yunsip | 41400e5183343536cb80fc20c4b1d00264c5baa8a00a4648d63fb80918c33bcc

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 22:04

Target

41400e5183343536cb80fc20c4b1d00264c5baa8a00a4648d63fb80918c33bcc.dll
Size

591KB
MD5

e568fc2e595c6d3562cf63a126e28280
SHA1

f4adb318543bcc0f9e52ac218e0ccbef4936c60b
SHA256

41400e5183343536cb80fc20c4b1d00264c5baa8a00a4648d63fb80918c33bcc
SHA512

0f25a32bade86509e4afcf2b66e80f3d15807249d7fa9e4c87a8ae2a7c26b36c54b48ac0456ab006638cc7ceab5f4358f91ae06dbffee309ef84dfd2820af54e
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0H:oDgtfRQUHPw06MoV2swTBlxm8v

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28
PID 2036 wrote to memory of 1852	2036	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41400e5183343536cb80fc20c4b1d00264c5baa8a00a4648d63fb80918c33bcc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\41400e5183343536cb80fc20c4b1d00264c5baa8a00a4648d63fb80918c33bcc.dll,#1
  2⤵
  PID:1852

memory/1852-55-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download