yunsip | ccf2b257e73da20556ae15488abb02e2c0d15b46e7036186ee6ab68ffb7c5ee7

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 01:42

Target

NEAS.5e570d6b32ff73d56f710c5ab4147e10.dll
Size

1.0MB
MD5

5e570d6b32ff73d56f710c5ab4147e10
SHA1

2de75b526aaa19c5444eec5bf18e2c42a0696db8
SHA256

ccf2b257e73da20556ae15488abb02e2c0d15b46e7036186ee6ab68ffb7c5ee7
SHA512

068e67c6952ba0b962eb5b378d3bf682b05a71a14ef3e3ad688a962d1da11b5611072df5e48c33a7df07719346ae86224bc8dd10f6e1872087ddf72c5552b609
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0o:jDgtfRQUHPw06MoV2nwTBlhm8A

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28
PID 2680 wrote to memory of 2896	2680	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e570d6b32ff73d56f710c5ab4147e10.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e570d6b32ff73d56f710c5ab4147e10.dll,#1
  2⤵
  PID:2896