yunsip | 908c33ff27e37c9e9f90bb333eb10ed8990e432ffec2b9e71501357a108f33f2

Analysis

max time kernel
11s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:53

Target

908c33ff27e37c9e9f90bb333eb10ed8990e432ffec2b9e71501357a108f33f2.dll
Size

251KB
MD5

b149c054688c5631390ea0529350c820
SHA1

ce2498dbbaf2a63ae9de6f3b6a0573214448f206
SHA256

908c33ff27e37c9e9f90bb333eb10ed8990e432ffec2b9e71501357a108f33f2
SHA512

f8d3ccb5910d2f8730fa7485dea68edc364c8b0e21bab737b19c9a6eebf6e76f451dbb2f24b91fe8ffd7456d81276f9d2951b105664386c05537ededc9aeb04e
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0E:jDgtfRQUHPw06MoV2nwTBlhm8c

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27
PID 1636 wrote to memory of 1732	1636	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\908c33ff27e37c9e9f90bb333eb10ed8990e432ffec2b9e71501357a108f33f2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\908c33ff27e37c9e9f90bb333eb10ed8990e432ffec2b9e71501357a108f33f2.dll,#1
  2⤵
  PID:1732

memory/1732-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download