yunsip | 55d56ff650ccc8e151182aeb5144d8c5ec281286ad5ba3756b29a972b5105643

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:29

Target

55d56ff650ccc8e151182aeb5144d8c5ec281286ad5ba3756b29a972b5105643.dll
Size

438KB
MD5

49753dd9fe4bede8e1791844db189080
SHA1

fd55ebeef85abb56d4d244822493dafea962af39
SHA256

55d56ff650ccc8e151182aeb5144d8c5ec281286ad5ba3756b29a972b5105643
SHA512

26b80a80d7b85952b67a2c3425d2f4d74f3b3864ab58f371ef18998c51338f21099206653fff368b1bad1c309baa11014dd58bc27db9e3becf5dcc0a281b2111
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDG:o6C5AXbMn7UI1FoV2gwTBlrIckPM

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27
PID 1900 wrote to memory of 2024	1900	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d56ff650ccc8e151182aeb5144d8c5ec281286ad5ba3756b29a972b5105643.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d56ff650ccc8e151182aeb5144d8c5ec281286ad5ba3756b29a972b5105643.dll,#1
  2⤵
  PID:2024

memory/2024-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download