yunsip | ead9534a82414de311c5c65c32814cd2347b1153149852cd63d15dc0566b40c1

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-11-2023 06:05

Target

NEAS.6e91238e9bfe5289368814bb30eda6d0.dll
Size

883KB
MD5

6e91238e9bfe5289368814bb30eda6d0
SHA1

ead67847c966f99405f31242d4f817a239824991
SHA256

ead9534a82414de311c5c65c32814cd2347b1153149852cd63d15dc0566b40c1
SHA512

12039c70cc4ddab9f079ef33e4ace58e328bf90ec0a66f76fffa5592e9e2fac5d42019dee63e1244daec0fe7f12ba8d363682a1717b578d9f018f2645fad677e
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0M:jDgtfRQUHPw06MoV2nwTBlhm80

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 1732	2476	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.6e91238e9bfe5289368814bb30eda6d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.6e91238e9bfe5289368814bb30eda6d0.dll,#1
2⤵
PID:1732