yunsip | 3849dbb0e89b780d356ba3ef06e2a7aea39f38d641725b755c504dc0fece8080

Analysis

max time kernel
145s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 08:46

Target

3849dbb0e89b780d356ba3ef06e2a7aea39f38d641725b755c504dc0fece8080.dll
Size

616KB
MD5

f63c8727f8f1c11ccaee4322af2e2b50
SHA1

83e309aa2994a80a234d4f34f31814a46732540a
SHA256

3849dbb0e89b780d356ba3ef06e2a7aea39f38d641725b755c504dc0fece8080
SHA512

01bcc8dfa7e476cbc7cebd4837c0500d3c4b000070dced5d9d25f98e5a719fe5f83552e84e3e21e11dac0eee8216bd9888b494aecd33584a52b2247ddbb2c51a
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q00:oDgtfRQUHPw06MoV2swTBlxm88

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3624	2116	rundll32.exe	83
PID 2116 wrote to memory of 3624	2116	rundll32.exe	83
PID 2116 wrote to memory of 3624	2116	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3849dbb0e89b780d356ba3ef06e2a7aea39f38d641725b755c504dc0fece8080.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3849dbb0e89b780d356ba3ef06e2a7aea39f38d641725b755c504dc0fece8080.dll,#1
  2⤵
  PID:3624