yunsip | 35a4f50316f1de8ae45ac2dc070e6fb74f7edb8fe6e470b9963da6ae59313bc5

Analysis

max time kernel
171s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 17:21

Target

35a4f50316f1de8ae45ac2dc070e6fb74f7edb8fe6e470b9963da6ae59313bc5.dll
Size

827KB
MD5

21498ab70f980a9b884ba59721d08c20
SHA1

123e3a52c7ec27b1f2863b3236301b24ce96c3b4
SHA256

35a4f50316f1de8ae45ac2dc070e6fb74f7edb8fe6e470b9963da6ae59313bc5
SHA512

b924e041e77069e449c66e12c5ad9ba9320800456e9dd79baed0da0a51c3c511ef551cf2b7adc98cefa7c6969a982cf416694b661414ca9df64b7c2338617641
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYD:o6RI1Fo/wT3cJYYYYYYYYYYYYD

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 308 wrote to memory of 3984	308	rundll32.exe	rundll32.exe
PID 308 wrote to memory of 3984	308	rundll32.exe	rundll32.exe
PID 308 wrote to memory of 3984	308	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35a4f50316f1de8ae45ac2dc070e6fb74f7edb8fe6e470b9963da6ae59313bc5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35a4f50316f1de8ae45ac2dc070e6fb74f7edb8fe6e470b9963da6ae59313bc5.dll,#1
2⤵
PID:3984