yunsip | f0c6f15eff9734eba6fe8083eebbff6c336cae085eb259a809c5228aa6ac011d

Analysis

max time kernel
324s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 21:58

Target

f0c6f15eff9734eba6fe8083eebbff6c336cae085eb259a809c5228aa6ac011d.dll
Size

541KB
MD5

94d5e215e766ffdc0185c0c7f46baaa0
SHA1

9c3111c6d06eaf28696dd07270519bc3227d19e4
SHA256

f0c6f15eff9734eba6fe8083eebbff6c336cae085eb259a809c5228aa6ac011d
SHA512

29c0ca0e6ac22c7b673dd3c5683221eca3830029a937a3c964cb073c5331f7f27f9724d72858ac9ebfa3d604f3c34f68489094af441fe492a8d691aba2582060
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0i:jDgtfRQUHPw06MoV2nwTBlhm8q

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4596	4612	rundll32.exe	79
PID 4612 wrote to memory of 4596	4612	rundll32.exe	79
PID 4612 wrote to memory of 4596	4612	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0c6f15eff9734eba6fe8083eebbff6c336cae085eb259a809c5228aa6ac011d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0c6f15eff9734eba6fe8083eebbff6c336cae085eb259a809c5228aa6ac011d.dll,#1
  2⤵
  PID:4596