yunsip | 64c31efdbe118bb81e41cf1677d75649df07cb36451f922216b54d276607b893

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 22:23

Target

64c31efdbe118bb81e41cf1677d75649df07cb36451f922216b54d276607b893.dll
Size

618KB
MD5

18ef9398f03dba2d28e48d3795de4b4a
SHA1

ab401a6f684ecf15073b031adfc52de6bbd52165
SHA256

64c31efdbe118bb81e41cf1677d75649df07cb36451f922216b54d276607b893
SHA512

c84a4de650cbd7b330bc0ae6f86e4c5ec4d0141ae1deefc5c2b313d77171945ac8ba5b94b85ee2ddf353eda1be1c94a2947d2a598f1e1d64c937612eda31ab6f
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYZ:o6RI1Fo/wT3cJYYYYYYYYYYYYZ

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28
PID 2224 wrote to memory of 1800	2224	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64c31efdbe118bb81e41cf1677d75649df07cb36451f922216b54d276607b893.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\64c31efdbe118bb81e41cf1677d75649df07cb36451f922216b54d276607b893.dll,#1
  2⤵
  PID:1800