yunsip | b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:29

Target

b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll
Size

433KB
MD5

5b1c12525cb68670bdf9c2f1b4d59226
SHA1

50c4d1d7690a59aacdc8d012c35cbbf007c460b2
SHA256

b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c
SHA512

24cec7ff3e67f3ea306cccb2ecd79d46182210ae1361bc6401d9d9045ee049adae947b63ca0fb7a79402242393fbfed0d7477ef5b77a899df910cb8ba142aad2
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDy:o6C5AXbMn7UI1FoV2gwTBlrIckP4

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 1956	1636	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll,#1
2⤵
PID:1956

memory/1956-54-0x0000000000000000-mapping.dmp

Download
memory/1956-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download