yunsip | c9a82e6484df40c9c5f4784b5a5fd31f03114cef259618bc18939b7abe9af38c

Analysis

max time kernel
24s
max time network
107s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-11-2022 16:16

Target

c9a82e6484df40c9c5f4784b5a5fd31f03114cef259618bc18939b7abe9af38c.dll
Size

370KB
MD5

0e9db15e15e2f45146cce832a6a01540
SHA1

608f3e36dc973f671526c89df5ddd1926ce9df0d
SHA256

c9a82e6484df40c9c5f4784b5a5fd31f03114cef259618bc18939b7abe9af38c
SHA512

73cc60f8164ed98632796c7a44134ff2a32c588a65faaa26d2337babeaeafa76824cf1aef3f6ee24e1c9a5dba31a809c6e0e4a09185a03555fce9a9b82dfd051
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDp:o6C5AXbMn7UI1FoV2gwTBlrIckPb

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27
PID 1692 wrote to memory of 1172	1692	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a82e6484df40c9c5f4784b5a5fd31f03114cef259618bc18939b7abe9af38c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a82e6484df40c9c5f4784b5a5fd31f03114cef259618bc18939b7abe9af38c.dll,#1
  2⤵
  PID:1172

memory/1172-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download