yunsip | 4639d9b925adf398a537da9261d4c8b8cba7f33f602a1ad82e980228d9c9631b

Analysis

max time kernel
37s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 04:31

Target

4639d9b925adf398a537da9261d4c8b8cba7f33f602a1ad82e980228d9c9631b.dll
Size

393KB
MD5

07a2c9a683ca500bd868c3273093e080
SHA1

6d1a60142882336d3db70561d4cd23a139dce416
SHA256

4639d9b925adf398a537da9261d4c8b8cba7f33f602a1ad82e980228d9c9631b
SHA512

3c89c3747134518203da4a7961b5ea1d0d959cee914abc9d37f59dd2ad1e8642f0811d7d7ce2816b5f95c914d39b990eb1425f5563c07d909d1924b4d0eca881
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZD3:o6C5AXbMn7UI1FoV2gwTBlrIckPp

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26
PID 1608 wrote to memory of 2004	1608	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4639d9b925adf398a537da9261d4c8b8cba7f33f602a1ad82e980228d9c9631b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4639d9b925adf398a537da9261d4c8b8cba7f33f602a1ad82e980228d9c9631b.dll,#1
  2⤵
  PID:2004

memory/2004-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download