yunsip | d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 21:59

Target

d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll
Size

200KB
MD5

bce60ef8fe41e9c4ad1312e28e922000
SHA1

b369a5144f86f5064a6307c17e6b4a039ad847d3
SHA256

d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a
SHA512

cd639a7ba7a48272d805959b064b69cdc23aa947dc72055ca32eb0a84a30e8d7fcd657f8f21a1f7e496e5e12425e495fc4dd1eee362a46a451b378b84fa6c472
SSDEEP

3072:ZDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q03:ZDgtfRQUHPw06MoV2nwTBlhm8P

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27
PID 900 wrote to memory of 1416	900	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll,#1
  2⤵
  PID:1416

memory/1416-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download