yunsip | 354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 18:54

Target

354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll
Size

737KB
MD5

3f922f03ad1079988ee73564861764fa
SHA1

115a232205c030eb0632e938fc6ef0c20fe36373
SHA256

354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a
SHA512

ad1f7b31c5119a125d2b1c0e3cf11b808375d459a97a0d3363d9e71a787e9db5d5adb2282d14da5e422e46bc552abda6b2c529d36391dc26a355cf1a1b607e9d
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYG:o6RI1Fo/wT3cJYYYYYYYYYYYYG

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28
PID 2332 wrote to memory of 1880	2332	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll,#1
  2⤵
  PID:1880