yunsip | 0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll
Size

324KB
MD5

a7330e7effd081a8e1a3d398af353e20
SHA1

f87e276adeb199a3cf3f732aab8b40ef78b024f9
SHA256

0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c
SHA512

43597da36cb10286716a7b851e52d6952d9f3f2fe92d94dc3311f305d51b6338c6d27a61de56dadf802694d43999f241ae599e3f546f4dcc9907dbe577856c3f
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q06:jDgtfRQUHPw06MoV2nwTBlhm8y

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28
PID 996 wrote to memory of 952	996	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll,#1
  2⤵
  PID:952

memory/952-55-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download