yunsip | 3a6d635237c06523388c4fd2d324adaff5b6f98459cee975921a2250c65ce289

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 12:47

Target

8887a1397118b500e3b2982546c38710_NEAS.dll
Size

820KB
MD5

8887a1397118b500e3b2982546c38710
SHA1

8cbad0fe21d2c030d6b3b993afcb98a679f92caf
SHA256

3a6d635237c06523388c4fd2d324adaff5b6f98459cee975921a2250c65ce289
SHA512

a1f0837534b9e352d4b790bb58ce3a0f224b191aa318bfa28069d79496f3be5bb8ae5bb53bec8b41c59813b41aa9e6431f96f1e06552a56bb7f6f6acf27382b0
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYW:o6RI1Fo/wT3cJYYYYYYYYYYYYW

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28
PID 1904 wrote to memory of 1908	1904	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8887a1397118b500e3b2982546c38710_NEAS.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8887a1397118b500e3b2982546c38710_NEAS.dll,#1
  2⤵
  PID:1908