yunsip | cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1

Analysis

max time kernel
82s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 21:59

Target

cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll
Size

317KB
MD5

33dfb1986a1003f8d7fcb91804ba1988
SHA1

b4c1f201cf24c9b23dfc1e4572d831d6fdeab69a
SHA256

cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1
SHA512

b5372d098ce593b5e239e74622daf18650f55c0d80ae49bbb4ea3961d0f0ae11eb90cb6a59396e8c70bbb7ed70fb0a78d0fa65ec6cec32a29fef982b2f991a1c
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q08:jDgtfRQUHPw06MoV2nwTBlhm8k

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28
PID 1164 wrote to memory of 1068	1164	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll,#1
  2⤵
  PID:1068

memory/1068-55-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download