yunsip | c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 02:43

Target

c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll
Size

215KB
MD5

e7ccc9360ab7be9f919eaf5a0af64e0f
SHA1

9d97fedea35c0d2de430903bf28066f222248f7a
SHA256

c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3
SHA512

f1c159a200708f50651bd2aa18685d29e048c651db2e36d42b7b970390125833e91724d103ffea0a98861c11ec1ef7fb55776f58ae4eb03d559351eba5e80978
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0y:jDgtfRQUHPw06MoV2nwTBlhm86

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll,#1
  2⤵
  PID:840

memory/840-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download