yunsip | 864c542b34b45ff3a6a8a613453b8abfc86260edbb24f9bd07699d2ab3df7784

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 22:58

Target

864c542b34b45ff3a6a8a613453b8abfc86260edbb24f9bd07699d2ab3df7784.dll
Size

714KB
MD5

b30609cbcf995e5f5a428c65c0cb89df
SHA1

d982c77af8e783e11130759ba4a159f3fcd0772d
SHA256

864c542b34b45ff3a6a8a613453b8abfc86260edbb24f9bd07699d2ab3df7784
SHA512

dcb45494baf8587b0d3e301422ac47be5e109d275c45434a5850dbe4b21253959483dcaad54111f9f3416fb0fb0827d1d455d181ce292ca3df33a0c3e53ccfe4
SSDEEP

1536:xGDOFSxjmiBu1Os57IXLUxUX0uX+u8Dj7XE+40b0vwjb87uGl0xQsv:wqFSxjolNmzX0Xu8vAn204jb+uHxQsv

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

UPX dump on OEP (original entry point) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3440-0-0x0000000010000000-0x0000000010025000-memory.dmp	UPX

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3440-0-0x0000000010000000-0x0000000010025000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4824 wrote to memory of 3440	4824	rundll32.exe	rundll32.exe
PID 4824 wrote to memory of 3440	4824	rundll32.exe	rundll32.exe
PID 4824 wrote to memory of 3440	4824	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\864c542b34b45ff3a6a8a613453b8abfc86260edbb24f9bd07699d2ab3df7784.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\864c542b34b45ff3a6a8a613453b8abfc86260edbb24f9bd07699d2ab3df7784.dll,#1
2⤵
PID:3440

memory/3440-0-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download