yunsip | 2f376d33f559c5dcae012d1957e5c15c350006b1c877d3f5e6ba65f71e5e3759

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:06

Target

2f376d33f559c5dcae012d1957e5c15c350006b1c877d3f5e6ba65f71e5e3759.dll
Size

914KB
MD5

096ad55e76ed7bc2f05c04b57afb1160
SHA1

c80ad63b6d746d7a8c39de9e358f2d2b8fe434d5
SHA256

2f376d33f559c5dcae012d1957e5c15c350006b1c877d3f5e6ba65f71e5e3759
SHA512

63ec95e0138d7a1f74fbc2b1c8a2ec0097c0ebe9a43e2481c76aaa117daea4051536c4d4b247b41e9d2019ca7a1e2d29da93d6b1bba1a53a0dbdad4f8095e600
SSDEEP

6144:jDgtfRQUHPw06MoV2nwTBlhm8zDgtfRQUHPw06MoV2nwTBlhm8N:jDgN6MoIwT3vDgN6MoIwT3R

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28
PID 1908 wrote to memory of 1944	1908	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f376d33f559c5dcae012d1957e5c15c350006b1c877d3f5e6ba65f71e5e3759.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f376d33f559c5dcae012d1957e5c15c350006b1c877d3f5e6ba65f71e5e3759.dll,#1
  2⤵
  PID:1944

memory/1944-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download