yunsip | de9045e8976db545b09a4b49c1c7c3f02aa5a966496d8395f1755fdb67da3c38

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 10:25

Target

de9045e8976db545b09a4b49c1c7c3f02aa5a966496d8395f1755fdb67da3c38.dll
Size

250KB
MD5

033b9a8831c7f1d31d2bc000964c4ec1
SHA1

6a8b34e9c3b71186cc80ef78bb4a144611718d70
SHA256

de9045e8976db545b09a4b49c1c7c3f02aa5a966496d8395f1755fdb67da3c38
SHA512

bb7259cdce2fe937fa2c34da7a6e3e9b172023882b83ba7e68d120c8d868f4485bf07957cb76ab8aae4b2b8ffcb7e0fc9e4b421975e6b195672c020d5b463638
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0b:jDgtfRQUHPw06MoV2nwTBlhm8z

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26
PID 1388 wrote to memory of 1536	1388	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9045e8976db545b09a4b49c1c7c3f02aa5a966496d8395f1755fdb67da3c38.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9045e8976db545b09a4b49c1c7c3f02aa5a966496d8395f1755fdb67da3c38.dll,#1
  2⤵
  PID:1536

memory/1536-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download