237dd8faae37dfd750579558e73d839ff566c6e32d2d91c0651e503c6419

Analysis

max time kernel
111s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 14:03

Target

21a5237dd8faae37dfd750579558e73d839ff566c6e32d2d91c0651e503c6419.dll
Size

620KB
MD5

4b3e265b44e29e3f2f7896bcf8004f70
SHA1

80d592cd57786f41b1a0791ded9645c29400ba34
SHA256

21a5237dd8faae37dfd750579558e73d839ff566c6e32d2d91c0651e503c6419
SHA512

29102c9b02edf60a4ca4ff48bb0b6184daf473653a43d9e82f7ac4a7739ffff7587a12a0812d2ab332a7efe0669722cfa5db28f7ef2f6347b2af510db1e00f25
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0u:jDgtfRQUHPw06MoV2nwTBlhm8m

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4440	4888	rundll32.exe	82
PID 4888 wrote to memory of 4440	4888	rundll32.exe	82
PID 4888 wrote to memory of 4440	4888	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21a5237dd8faae37dfd750579558e73d839ff566c6e32d2d91c0651e503c6419.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21a5237dd8faae37dfd750579558e73d839ff566c6e32d2d91c0651e503c6419.dll,#1
  2⤵
  PID:4440