yunsip | 49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06

Analysis

max time kernel
196s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 12:56

Target

49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll
Size

512KB
MD5

74f363ed8bf52edc24129d3efcf979d0
SHA1

a81c5ad9891c4d31be2e060cc7d5c58bb9e151db
SHA256

49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06
SHA512

ec157ef52c7e8e4c0f7df9b36f4e4ee7392928abb2c1ab74526226181611caa96887f4ebcfb3d01036a9053e97e9b1e931d6fb5e244a1d36c861b9f229447612
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0y:oDgtfRQUHPw06MoV2swTBlxm8q

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1536	224	rundll32.exe	81
PID 224 wrote to memory of 1536	224	rundll32.exe	81
PID 224 wrote to memory of 1536	224	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\49a71380f18c7a56816e4128fd21749d64c66742f9a65f6becca16a16caeac06.dll,#1
  2⤵
  PID:1536