yunsip | 8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16

Analysis

max time kernel
25s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:43

Target

8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll
Size

209KB
MD5

1cf8f0a7d0ec06561c2135e2f527c705
SHA1

6ce3fc29d7b26115ce7b5967b2cebce7064fc640
SHA256

8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16
SHA512

c6c91a771104f5cf33bcb7a0727244c9bda17acfb2ece342677de740bb641c492b815bd6d5b5a309593bc77362c66f62d07fd45cd8e95a1e849f4cc902c4862f
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0T:jDgtfRQUHPw06MoV2nwTBlhm8L

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27
PID 616 wrote to memory of 1516	616	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll,#1
  2⤵
  PID:1516

memory/1516-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download