yunsip | f47f436364234ec9b38efb1b581d7c251464f7f56667d648af13b98318becbb7

Analysis

max time kernel
2s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 02:42

Target

f47f436364234ec9b38efb1b581d7c251464f7f56667d648af13b98318becbb7.dll
Size

379KB
MD5

3f535a9bfc21fd547bbcb3a0f2771000
SHA1

94fba08f53e729d5cf0e2c7b691121634e7f3623
SHA256

f47f436364234ec9b38efb1b581d7c251464f7f56667d648af13b98318becbb7
SHA512

cee618e3d36c4a327fa04014556b9f9aa6a8bffb54a6dd593d5a9e5b306ad82aaafe21dd50e0ad9b729d0d874f650fad1240c9b70d627f3866c168a9bd3d208e
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0s:jDgtfRQUHPw06MoV2nwTBlhm8E

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28
PID 1948 wrote to memory of 964	1948	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f47f436364234ec9b38efb1b581d7c251464f7f56667d648af13b98318becbb7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f47f436364234ec9b38efb1b581d7c251464f7f56667d648af13b98318becbb7.dll,#1
  2⤵
  PID:964

memory/964-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download