yunsip | 20040f38eb2c9314ef5e4ce5031d68da417f89d18982e0b75aeb62eabf94d035

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 19:27

Target

20040f38eb2c9314ef5e4ce5031d68da417f89d18982e0b75aeb62eabf94d035.dll
Size

655KB
MD5

8f0bc484251bac509a9906c379e4b8bf
SHA1

424b37a48c771acea6c82d00f8146c3374c85666
SHA256

20040f38eb2c9314ef5e4ce5031d68da417f89d18982e0b75aeb62eabf94d035
SHA512

7887cb4b6b859a9df363787135608ee2193d3f66175b1d22f904b590c26948d163a0f8d875af890ab238f6801c70bfd1777069883bef514a3d64c2e15d060c8e
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYv:o6RI1Fo/wT3cJYYYYYYYYYYYYv

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28
PID 1660 wrote to memory of 860	1660	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20040f38eb2c9314ef5e4ce5031d68da417f89d18982e0b75aeb62eabf94d035.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\20040f38eb2c9314ef5e4ce5031d68da417f89d18982e0b75aeb62eabf94d035.dll,#1
  2⤵
  PID:860