yunsip | 657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 22:53

Target

657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll
Size

181KB
MD5

de03adcb2cf60b8fbee2992c812d683b
SHA1

f4509af323aa23032265b29e8efc2eb0d388b887
SHA256

657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa
SHA512

095e38feaf22895d99fb6458e324677efee6b6efd9e791e440cac7ec6691d1acfced1cec4f883efb59b5924d17624ca69167c88b7beb930f3cd25eaf707317b2
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q08:jDgtfRQUHPw06MoV2nwTBlhm8E

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28
PID 1656 wrote to memory of 2156	1656	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll,#1
  2⤵
  PID:2156