yunsip | 79433f797916abe8b31e1e6b89f90fe9a089ba2efd794d1eb80770c1d7bf638e

Analysis

max time kernel
38s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:54

Target

79433f797916abe8b31e1e6b89f90fe9a089ba2efd794d1eb80770c1d7bf638e.dll
Size

485KB
MD5

34766dc224bf780507e42638494ee380
SHA1

13a6cef1172b4e099f6ebe07d29cce59b9896d3b
SHA256

79433f797916abe8b31e1e6b89f90fe9a089ba2efd794d1eb80770c1d7bf638e
SHA512

9af3fbbdabe01b78def8eaa121065bf81e4e69e7cb26c40f689ec83f6e817692d73a03119116b9378af22fb21d03b1d5e1ef51abde15e825a0406bb566dc1058
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0q:jDgtfRQUHPw06MoV2nwTBlhm8C

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27
PID 1948 wrote to memory of 1928	1948	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\79433f797916abe8b31e1e6b89f90fe9a089ba2efd794d1eb80770c1d7bf638e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\79433f797916abe8b31e1e6b89f90fe9a089ba2efd794d1eb80770c1d7bf638e.dll,#1
  2⤵
  PID:1928

memory/1928-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download