yunsip | 11dfdc2c94b4fd29b3abdd0e59548279773ca591e6ee989515a58532758de2a8

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

11dfdc2c94b4fd29b3abdd0e59548279773ca591e6ee989515a58532758de2a8.dll
Size

231KB
MD5

73172eb205e7be53c8650181fa90f330
SHA1

2c1e33272826b529def3c1ff6164d6d0b3ce319d
SHA256

11dfdc2c94b4fd29b3abdd0e59548279773ca591e6ee989515a58532758de2a8
SHA512

c708629b5991da4fcd3d23afaeac20742ceb33eca7d8d952986f1572d8ea9601479b692dab8af0d3ea7054d250a8bb03b39a968f6b2fd66a02795e15db62d784
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0J:jDgtfRQUHPw06MoV2nwTBlhm8R

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26
PID 1564 wrote to memory of 1256	1564	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11dfdc2c94b4fd29b3abdd0e59548279773ca591e6ee989515a58532758de2a8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\11dfdc2c94b4fd29b3abdd0e59548279773ca591e6ee989515a58532758de2a8.dll,#1
  2⤵
  PID:1256

memory/1256-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download