yunsip | 4c5cee68a57b0c43302541f6b89d496d667f6d79b321b8865468ed2222b99ebe

Analysis

max time kernel
40s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 22:03

Target

4c5cee68a57b0c43302541f6b89d496d667f6d79b321b8865468ed2222b99ebe.dll
Size

216KB
MD5

a70b70c5030d4c4cc42b5d1638a35680
SHA1

d6a2772f97b45e659bd49d880ba15ab8a183ea37
SHA256

4c5cee68a57b0c43302541f6b89d496d667f6d79b321b8865468ed2222b99ebe
SHA512

9d13ec22888c716b2be3952be25b9fdf872855bb5aab38e9db3b116f5658155cb21943bd8212757897b1cd874982c062d58a8ced968cae85eadec6a0a3c70d10
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0f:jDgtfRQUHPw06MoV2nwTBlhm83

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28
PID 1788 wrote to memory of 1960	1788	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5cee68a57b0c43302541f6b89d496d667f6d79b321b8865468ed2222b99ebe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5cee68a57b0c43302541f6b89d496d667f6d79b321b8865468ed2222b99ebe.dll,#1
  2⤵
  PID:1960

memory/1960-55-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download