yunsip | e9c20db70415f392a395232fb5d50a9fa5e93137d8159aacca804c670fc63c2a

Analysis

max time kernel
55s
max time network
33s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 19:15

Target

NEAS.d75d747c8f668fdf76740edb1bf3e3e0.dll
Size

779KB
MD5

d75d747c8f668fdf76740edb1bf3e3e0
SHA1

eab47185835278f775cd306a67215b1aee94d3bf
SHA256

e9c20db70415f392a395232fb5d50a9fa5e93137d8159aacca804c670fc63c2a
SHA512

1cdb18aab83f60a589c5fd3ed107dcaab381a940f95a26fc52be3d3665c79e5fa487df2fcf557ac1ca7606b5917e2555b7483c725019ad9ee2557d2761fa646a
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY+:o6RI1Fo/wT3cJYYYYYYYYYYYY+

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29
PID 2676 wrote to memory of 2648	2676	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d75d747c8f668fdf76740edb1bf3e3e0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d75d747c8f668fdf76740edb1bf3e3e0.dll,#1
  2⤵
  PID:2648