yunsip | a2b39e5fae4dd5ebd739e2b67917247ff3b64181f6a428eb54e5f7124bdf5574

Analysis

max time kernel
176s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 14:53

Target

818129c0636adee326d71f8d02aa5c80_dll32_JC.dll
Size

172KB
MD5

818129c0636adee326d71f8d02aa5c80
SHA1

a3df2a89e80d3ce5eda1455fcba7216cb3b33269
SHA256

a2b39e5fae4dd5ebd739e2b67917247ff3b64181f6a428eb54e5f7124bdf5574
SHA512

8ad4dca83f0740ce15058b9e1fd977b818bedf881211aaf5104593fc55080384e43b4256d960530725ac15cd16de264184f672ceea99a599faa2179db6681321
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0X:jDgtfRQUHPw06MoV2nwTBlhm8v

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2952	4648	rundll32.exe	83
PID 4648 wrote to memory of 2952	4648	rundll32.exe	83
PID 4648 wrote to memory of 2952	4648	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\818129c0636adee326d71f8d02aa5c80_dll32_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\818129c0636adee326d71f8d02aa5c80_dll32_JC.dll,#1
  2⤵
  PID:2952