yunsip | a9d647f48cc7d3c6cf6aaf975f32ffea9e1425b0c0164255e2c454d25f328bf5

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2022 10:04

Target

a9d647f48cc7d3c6cf6aaf975f32ffea9e1425b0c0164255e2c454d25f328bf5.dll
Size

701KB
MD5

01f25030a3c8ec19e09ffe3b806f63c0
SHA1

31ff9a22f3bdb528ddbbca509068c13d5c2a095a
SHA256

a9d647f48cc7d3c6cf6aaf975f32ffea9e1425b0c0164255e2c454d25f328bf5
SHA512

afd4b61d58d394895807e4fa7436b3ec466d973ffafadfe849a93386466e0c85308b1fefcc058a33c8551af3b5d712feea9b0de75b51768b589b0694035ee96d
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0o2gqTNY4a:jDgtfRQUHPw06MoV2nwTBlhm8pgqTm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2012	2352	rundll32.exe	84
PID 2352 wrote to memory of 2012	2352	rundll32.exe	84
PID 2352 wrote to memory of 2012	2352	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9d647f48cc7d3c6cf6aaf975f32ffea9e1425b0c0164255e2c454d25f328bf5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9d647f48cc7d3c6cf6aaf975f32ffea9e1425b0c0164255e2c454d25f328bf5.dll,#1
  2⤵
  PID:2012