yunsip | d4835f01eec094d7b69606d7fd152b314976938e1cc588347c59d534cf407ea1

Analysis

max time kernel
17s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:50

Target

d4835f01eec094d7b69606d7fd152b314976938e1cc588347c59d534cf407ea1.dll
Size

356KB
MD5

18b6c681d44ccc9e782105805f84347e
SHA1

7a5389592ac6a762c8a50cc3dd6f96e79c063f7b
SHA256

d4835f01eec094d7b69606d7fd152b314976938e1cc588347c59d534cf407ea1
SHA512

b5ebc47dabb49a97e462f539386c7c10ab2aacb81b949b839a26a64f207c3d58e208cb5ad8296daf58af3cccc7365b0f93ba8e57cc22515c01c6c772e546c82e
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0d:jDgtfRQUHPw06MoV2nwTBlhm8V

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28
PID 1728 wrote to memory of 968	1728	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4835f01eec094d7b69606d7fd152b314976938e1cc588347c59d534cf407ea1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4835f01eec094d7b69606d7fd152b314976938e1cc588347c59d534cf407ea1.dll,#1
  2⤵
  PID:968

memory/968-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download