yunsip | 40a23b0fb20ebf7e31d104681ec2401e3ed259da942a66adc4961d5111efb59f

Analysis

max time kernel
24s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 10:04

Target

40a23b0fb20ebf7e31d104681ec2401e3ed259da942a66adc4961d5111efb59f.dll
Size

600KB
MD5

13fac4bfb169a08feaa9c23112fe9f70
SHA1

173cc83eb166403995b1c0b13978f46aadc141bc
SHA256

40a23b0fb20ebf7e31d104681ec2401e3ed259da942a66adc4961d5111efb59f
SHA512

868a3201194f4c53e5ee3586cab72b277284e7787fb2701107242ced12431c08c265f2e663c95b0b71c178b3aa9f23596fdc517a8c1fc25f3c62418c3adfd627
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0X:jDgtfRQUHPw06MoV2nwTBlhm8f

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28
PID 1260 wrote to memory of 1792	1260	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\40a23b0fb20ebf7e31d104681ec2401e3ed259da942a66adc4961d5111efb59f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\40a23b0fb20ebf7e31d104681ec2401e3ed259da942a66adc4961d5111efb59f.dll,#1
  2⤵
  PID:1792

memory/1792-55-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download