yunsip | fbf183552d7edf8226f1a41c51e3bf90afd5d4e519f4a8088a153fb300fd7681

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 01:57

Target

fbf183552d7edf8226f1a41c51e3bf90afd5d4e519f4a8088a153fb300fd7681.dll
Size

526KB
MD5

51e8157abf646d4f2938208509a91960
SHA1

485de69d342bf1f65fc7c17f512faee487092976
SHA256

fbf183552d7edf8226f1a41c51e3bf90afd5d4e519f4a8088a153fb300fd7681
SHA512

f99a128199d0c363a9eb65488e71f8e9f234a079a7b659c5e9d077f31077a624f583d60150a59eaebfa6bef67194cbc334f74dcdfacffc65d10f37051343f09b
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Y:jDgtfRQUHPw06MoV2nwTBlhm8Q

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26
PID 2036 wrote to memory of 1116	2036	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf183552d7edf8226f1a41c51e3bf90afd5d4e519f4a8088a153fb300fd7681.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf183552d7edf8226f1a41c51e3bf90afd5d4e519f4a8088a153fb300fd7681.dll,#1
  2⤵
  PID:1116

memory/1116-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download