yunsip | ca2f1d0264f9611e1fd9477b5a4feb32d50be6f3595257b4af6ef019fc1b13c2

Analysis

max time kernel
0s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 02:31

Target

ca2f1d0264f9611e1fd9477b5a4feb32d50be6f3595257b4af6ef019fc1b13c2.dll
Size

1.0MB
MD5

9b90f9eae047b5669e43a619e70ccba6
SHA1

e83abeb1ed914637659bbc5010810d874101892f
SHA256

ca2f1d0264f9611e1fd9477b5a4feb32d50be6f3595257b4af6ef019fc1b13c2
SHA512

54f786f5e663ea78028ba40186889c207cdd8364ed53865406d3550d4206c7fc7073ce77695a278c8c51b18ff16dde7e1f05a3e99a944fcce9fadfe8938d41cd
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY1:o6RI1Fo/wT3cJYYYYYYYYYYYY1

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3356	4720	rundll32.exe	83
PID 4720 wrote to memory of 3356	4720	rundll32.exe	83
PID 4720 wrote to memory of 3356	4720	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca2f1d0264f9611e1fd9477b5a4feb32d50be6f3595257b4af6ef019fc1b13c2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca2f1d0264f9611e1fd9477b5a4feb32d50be6f3595257b4af6ef019fc1b13c2.dll,#1
  2⤵
  PID:3356