yunsip | c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 02:43

Target

c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll
Size

215KB
MD5

e7ccc9360ab7be9f919eaf5a0af64e0f
SHA1

9d97fedea35c0d2de430903bf28066f222248f7a
SHA256

c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3
SHA512

f1c159a200708f50651bd2aa18685d29e048c651db2e36d42b7b970390125833e91724d103ffea0a98861c11ec1ef7fb55776f58ae4eb03d559351eba5e80978
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0y:jDgtfRQUHPw06MoV2nwTBlhm86

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 840	1376	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c51d4514e9cbd14ce193c47bfe548eb607e408d63368f897d6a45ce519aae4d3.dll,#1
2⤵
PID:840

memory/840-54-0x0000000000000000-mapping.dmp

Download
memory/840-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download