yunsip | 71824a0f2ead319c706c3de9c3591574bcab05bfbc10e06765f0d699108f823d

Analysis

max time kernel
118s
max time network
141s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 15:05

Target

b32ca1c6e254318327ecf8abc09668d0_dll32_JC.dll
Size

194KB
MD5

b32ca1c6e254318327ecf8abc09668d0
SHA1

6e7c2abe7c048d434f018812e7e1fdd550642a2b
SHA256

71824a0f2ead319c706c3de9c3591574bcab05bfbc10e06765f0d699108f823d
SHA512

a3ce88578c1d2152cdac01a132a7799beee6052332d9ed6ffc3b7db76725afbfa0f042e82a483504fe3027375b94ad41199222b7491568e9ab494d0cafe0b537
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0h:jDgtfRQUHPw06MoV2nwTBlhm8Z

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29
PID 856 wrote to memory of 2200	856	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b32ca1c6e254318327ecf8abc09668d0_dll32_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b32ca1c6e254318327ecf8abc09668d0_dll32_JC.dll,#1
  2⤵
  PID:2200