yunsip | ae6adc1eba5ad2969dd0adeda3e771896fffbbe3a0e85aeb5c6ca5add0dae96e

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:05

Target

ae6adc1eba5ad2969dd0adeda3e771896fffbbe3a0e85aeb5c6ca5add0dae96e.dll
Size

281KB
MD5

0eff627815250b5ba9cd81f7cc242f80
SHA1

8f1ecb9fca574e205584cb4cb1ec693537deec01
SHA256

ae6adc1eba5ad2969dd0adeda3e771896fffbbe3a0e85aeb5c6ca5add0dae96e
SHA512

17d43acadbda78254f371d7d1506af3846c7c11d3bc43d20c8b67de8d1a68819d9928795dd9d720b1a8add5d70972b5890a3424e5e245441647711b7b9da2a48
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0R:jDgtfRQUHPw06MoV2nwTBlhm8J

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2680 wrote to memory of 4324	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 4324	2680	rundll32.exe	rundll32.exe
PID 2680 wrote to memory of 4324	2680	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae6adc1eba5ad2969dd0adeda3e771896fffbbe3a0e85aeb5c6ca5add0dae96e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae6adc1eba5ad2969dd0adeda3e771896fffbbe3a0e85aeb5c6ca5add0dae96e.dll,#1
2⤵
PID:4324