yunsip | 657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 22:53

Target

657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll
Size

181KB
MD5

de03adcb2cf60b8fbee2992c812d683b
SHA1

f4509af323aa23032265b29e8efc2eb0d388b887
SHA256

657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa
SHA512

095e38feaf22895d99fb6458e324677efee6b6efd9e791e440cac7ec6691d1acfced1cec4f883efb59b5924d17624ca69167c88b7beb930f3cd25eaf707317b2
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q08:jDgtfRQUHPw06MoV2nwTBlhm8E

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1848 wrote to memory of 1680	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 1680	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 1680	1848	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\657d3745b790d760e1e457e965dbcea0e2881c3cd6d29ffd5bde156c3222cefa.dll,#1
2⤵
PID:1680