yunsip | 3384f95ca83e0d4df6ed7470721b684dc3c12d8ba7a604cfc89d70185eb082a3

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 20:15

Target

3384f95ca83e0d4df6ed7470721b684dc3c12d8ba7a604cfc89d70185eb082a3.dll
Size

697KB
MD5

6a94421fa081a941fc1c4fd4deda5880
SHA1

bbdbfd6401887daa3a18a06ea6a84f5191b0cd84
SHA256

3384f95ca83e0d4df6ed7470721b684dc3c12d8ba7a604cfc89d70185eb082a3
SHA512

5e4f05344216b5ce07fe457c5bb4c3f8e59d7876b546a09d8829f32fd285909cf8a4bb1b8763f252a89e231cf3cb1bb1f90ace03b7c1b2bf5f693da10e1261b4
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYC:o6RI1Fo/wT3cJYYYYYYYYYYYYC

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4836	532	rundll32.exe	91
PID 532 wrote to memory of 4836	532	rundll32.exe	91
PID 532 wrote to memory of 4836	532	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3384f95ca83e0d4df6ed7470721b684dc3c12d8ba7a604cfc89d70185eb082a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3384f95ca83e0d4df6ed7470721b684dc3c12d8ba7a604cfc89d70185eb082a3.dll,#1
  2⤵
  PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4576