yunsip | 331399dec1fcfedad29ee722e83a0a007c0027fe3840b4898c77007f3c8c58b4

Analysis

max time kernel
48s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:46

Target

331399dec1fcfedad29ee722e83a0a007c0027fe3840b4898c77007f3c8c58b4.dll
Size

511KB
MD5

cf272ccc82f2fd92967d6dced15551a0
SHA1

ba95df564c0de4dd6fcbd55f65bb693d716bdfd9
SHA256

331399dec1fcfedad29ee722e83a0a007c0027fe3840b4898c77007f3c8c58b4
SHA512

287599cd6f40896e27644d58dd5beb34e4865288bf8310c06463bd4fcb92ffc89bbabd75f3ffd5867b4596072582dc215d5be7eee0b070b64fac7e6da1008a37
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q0K:oDgtfRQUHPw06MoV2swTBlxm8C

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27
PID 1288 wrote to memory of 1524	1288	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\331399dec1fcfedad29ee722e83a0a007c0027fe3840b4898c77007f3c8c58b4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\331399dec1fcfedad29ee722e83a0a007c0027fe3840b4898c77007f3c8c58b4.dll,#1
  2⤵
  PID:1524

memory/1524-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download