yunsip | 3dc6d14bc48ee2892c12c2a83afea5be5a5fd3477c94eca1be2c7fc36559f610

Analysis

max time kernel
31s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

3dc6d14bc48ee2892c12c2a83afea5be5a5fd3477c94eca1be2c7fc36559f610.dll
Size

548KB
MD5

663fca5dd1e11dd39cc4645fb320ffb0
SHA1

e92cf50896c250fde3022639557ba5dc3fdac09c
SHA256

3dc6d14bc48ee2892c12c2a83afea5be5a5fd3477c94eca1be2c7fc36559f610
SHA512

4373356cf5fab11cd8cb2cc73c98109ea4136a2b7620e6a6fcd65644b6e11232f35f49f19bfdc512f61d28d8dad55d83b89517d1f8b80c9775d8652b2fbbcb36
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0w:jDgtfRQUHPw06MoV2nwTBlhm8o

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26
PID 1988 wrote to memory of 1964	1988	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc6d14bc48ee2892c12c2a83afea5be5a5fd3477c94eca1be2c7fc36559f610.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc6d14bc48ee2892c12c2a83afea5be5a5fd3477c94eca1be2c7fc36559f610.dll,#1
  2⤵
  PID:1964

memory/1964-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download