yunsip | f9b594774c6c9ec8aa4c2b67b2008e306c23ba94905c7f9868e754651130464f

Analysis

max time kernel
34s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 02:42

Target

f9b594774c6c9ec8aa4c2b67b2008e306c23ba94905c7f9868e754651130464f.dll
Size

235KB
MD5

0e3705fae4e53ed938fb4a24d04f0ef3
SHA1

4311b59c2ac76f38753c8ff3bdb9bc547fe380c3
SHA256

f9b594774c6c9ec8aa4c2b67b2008e306c23ba94905c7f9868e754651130464f
SHA512

cc93708a3f403a5e621e11d4e9529753d010dbb8357dccb04b79ef331266d6568a45c35c273ddfe0d3f4297b77092ba70c75ec8418840a0a0c340881df00ba79
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0f:jDgtfRQUHPw06MoV2nwTBlhm83

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 2032	784	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9b594774c6c9ec8aa4c2b67b2008e306c23ba94905c7f9868e754651130464f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9b594774c6c9ec8aa4c2b67b2008e306c23ba94905c7f9868e754651130464f.dll,#1
2⤵
PID:2032

memory/2032-54-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download