yunsip | b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 08:56

Target

b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll
Size

747KB
MD5

44d5623d3a8f02ef707f994f05254270
SHA1

7d9d82b88cac63e3295b262feda9f4a0c94bc22b
SHA256

b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0
SHA512

f37355fb1560e5456765460bf080661c681eff5751947821feb429ba32c98f4e83bacb7bcea6975bf57697fa693bb84622b32bfd0ccdb43351f493a53b09beae
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0n:jDgtfRQUHPw06MoV2nwTBlhm8/

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1316	3444	rundll32.exe	83
PID 3444 wrote to memory of 1316	3444	rundll32.exe	83
PID 3444 wrote to memory of 1316	3444	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d8098d64c04ddbe73311117ec201590282bd4d5ee95c185c294d014c6f6ad0.dll,#1
  2⤵
  PID:1316