yunsip | bec544636e477bab30a62d401557985642ca3f757c73e481458ac9f7a2e98236

Analysis

max time kernel
122s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 17:40

Target

NEAS.189b1c539080b979f5c5afbd65fc2940_JC.dll
Size

670KB
MD5

189b1c539080b979f5c5afbd65fc2940
SHA1

b5a3252ac8454d22855376c0f479763eea539f3f
SHA256

bec544636e477bab30a62d401557985642ca3f757c73e481458ac9f7a2e98236
SHA512

59b612878c5e23e1147996c613ed76488dd4dec051456df4e292f0ddcdc84864152bd08d634d9cd78825f09f526da4f91350b163dff6df99935a42729c91dfa3
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY7:o6RI1Fo/wT3cJYYYYYYYYYYYY7

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28
PID 2016 wrote to memory of 2184	2016	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.189b1c539080b979f5c5afbd65fc2940_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.189b1c539080b979f5c5afbd65fc2940_JC.dll,#1
  2⤵
  PID:2184