yunsip | 967f398e78ae8f050cb87808ad5a3df9c471ebf7c04b0632e3b19454922f7395

Analysis

max time kernel
70s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:43

Target

967f398e78ae8f050cb87808ad5a3df9c471ebf7c04b0632e3b19454922f7395.dll
Size

530KB
MD5

1fb3b13f88c22618cf29492647e570f0
SHA1

4bc977e3c4da630b2b784d81c0b209ccdbaf009e
SHA256

967f398e78ae8f050cb87808ad5a3df9c471ebf7c04b0632e3b19454922f7395
SHA512

db64689d277d66b5e41cb2ebb2e69ee0d5a07320d03e5761ff3abfb8a9555f175efc8776b329014ed12d1c8f74315841d4281db357b52d2d4af599382a67418b
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0N:oDgtfRQUHPw06MoV2swTBlxm8l

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28
PID 2020 wrote to memory of 1980	2020	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\967f398e78ae8f050cb87808ad5a3df9c471ebf7c04b0632e3b19454922f7395.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\967f398e78ae8f050cb87808ad5a3df9c471ebf7c04b0632e3b19454922f7395.dll,#1
  2⤵
  PID:1980

memory/1980-55-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download