yunsip | 24cdf72cffd9e2741cb98a0b0c2999ebd43213bb745bff99b09aef31522503c0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 19:42

Target

38d3ef59908649a92b60d4af7e57f14d.dll
Size

354KB
MD5

38d3ef59908649a92b60d4af7e57f14d
SHA1

bc2c31ad2f71ba29bc00860c731b9bbafdaecc66
SHA256

24cdf72cffd9e2741cb98a0b0c2999ebd43213bb745bff99b09aef31522503c0
SHA512

c55ce681d8d2a09493085314c3b269746b6514b59b06a34a58219c4f46d49aa9d7cd67911b59acdc52e32ccaf13e0798b68ddb9194bb54b65b6d56903ec10416
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0A:jDgtfRQUHPw06MoV2nwTBlhm84

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15
PID 2532 wrote to memory of 1904	2532	rundll32.exe	15

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38d3ef59908649a92b60d4af7e57f14d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\38d3ef59908649a92b60d4af7e57f14d.dll,#1
  2⤵
  PID:1904