yunsip | 4a1b977d36bfa87e86463e6f7057462c013d955d48ca20d2fa741156e299b892

Analysis

max time kernel
13s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:46

Target

4a1b977d36bfa87e86463e6f7057462c013d955d48ca20d2fa741156e299b892.dll
Size

575KB
MD5

331b943a367fc823c8e2280b34da4640
SHA1

0ee280f60abc03f0a857087f8df7cd6516bde2b4
SHA256

4a1b977d36bfa87e86463e6f7057462c013d955d48ca20d2fa741156e299b892
SHA512

f1c83e4db84b4d40ffde8dc7ffefd1d6e645dabecde5de005f3960924b0bcbc67a79ab40c499713b758362a7fb6a3022b420e6247bd17a71adf28762f295040a
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0E:oDgtfRQUHPw06MoV2swTBlxm8s

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1284	912	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a1b977d36bfa87e86463e6f7057462c013d955d48ca20d2fa741156e299b892.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a1b977d36bfa87e86463e6f7057462c013d955d48ca20d2fa741156e299b892.dll,#1
2⤵
PID:1284

memory/1284-54-0x0000000000000000-mapping.dmp

Download
memory/1284-55-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download