yunsip | d8d79511f8fe70fb5fd5a5637818d5db8d570f6f136725913e8e24dc5071ed5f

Analysis

max time kernel
3s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:40

Target

d8d79511f8fe70fb5fd5a5637818d5db8d570f6f136725913e8e24dc5071ed5f.dll
Size

429KB
MD5

1793160b219c5b87342b1213683bfe80
SHA1

ac2287f59e52953cb659ec6a4b81cbbd66f028d2
SHA256

d8d79511f8fe70fb5fd5a5637818d5db8d570f6f136725913e8e24dc5071ed5f
SHA512

3a030f6aced84350ea85d5bd6c054ba3dc52c7eb238e8868fe530f52de9726cd2eead836c5b3198ce19ff7fcba7fa20f027a4b6614c76ebb0483d0bac785cd64
SSDEEP

3072:aDKpt9sSR0HUHPwZWLnWVfEAzV2IMwTBftZmc+z+f3Q0J:aDgtfRQUHPw06MoV2dwTBlxm8h

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28
PID 564 wrote to memory of 960	564	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8d79511f8fe70fb5fd5a5637818d5db8d570f6f136725913e8e24dc5071ed5f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8d79511f8fe70fb5fd5a5637818d5db8d570f6f136725913e8e24dc5071ed5f.dll,#1
  2⤵
  PID:960

memory/960-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download