yunsip | 803401bdeaff7d2ba6ea4ee68351bbce9bdb2f3523f60d974ced72e6c80dd33e

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:54

Target

803401bdeaff7d2ba6ea4ee68351bbce9bdb2f3523f60d974ced72e6c80dd33e.dll
Size

607KB
MD5

d15af39586f75dc18571074238bc7850
SHA1

257bbec7e72ea30ba100c17ae80a11e75f3de562
SHA256

803401bdeaff7d2ba6ea4ee68351bbce9bdb2f3523f60d974ced72e6c80dd33e
SHA512

d050ae009359fbd07ef3c1b8b168435c468b0c1a4172586f08807e95afd0325523e96a2b99a78a768b2e6f396e47e5a44545eb5825355374f8796474888358fc
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0D:oDgtfRQUHPw06MoV2swTBlxm87

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe
PID 328 wrote to memory of 852	328	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803401bdeaff7d2ba6ea4ee68351bbce9bdb2f3523f60d974ced72e6c80dd33e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803401bdeaff7d2ba6ea4ee68351bbce9bdb2f3523f60d974ced72e6c80dd33e.dll,#1
2⤵
PID:852

memory/852-54-0x0000000000000000-mapping.dmp

Download
memory/852-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download