yunsip | 63613a37f5be1021919da42d3c0863d58f709b63b08f272f1118fd0c1f6d3e30

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 00:32

Target

NEAS.4e5af707cca5d4975ec90188782abc10.dll
Size

676KB
MD5

4e5af707cca5d4975ec90188782abc10
SHA1

a3d02dd03c9cc11b14ffc1794575231f763156fe
SHA256

63613a37f5be1021919da42d3c0863d58f709b63b08f272f1118fd0c1f6d3e30
SHA512

d6d28d53451fa7397031f792af1ca3efb9f3d20234c1e060bbc6e3feca97174636f5eb32bdcc5b0b09becfa5c7016fcaa29cd726683260d871edabe455944c15
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYr:o6RI1Fo/wT3cJYYYYYYYYYYYYr

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28
PID 3068 wrote to memory of 1356	3068	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.4e5af707cca5d4975ec90188782abc10.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.4e5af707cca5d4975ec90188782abc10.dll,#1
  2⤵
  PID:1356