yunsip | f5d30a4a87567f1d07d76f912b9cf488e360f00c13dc93f1fa75059e25f6e3ee

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 04:31

Target

f5d30a4a87567f1d07d76f912b9cf488e360f00c13dc93f1fa75059e25f6e3ee.dll
Size

306KB
MD5

081fba56d22e00c6a3868402b62c0a20
SHA1

9be9758d423f714103469d3422738280f4c1f670
SHA256

f5d30a4a87567f1d07d76f912b9cf488e360f00c13dc93f1fa75059e25f6e3ee
SHA512

18f492919d3fce85fefac020e957b426b5eac72003ed542ab8a2c1932a5f6f4163ae162d404972f08173dccbe684bd6f2bf6c5b1b96881de25c5be3d2c83092f
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDH:o6C5AXbMn7UI1FoV2gwTBlrIckPZ

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3012	3736	rundll32.exe	82
PID 3736 wrote to memory of 3012	3736	rundll32.exe	82
PID 3736 wrote to memory of 3012	3736	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5d30a4a87567f1d07d76f912b9cf488e360f00c13dc93f1fa75059e25f6e3ee.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5d30a4a87567f1d07d76f912b9cf488e360f00c13dc93f1fa75059e25f6e3ee.dll,#1
  2⤵
  PID:3012