yunsip | b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 18:29

Target

b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll
Size

433KB
MD5

5b1c12525cb68670bdf9c2f1b4d59226
SHA1

50c4d1d7690a59aacdc8d012c35cbbf007c460b2
SHA256

b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c
SHA512

24cec7ff3e67f3ea306cccb2ecd79d46182210ae1361bc6401d9d9045ee049adae947b63ca0fb7a79402242393fbfed0d7477ef5b77a899df910cb8ba142aad2
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDy:o6C5AXbMn7UI1FoV2gwTBlrIckP4

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2260	2472	rundll32.exe	83
PID 2472 wrote to memory of 2260	2472	rundll32.exe	83
PID 2472 wrote to memory of 2260	2472	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4c3a3da649e7a85c6a2bb283a77c0e98ceee6f5fe4e0bddc08d7020a645885c.dll,#1
  2⤵
  PID:2260