yunsip | 344463963ed0c758f4a1201242e8f68ef72d3c87376ca8f4d9ec170e140df29b

Analysis

max time kernel
23s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

344463963ed0c758f4a1201242e8f68ef72d3c87376ca8f4d9ec170e140df29b.dll
Size

306KB
MD5

d1bdd603b433afc8adaa3ebc391401c0
SHA1

8dd39d04c7916390090a1672c157a5df7c9c2cc9
SHA256

344463963ed0c758f4a1201242e8f68ef72d3c87376ca8f4d9ec170e140df29b
SHA512

1cb62f440f4804adaa27f54f85ac4d93d736f5b09864376d428d406ec18ba0b6a3725d222161b75c552a17455fbfea7284a822c6416ec8bc24d213b0e8f464ef
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0W:jDgtfRQUHPw06MoV2nwTBlhm8O

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1220	892	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\344463963ed0c758f4a1201242e8f68ef72d3c87376ca8f4d9ec170e140df29b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\344463963ed0c758f4a1201242e8f68ef72d3c87376ca8f4d9ec170e140df29b.dll,#1
2⤵
PID:1220

memory/1220-54-0x0000000000000000-mapping.dmp

Download
memory/1220-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download