yunsip | 5812fd07c00eae84647ae2f065dcc64d60d59e08a218be2f3322cf6ec7d91d3e

Analysis

max time kernel
77s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 05:22

Target

5812fd07c00eae84647ae2f065dcc64d60d59e08a218be2f3322cf6ec7d91d3e.dll
Size

357KB
MD5

7e52e65b3563902830b964ba4197958f
SHA1

6444152508aff131a55bc4189e4b1f5b4c03c010
SHA256

5812fd07c00eae84647ae2f065dcc64d60d59e08a218be2f3322cf6ec7d91d3e
SHA512

ae8c6900191f56ffbe8a3c517a955a5a3f1d47478344fa66f40363b5a12db6b2bf27e125face02cd16abeb15e128058e9ecb7e7faf6e857cf9d1b056796a72dd
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0z:jDgtfRQUHPw06MoV2nwTBlhm8r

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe
PID 668 wrote to memory of 1680	668	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5812fd07c00eae84647ae2f065dcc64d60d59e08a218be2f3322cf6ec7d91d3e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5812fd07c00eae84647ae2f065dcc64d60d59e08a218be2f3322cf6ec7d91d3e.dll,#1
2⤵
PID:1680

memory/1680-54-0x0000000000000000-mapping.dmp

Download
memory/1680-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download