yunsip | 60b81c1c10543f20b98e12da96cccbaaa2b69ab87fb83061406b178abd6df49c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
24-10-2023 00:40

Target

NEAS.e5797f23767ba9dd19d64a4d00bc3cc0_JC.dll
Size

1020KB
MD5

e5797f23767ba9dd19d64a4d00bc3cc0
SHA1

dc162945f11f8a4fe78cc71360f39d4e2221ebed
SHA256

60b81c1c10543f20b98e12da96cccbaaa2b69ab87fb83061406b178abd6df49c
SHA512

06e1feee531a7fe7132adb1589f344cda7436acc3e4711041d513b27c387243bdd803681b9d5effccdf684ad5020ffdd27e380ed0628bc41cb45f915fc992836
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY0:o6RI1Fo/wT3cJYYYYYYYYYYYY0

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28
PID 2216 wrote to memory of 1412	2216	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.e5797f23767ba9dd19d64a4d00bc3cc0_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.e5797f23767ba9dd19d64a4d00bc3cc0_JC.dll,#1
  2⤵
  PID:1412