yunsip | 3e48e87813c100363cd0df6659a9dd9b9d481d4f47919ac0698c7b83930d096a

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

3e48e87813c100363cd0df6659a9dd9b9d481d4f47919ac0698c7b83930d096a.dll
Size

280KB
MD5

2fc145976be49b8e5de37c6ec04fd4a0
SHA1

c5ee7206734edb9c4b0a1e5189ea421e44c7a92e
SHA256

3e48e87813c100363cd0df6659a9dd9b9d481d4f47919ac0698c7b83930d096a
SHA512

420076acd02c2c1826e6ed3534744566ce1589e98573c8492e9cc534c83f7619f5ad2db936ebc177c50f7039b5037eefa02063ca72f0ccc49977cadc9c9eac49
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0v:jDgtfRQUHPw06MoV2nwTBlhm83

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27
PID 1444 wrote to memory of 1948	1444	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e48e87813c100363cd0df6659a9dd9b9d481d4f47919ac0698c7b83930d096a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e48e87813c100363cd0df6659a9dd9b9d481d4f47919ac0698c7b83930d096a.dll,#1
  2⤵
  PID:1948

memory/1948-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download