yunsip | 6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:21

Target

6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll
Size

982KB
MD5

0a59cea951a8170d66e3921177bfd91c
SHA1

00432636035643b4aeeb097543d2f7a75d2f4f65
SHA256

6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d
SHA512

3cd2818ca629cf8f35c7bec8f7061b92cb8fa4f4694c1e33937462a953b8ac722f06c3832eff415031049dd1177fdeee6b49ba791d37ff5d6cdbd0aefddf32e0
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZD6:o6C5AXbMn7UI1FoV2gwTBlrIckPs

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1396	1600	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll,#1
2⤵
PID:1396

memory/1396-54-0x0000000000000000-mapping.dmp

Download
memory/1396-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download