yunsip | 5a8c8e33ff027972bfd31369993f6c989cc84cc581a7c503c4569d6c36d3352b

Analysis

max time kernel
167s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 22:03

Target

5a8c8e33ff027972bfd31369993f6c989cc84cc581a7c503c4569d6c36d3352b.dll
Size

197KB
MD5

5383e0818175a2414deb01e3cfa1d707
SHA1

5e41bd1408c84bc15f9c9ccf1f379263ed06d4d3
SHA256

5a8c8e33ff027972bfd31369993f6c989cc84cc581a7c503c4569d6c36d3352b
SHA512

2bb3039f613edb1c432c4e38b1e4654f157c9922db9464a3f7b68a2d3d4fc01a44a9b2b3baf31bab8a4183d62de35517066b8b226496452614211af0b7c6d3bd
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q07:jDgtfRQUHPw06MoV2nwTBlhm8z

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 728	5092	rundll32.exe	83
PID 5092 wrote to memory of 728	5092	rundll32.exe	83
PID 5092 wrote to memory of 728	5092	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a8c8e33ff027972bfd31369993f6c989cc84cc581a7c503c4569d6c36d3352b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a8c8e33ff027972bfd31369993f6c989cc84cc581a7c503c4569d6c36d3352b.dll,#1
  2⤵
  PID:728