yunsip | 8db234bb8ded3b18fb90ff275e52e7fc6ffa33bb5d6ae6b4e6e71b13e657727e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 22:43

Target

8db234bb8ded3b18fb90ff275e52e7fc6ffa33bb5d6ae6b4e6e71b13e657727e.dll
Size

1.0MB
MD5

c7f662f359211554872ad503383fc3b5
SHA1

6f29f0b9bd94d8bc0fc93e47c8a53674463a0f12
SHA256

8db234bb8ded3b18fb90ff275e52e7fc6ffa33bb5d6ae6b4e6e71b13e657727e
SHA512

9ff9ba75dee7d2923d8f81b01eb13c1dfd66d53da20457cb04e0948b4478a52d0f2308ad3a1d9eeb2db75604bbe03312640b7427b4dc311a0c8969791b91c315
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYv:o6RI1Fo/wT3cJYYYYYYYYYYYYv

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 5008	3348	rundll32.exe	87
PID 3348 wrote to memory of 5008	3348	rundll32.exe	87
PID 3348 wrote to memory of 5008	3348	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db234bb8ded3b18fb90ff275e52e7fc6ffa33bb5d6ae6b4e6e71b13e657727e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db234bb8ded3b18fb90ff275e52e7fc6ffa33bb5d6ae6b4e6e71b13e657727e.dll,#1
  2⤵
  PID:5008