yunsip | 3f59761f0f51300f5895377be284d8620df86a86f621632452fc4d87d21e16d1

Analysis

max time kernel
34s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 10:26

Target

3f59761f0f51300f5895377be284d8620df86a86f621632452fc4d87d21e16d1.dll
Size

794KB
MD5

2faeb16170a99a7cd281f065452fe3e0
SHA1

bff844217710ea66084db307b3620cf04a295a9e
SHA256

3f59761f0f51300f5895377be284d8620df86a86f621632452fc4d87d21e16d1
SHA512

f8eb1dc13f53fd67cae0bf8cfab3bc83721820bd7910ca43d2ddb77048593aa0f8210d124643366a7e4daccbe963f853d71aadc2035e0c0f300fc35176464518
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0K:jDgtfRQUHPw06MoV2nwTBlhm8C

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27
PID 368 wrote to memory of 836	368	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f59761f0f51300f5895377be284d8620df86a86f621632452fc4d87d21e16d1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f59761f0f51300f5895377be284d8620df86a86f621632452fc4d87d21e16d1.dll,#1
  2⤵
  PID:836

memory/836-54-0x0000000000000000-mapping.dmp

Download
memory/836-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download