yunsip | 9f5b4f476d85d0c7b3588082e8e84382f0376b04fbe12c619914112a0f609c4e

Analysis

max time kernel
91s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 00:45

Target

9f5b4f476d85d0c7b3588082e8e84382f0376b04fbe12c619914112a0f609c4e.dll
Size

669KB
MD5

ee3713ddeeed1b8bc08570f135790359
SHA1

9e820ed3e4fe86f15cb78a2bf1be0ab37644aef3
SHA256

9f5b4f476d85d0c7b3588082e8e84382f0376b04fbe12c619914112a0f609c4e
SHA512

073a4c1557a0b52f0c98461691f739a31e4f77a8b764ad5ef150edcdd26eacae63ec01f5b89ea6d7620b858495149c05ea7cad5472638d0bac1225a56ba06785
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYo:o6RI1Fo/wT3cJYYYYYYYYYYYYo

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4008	1452	rundll32.exe	83
PID 1452 wrote to memory of 4008	1452	rundll32.exe	83
PID 1452 wrote to memory of 4008	1452	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f5b4f476d85d0c7b3588082e8e84382f0376b04fbe12c619914112a0f609c4e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f5b4f476d85d0c7b3588082e8e84382f0376b04fbe12c619914112a0f609c4e.dll,#1
  2⤵
  PID:4008