yunsip | b0af7d29c3a7665389ec805deb6b035814ef4be83bc4147484f6dbc34cfb0d3a

Analysis

max time kernel
36s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:39

Target

b0af7d29c3a7665389ec805deb6b035814ef4be83bc4147484f6dbc34cfb0d3a.dll
Size

294KB
MD5

74773b5ea39c25876cb2e36725c3b9c4
SHA1

c70e3c6ab1be1edca9175c118eda59b8dddd990d
SHA256

b0af7d29c3a7665389ec805deb6b035814ef4be83bc4147484f6dbc34cfb0d3a
SHA512

a5b9044f107d31d7eca4ab0da7fd554cae01682cb054ad5e4fa862b96ba8d28febcaec1e5c0aa0052e838b2e50ce375deb006f17f66d6096ead1e923ec44c77b
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0O:jDgtfRQUHPw06MoV2nwTBlhm8m

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26
PID 1424 wrote to memory of 1852	1424	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0af7d29c3a7665389ec805deb6b035814ef4be83bc4147484f6dbc34cfb0d3a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0af7d29c3a7665389ec805deb6b035814ef4be83bc4147484f6dbc34cfb0d3a.dll,#1
  2⤵
  PID:1852

memory/1852-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download