yunsip | 749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778

Analysis

max time kernel
249s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 12:54

Target

749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll
Size

249KB
MD5

6988b6d11cb1427fe3380a024bc99d16
SHA1

72f908656fe4d17c4e79b2b0c5355e5a173d6f18
SHA256

749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778
SHA512

742e73def3d691e1b88b064be296cd9e62a9e43eb737a4083824e596bd5bd6e073adcbec3584d5851bd0f928ed2b818e37c374029ae15524bcd774c62dc2a025
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0k:jDgtfRQUHPw06MoV2nwTBlhm8M

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4068	1088	rundll32.exe	80
PID 1088 wrote to memory of 4068	1088	rundll32.exe	80
PID 1088 wrote to memory of 4068	1088	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll,#1
  2⤵
  PID:4068