yunsip | 076b28040f878e98a268316aef841e2d8d74953bd5ec56758f3bd52f9e160f47

Analysis

max time kernel
36s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:21

Target

076b28040f878e98a268316aef841e2d8d74953bd5ec56758f3bd52f9e160f47.dll
Size

241KB
MD5

2037bd20c7e77dcf9592544793a56c3d
SHA1

ce459ef044a2bb1afbc96a60a13954bd6e575c4b
SHA256

076b28040f878e98a268316aef841e2d8d74953bd5ec56758f3bd52f9e160f47
SHA512

7f6328557858fc4fd58e25c9cda49643f784631b42799ecbb7775f88c185c37e098ccd33f4ea486642a2513e01819d5eea14319b2ca11758ca35dce5ffa4111c
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDf:o6C5AXbMn7UI1FoV2gwTBlrIckPx

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28
PID 1324 wrote to memory of 1964	1324	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\076b28040f878e98a268316aef841e2d8d74953bd5ec56758f3bd52f9e160f47.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\076b28040f878e98a268316aef841e2d8d74953bd5ec56758f3bd52f9e160f47.dll,#1
  2⤵
  PID:1964

memory/1964-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download