yunsip | b09b5db122db734592d0e9fc02f331fd835ef21c17f1215cd4d4886e62d034b6

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:05

Target

b09b5db122db734592d0e9fc02f331fd835ef21c17f1215cd4d4886e62d034b6.dll
Size

464KB
MD5

063481a16264a3860c941de802777a40
SHA1

e6cda820b87c54df3860f6c11fb937b90c78b7b3
SHA256

b09b5db122db734592d0e9fc02f331fd835ef21c17f1215cd4d4886e62d034b6
SHA512

e1206f4ec505a8edb1d9171b352b970725060e45df7952e18927798341189130f77562316801306ff34989b42a5c07bcff9ee857a5de674c6370db8b43f63412
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0A:jDgtfRQUHPw06MoV2nwTBlhm8o

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26
PID 1464 wrote to memory of 1516	1464	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b09b5db122db734592d0e9fc02f331fd835ef21c17f1215cd4d4886e62d034b6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b09b5db122db734592d0e9fc02f331fd835ef21c17f1215cd4d4886e62d034b6.dll,#1
  2⤵
  PID:1516

memory/1516-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download