yunsip | 2f918a21b1b7fca8e82505e279cdd7e1b9f40a5d7c8d7bcab15c74b20bcc75ce

Analysis

max time kernel
7s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 22:04

Target

2f918a21b1b7fca8e82505e279cdd7e1b9f40a5d7c8d7bcab15c74b20bcc75ce.dll
Size

278KB
MD5

38fc660535427fedfce7702938a3a930
SHA1

f8409fd6aac6d9eb76d00095c5edf85a02e1ab9b
SHA256

2f918a21b1b7fca8e82505e279cdd7e1b9f40a5d7c8d7bcab15c74b20bcc75ce
SHA512

b97c3e073eb030764515e2b73e61c0d98871ac15a298fddf92935490d6e6b217a908e0cb8b474aebc83ccde8362be54543c141b18dda65b4e22601304aa3e30f
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0q:jDgtfRQUHPw06MoV2nwTBlhm8y

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28
PID 964 wrote to memory of 240	964	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f918a21b1b7fca8e82505e279cdd7e1b9f40a5d7c8d7bcab15c74b20bcc75ce.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f918a21b1b7fca8e82505e279cdd7e1b9f40a5d7c8d7bcab15c74b20bcc75ce.dll,#1
  2⤵
  PID:240

memory/240-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download