yunsip | b4afa6e5ddfcb3dd04cab7161b5f3947e602d65fdfb450fabf3f49c373b9bf0c

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 02:44

Target

b4afa6e5ddfcb3dd04cab7161b5f3947e602d65fdfb450fabf3f49c373b9bf0c.dll
Size

300KB
MD5

a6df570744da7f07b4ab6b0e8559e271
SHA1

3cd78c9f101a507f12fceb2bc2b44a11e573a6f9
SHA256

b4afa6e5ddfcb3dd04cab7161b5f3947e602d65fdfb450fabf3f49c373b9bf0c
SHA512

7230cdee5d223a261402f1f4f22f0bee89e75e590b7cd06f374ed58c8ec96e1c824d47a722bb97d6c195f517736ed9f4d1bd33dc01fb807932559a63340845e7
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q08:jDgtfRQUHPw06MoV2nwTBlhm8E

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1056	4256	rundll32.exe	81
PID 4256 wrote to memory of 1056	4256	rundll32.exe	81
PID 4256 wrote to memory of 1056	4256	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4afa6e5ddfcb3dd04cab7161b5f3947e602d65fdfb450fabf3f49c373b9bf0c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4afa6e5ddfcb3dd04cab7161b5f3947e602d65fdfb450fabf3f49c373b9bf0c.dll,#1
  2⤵
  PID:1056