yunsip | e326a4bc355e187429487d17f057a824f06c4f28eb3410dba2b8205b124fdbae

Analysis

max time kernel
26s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:34

Target

e326a4bc355e187429487d17f057a824f06c4f28eb3410dba2b8205b124fdbae.dll
Size

681KB
MD5

ebe260d301fa7f4c401b6aa7ad7c8d90
SHA1

dc1e9e2f8ad7ef4956320db8b2f7cb9bc87046c2
SHA256

e326a4bc355e187429487d17f057a824f06c4f28eb3410dba2b8205b124fdbae
SHA512

9a2910507102f93ef1b3937e940ac6e8caf047663251cc7f88af468b1839c7a88c64cf482f1dd400514449810a62395db60ea17e65248b2508c0b374ab55704b
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0J:jDgtfRQUHPw06MoV2nwTBlhm8x

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 960	2040	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e326a4bc355e187429487d17f057a824f06c4f28eb3410dba2b8205b124fdbae.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e326a4bc355e187429487d17f057a824f06c4f28eb3410dba2b8205b124fdbae.dll,#1
2⤵
PID:960

memory/960-54-0x0000000000000000-mapping.dmp

Download
memory/960-55-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download