yunsip | bfe6093a922d5d15bedb12dcebd8539643f4ca4c85c1a3d855816ca5b91e0fcd

Analysis

max time kernel
142s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 04:31

Target

bfe6093a922d5d15bedb12dcebd8539643f4ca4c85c1a3d855816ca5b91e0fcd.dll
Size

401KB
MD5

0c2195ffab3bd4a4186f3e23e8bec10d
SHA1

96bd3be0a591872bc77ab9d03ca5c5ae300c3cdc
SHA256

bfe6093a922d5d15bedb12dcebd8539643f4ca4c85c1a3d855816ca5b91e0fcd
SHA512

a435bdda6ddb1af320621fff48e9cdcfc25ca4a9dbbbddd656676c549dbe98b07b1b2094422d429708c3b415fdebbe0a100ace4bb3f4981ffadbd37ed37a3409
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDV:o6C5AXbMn7UI1FoV2gwTBlrIckPf

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1620	1336	rundll32.exe	81
PID 1336 wrote to memory of 1620	1336	rundll32.exe	81
PID 1336 wrote to memory of 1620	1336	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe6093a922d5d15bedb12dcebd8539643f4ca4c85c1a3d855816ca5b91e0fcd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe6093a922d5d15bedb12dcebd8539643f4ca4c85c1a3d855816ca5b91e0fcd.dll,#1
  2⤵
  PID:1620