yunsip | 0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c

Analysis

max time kernel
154s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 12:56

Target

0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll
Size

324KB
MD5

a7330e7effd081a8e1a3d398af353e20
SHA1

f87e276adeb199a3cf3f732aab8b40ef78b024f9
SHA256

0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c
SHA512

43597da36cb10286716a7b851e52d6952d9f3f2fe92d94dc3311f305d51b6338c6d27a61de56dadf802694d43999f241ae599e3f546f4dcc9907dbe577856c3f
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q06:jDgtfRQUHPw06MoV2nwTBlhm8y

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 760 wrote to memory of 3304	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 3304	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 3304	760	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b4690a8997af10979d0f4d1a70e008a26a68df5d5c50f0190f21f7b6632767c.dll,#1
2⤵
PID:3304