yunsip | 4c56d3f48645afa4c30b2a2e56b933e0794bbedb8ac994bcb5b613a1e579267d

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 04:18

Target

4c56d3f48645afa4c30b2a2e56b933e0794bbedb8ac994bcb5b613a1e579267d.dll
Size

368KB
MD5

41461c161007c625c1e838d8b79cf168
SHA1

33576ef7164c3047d8a37f259fbd1eebd8250d4a
SHA256

4c56d3f48645afa4c30b2a2e56b933e0794bbedb8ac994bcb5b613a1e579267d
SHA512

b2934fd16493928495dec3cbcb60fcc657bd2b69148c5ecd66fb7ce9c22b1f5cc743f3d6c322decf447b251dc43d7fd093a98c0f88af77deba05ea918d91e93e
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDn:o6C5AXbMn7UI1FoV2gwTBlrIckPV

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe
PID 1292 wrote to memory of 1160	1292	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c56d3f48645afa4c30b2a2e56b933e0794bbedb8ac994bcb5b613a1e579267d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c56d3f48645afa4c30b2a2e56b933e0794bbedb8ac994bcb5b613a1e579267d.dll,#1
2⤵
PID:1160

memory/1160-54-0x0000000000000000-mapping.dmp

Download
memory/1160-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download