yunsip | 486b7a2f68505d1d3b8189973ec7d634c0a9120a65b299201b7aa6a8390dbbd1

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 14:16

Target

NEAS.5829eb14e2563ae496ed5a94516199b0_JC.dll
Size

621KB
MD5

5829eb14e2563ae496ed5a94516199b0
SHA1

4220e8d69aed40bfee6b0cad29a8803d076fcec4
SHA256

486b7a2f68505d1d3b8189973ec7d634c0a9120a65b299201b7aa6a8390dbbd1
SHA512

88083e6dfeac05a16dae39ccd68ce2c76d7e271e42343fa627d201bbdf2c08803fad75aee102dfff45123dd33ba49c454c5ae97cce3291a24e1b59164ec6c1b5
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYF:o6RI1Fo/wT3cJYYYYYYYYYYYYF

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27
PID 1088 wrote to memory of 2020	1088	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5829eb14e2563ae496ed5a94516199b0_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5829eb14e2563ae496ed5a94516199b0_JC.dll,#1
  2⤵
  PID:2020