yunsip | b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0

Analysis

max time kernel
9s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 08:56

Target

b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll
Size

747KB
MD5

44d5623d3a8f02ef707f994f05254270
SHA1

7d9d82b88cac63e3295b262feda9f4a0c94bc22b
SHA256

b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0
SHA512

f37355fb1560e5456765460bf080661c681eff5751947821feb429ba32c98f4e83bacb7bcea6975bf57697fa693bb84622b32bfd0ccdb43351f493a53b09beae
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0n:jDgtfRQUHPw06MoV2nwTBlhm8/

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28
PID 1224 wrote to memory of 956	1224	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll,#1
  2⤵
  PID:956

memory/956-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download