yunsip | b7acade5e2e7a98a178da5e5cc9f09f3fd425c6ef31a29fbd475674ca6b3a7db

Analysis

max time kernel
144s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:43

Target

b7acade5e2e7a98a178da5e5cc9f09f3fd425c6ef31a29fbd475674ca6b3a7db.dll
Size

1.0MB
MD5

2a193e094ef3fa342b9180bbae57cf50
SHA1

3d7607793f187f9b184881f96a5a10e6e107b0b9
SHA256

b7acade5e2e7a98a178da5e5cc9f09f3fd425c6ef31a29fbd475674ca6b3a7db
SHA512

ace8baa12b972c30dae7fd9d819c12704ba4a4274c8287bc6a6af5cdae2168deb2c52eaa5cf2ce4b4d7e7952e8a4e49c45202ac51ccc5b361667f5d7e9544ff3
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYz:o6RI1Fo/wT3cJYYYYYYYYYYYYz

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4576 wrote to memory of 4860	4576	rundll32.exe	rundll32.exe
PID 4576 wrote to memory of 4860	4576	rundll32.exe	rundll32.exe
PID 4576 wrote to memory of 4860	4576	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7acade5e2e7a98a178da5e5cc9f09f3fd425c6ef31a29fbd475674ca6b3a7db.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7acade5e2e7a98a178da5e5cc9f09f3fd425c6ef31a29fbd475674ca6b3a7db.dll,#1
2⤵
PID:4860