yunsip | 6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 17:21

Target

6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll
Size

982KB
MD5

0a59cea951a8170d66e3921177bfd91c
SHA1

00432636035643b4aeeb097543d2f7a75d2f4f65
SHA256

6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d
SHA512

3cd2818ca629cf8f35c7bec8f7061b92cb8fa4f4694c1e33937462a953b8ac722f06c3832eff415031049dd1177fdeee6b49ba791d37ff5d6cdbd0aefddf32e0
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZD6:o6C5AXbMn7UI1FoV2gwTBlrIckPs

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4756	5056	rundll32.exe	84
PID 5056 wrote to memory of 4756	5056	rundll32.exe	84
PID 5056 wrote to memory of 4756	5056	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b1fc11a3e66a0eeb933b24aa199ced172a249890eaf85d90c1ef3fc395c1a3d.dll,#1
  2⤵
  PID:4756