yunsip | bb2e8d5dff2d43227873506554cfdcfea57eccdda4fe005a174b3df6379c6954

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 10:04

Target

bb2e8d5dff2d43227873506554cfdcfea57eccdda4fe005a174b3df6379c6954.dll
Size

590KB
MD5

32e360c84fd966775022c27d2fda9a20
SHA1

f37bd9bcd5db14810fdcdd848a9236d504c8c039
SHA256

bb2e8d5dff2d43227873506554cfdcfea57eccdda4fe005a174b3df6379c6954
SHA512

9ece21b6ac8786d3b2f01f675cfca7655dc56840b5310e8760c35fdc529cc90289e781af568803f772ab5b25c0d0da3a9d360f21ff6a6969cd8e90130e2672a2
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0+:jDgtfRQUHPw06MoV2nwTBlhm8m

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27
PID 860 wrote to memory of 1252	860	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2e8d5dff2d43227873506554cfdcfea57eccdda4fe005a174b3df6379c6954.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb2e8d5dff2d43227873506554cfdcfea57eccdda4fe005a174b3df6379c6954.dll,#1
  2⤵
  PID:1252

memory/1252-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download