yunsip | 49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06

Analysis

max time kernel
71s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll
Size

512KB
MD5

74f363ed8bf52edc24129d3efcf979d0
SHA1

a81c5ad9891c4d31be2e060cc7d5c58bb9e151db
SHA256

49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06
SHA512

ec157ef52c7e8e4c0f7df9b36f4e4ee7392928abb2c1ab74526226181611caa96887f4ebcfb3d01036a9053e97e9b1e931d6fb5e244a1d36c861b9f229447612
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0y:oDgtfRQUHPw06MoV2swTBlxm8q

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28
PID 340 wrote to memory of 1544	340	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll,#1
  2⤵
  PID:1544

memory/1544-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download