yunsip | e8754de6d3ffdf64a70631bdbca66624c00fd2d7fce32f60a27cc1be09a9e9b8

Analysis

max time kernel
53s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:04

Target

e8754de6d3ffdf64a70631bdbca66624c00fd2d7fce32f60a27cc1be09a9e9b8.dll
Size

231KB
MD5

09d3621343dce1db864402e994b4b920
SHA1

be4d1e40170d366e42897aa70521d7dd22724709
SHA256

e8754de6d3ffdf64a70631bdbca66624c00fd2d7fce32f60a27cc1be09a9e9b8
SHA512

c1c66d0a88f6c629744797db4c866cdc80ba54b1d97afbc87b2f587eb44b2ffd1d00485ba1d131aaded5a98ea8009f680094f2b1a267946a194850231212c530
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0v:jDgtfRQUHPw06MoV2nwTBlhm83

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27
PID 1696 wrote to memory of 1608	1696	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8754de6d3ffdf64a70631bdbca66624c00fd2d7fce32f60a27cc1be09a9e9b8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8754de6d3ffdf64a70631bdbca66624c00fd2d7fce32f60a27cc1be09a9e9b8.dll,#1
  2⤵
  PID:1608

memory/1608-55-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download